whocaresaboutit
CISCO IOS CONFIG
On a newly configured Cisco firewall (a UC520), I need to configure rules for a mail server.
- SMTP server (for incoming email)
- RPC over http (outlook anywhere)
- OWA publishing (publish)
- Active Sync (for mobile devices)
I have access to the firewall using serial cable.
Using sample a) external and internal IPs, b) WAN and LAN ports, and c) domain names, can someone help with the command lines for this?
Please upload a blank config so we can verify ports and syntax.
ASKER
It's a UC520... so, because it's both data and phones, the basic config is veeeery lengthy...
You said firewall, so are you using CBAC? If so, here's a sample config:
ip access-list extended OUTSIDE_IN
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny ip any any
!
ip inspect name INBOUND smtp
ip inspect name INBOUND ftp
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
ip inspect name INBOUND icmp
! "rpc" inspection is SunRPC and requires a program number (100000 = portmapper);
! it does not cover Outlook Anywhere's RPC over HTTP, which is plain HTTPS on 443
ip inspect name INBOUND rpc program-number 100000
!
interface Fa0/0
 description Outside Interface
 ! the ACL must be applied inbound on the outside interface or it does nothing
 ip access-group OUTSIDE_IN in
 ip inspect INBOUND out
!
This gives you an ACL blocking nearly everything inbound, which you would modify to allow the ports you will be using. It then has a CBAC (inspect) config to watch the traffic going out and open the incoming ports it will need. You can use CBAC to match various traffic; it will depend mostly on your IOS version.
ASKER
Something seems to be missing though. This goes as far as allowing inbound traffic for those protocols.
We need to route all of those requests to the mail server sitting behind the firewall, right?
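The piece the asker is pointing at (getting inbound connections to the server behind the firewall) is static NAT plus permit lines for the published ports, applied together with the ACL and CBAC from the answer above. The following is an added example, not a config from the thread or from Cisco; it assumes the UC520's WAN port is FastEthernet0/0 with public address 203.0.113.2, the LAN is Vlan1 on 192.168.10.0/24, and the Exchange server is 192.168.10.25 (all constructed sample values).

```cisco
! Added example (not from the thread): NAT + ACL permits + CBAC for a mail
! server behind a UC520. All addresses/interfaces are constructed assumptions:
!   WAN  = FastEthernet0/0, public address 203.0.113.2 (RFC 5737 TEST-NET-3)
!   LAN  = Vlan1, 192.168.10.0/24, Exchange server 192.168.10.25
!
! 1. Port forwards: only the two published ports reach the server. SMTP for
!    inbound mail; 443 carries OWA, Outlook Anywhere (RPC over HTTP) and
!    ActiveSync, so one forward covers all three.
ip nat inside source static tcp 192.168.10.25 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.25 443 interface FastEthernet0/0 443
!
! 2. Inbound ACL on the WAN port. It is evaluated before NAT, so the lines
!    match the PUBLIC address. Anti-spoofing denies first, then the published
!    ports, then deny-and-log so unexpected attempts show up in the log.
ip access-list extended OUTSIDE_IN
 deny   ip host 0.0.0.0 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 203.0.113.2 eq smtp
 permit tcp any host 203.0.113.2 eq 443
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 3. CBAC: sessions opened from the LAN get their return traffic admitted
!    dynamically, so the ACL above never needs broad "permit any" lines.
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
ip inspect name INBOUND icmp
!
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect INBOUND out
!
interface Vlan1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Check it: "show ip nat translations" lists the two static entries and
! "show access-lists OUTSIDE_IN" shows hit counts on the permit lines.
```

If the UC520 has a dedicated public address for the mail server rather than sharing the WAN interface address, replace the two port forwards with a one-to-one `ip nat inside source static 192.168.10.25 <public-ip>` and point the two permit lines at that address instead.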
ASKER CERTIFIED SOLUTION