Posted on 2010-01-04
Last Modified: 2012-05-08
On a newly configured Cisco firewall (a UC520), I need to configure rules for the mail server.

- SMTP server (for incoming email)
- RPC over http (outlook anywhere)
- OWA publishing (publish)
- Active Sync (for mobile devices)

I have access to the firewall using serial cable.

Using sample a) external and internal IPs, b) WAN and LAN ports, c) domain names, can someone help with the command lines for this?
Question by:whocaresaboutit
    LVL 7

    Expert Comment

    Please upload a blank config so we can verify ports and syntax.

    Author Comment

    It's a UC520... so, because it's both data and phones, the basic config is veeeery lengthy...
    LVL 9

    Expert Comment

    You said firewall, so are you using CBAC? If so, here's a sample config:
    ip access-list extended OUTSIDE_IN
     deny   ip host any
     deny   ip any
     deny   ip any
     deny   ip any
     deny   ip any
     deny   ip any
     deny   ip any
     permit icmp any any echo-reply
     permit icmp any any time-exceeded
     deny   ip any any
    ip inspect name INBOUND smtp
    ip inspect name INBOUND ftp
    ip inspect name INBOUND tcp
    ip inspect name INBOUND udp
    ip inspect name INBOUND icmp
    ip inspect name INBOUND rpc
    interface Fa0/0
     desc Outside Interface
     ip inspect INBOUND out

    This gives you an ACL blocking nearly everything inbound, which you would modify to allow the ports you will be using. It then has a CBAC (inspect) config to watch the traffic going out and open the incoming ports it will need. You can use CBAC to match various traffic, it will depend mostly on your IOS version.

    Author Comment

    Something seems to be missing though. This goes as far as allowing inbound traffic for those protocols.

    We need to route all of those requests to the mail server sitting behind the firewall, right?

    LVL 9

    Accepted Solution

    Ok, so you also need Static NAT statements. Do you have multiple public IPs to use? Here is a sample:

    ip nat inside source static tcp <inside IP> <inside port> <outside IP or interface> <outside port>

    ip nat inside source static tcp 8081 8081
    ip nat inside source static tcp 3389 interface fa0/0 3389

    If you have multiple publics, you could do 1:1 NAT like this:
    ip nat inside source static <inside IP> <outside IP>
    ip nat inside source static
    ip nat inside source static

    Then you would allow these protocols in the OUTSIDE_IN ACL.

    If you need more, please provide more information or a more detailed description.
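A consolidated example, added here and not taken from either expert's post, that ties together the OUTSIDE_IN ACL, the CBAC inspect rules and the static PAT statements above for the four services in the question. It assumes a constructed topology: the single public address 203.0.113.10 on FastEthernet0/0, the inside data VLAN on Vlan1, and the Exchange server at 192.168.10.25 (all placeholder values from documentation ranges); OWA, Outlook Anywhere (RPC over HTTPS) and ActiveSync are all served on TCP 443, so only 25 and 443 are exposed.

```cisco
! Constructed example addresses: public 203.0.113.10 on Fa0/0,
! Exchange server 192.168.10.25 behind Vlan1.
!
! Inbound ACL on the outside interface. On IOS the inbound ACL is checked
! before the inside-to-outside NAT entry is applied, so it must match the
! PUBLIC address, not the server's private one.
ip access-list extended OUTSIDE_IN
 remark SMTP to the mail server
 permit tcp any host 203.0.113.10 eq 25
 remark OWA, Outlook Anywhere (RPC over HTTPS) and ActiveSync all use HTTPS
 permit tcp any host 203.0.113.10 eq 443
 remark replies needed for ping/traceroute and path-MTU discovery
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
! CBAC: inspect sessions leaving the outside interface so that only their
! return traffic is opened dynamically; everything else is caught by the ACL.
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
ip inspect name INBOUND icmp
ip inspect name INBOUND smtp
!
! Static PAT with one public address: forward just the two service ports.
! "extendable" lets several port mappings share the same global address.
ip nat inside source static tcp 192.168.10.25 25 203.0.113.10 25 extendable
ip nat inside source static tcp 192.168.10.25 443 203.0.113.10 443 extendable
!
interface FastEthernet0/0
 description Outside Interface
 ip address 203.0.113.10 255.255.255.248
 ip access-group OUTSIDE_IN in
 ip inspect INBOUND out
 ip nat outside
!
interface Vlan1
 description Inside data VLAN
 ip nat inside
```

After applying it, `show ip nat translations` should list the two static entries and `show ip inspect sessions` the dynamically opened outbound sessions; the `log` keyword on the final deny makes blocked inbound attempts visible in the syslog.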

