CISCO IOS CONFIG

On a newly configured Cisco firewall (a UC520), I need to configure rules for a mail server.

- SMTP server (for incoming email)
- RPC over HTTP (Outlook Anywhere)
- OWA publishing (publish)
- ActiveSync (for mobile devices)

I have access to the firewall using a serial cable.

Using sample a) external and internal IPs, b) WAN and LAN ports, and c) domain names, can someone help with the command lines for this?
whocaresaboutit asked:
Vito_Corleone commented:
Ok, so you also need Static NAT statements. Do you have multiple public IPs to use? Here is a sample:

ip nat inside source static tcp <inside IP> <inside port> <outside IP or interface> <outside port>

ip nat inside source static tcp 192.168.15.20 8081 1.1.1.1 8081
or
ip nat inside source static tcp 192.168.25.10 3389 interface fa0/0 3389

If you have multiple publics, you could do 1:1 NAT like this:
ip nat inside source static <inside IP> <outside IP>
ip nat inside source static 192.168.25.20 1.1.1.1
ip nat inside source static 192.168.25.10 1.1.1.2

Then you would allow these protocols in the OUTSIDE_IN ACL.

If you need more, please provide more information or a more detailed description.

 
willbaclimon commented:
Please upload a blank config so we can verify ports and syntax.
 
whocaresaboutit (author) commented:
It's a UC520... so, because it's both data and phones, the basic config is veeeery lengthy...
 
Vito_Corleone commented:
You said firewall, so are you using CBAC? If so, here's a sample config:
ip access-list extended OUTSIDE_IN
 deny   ip host 0.0.0.0 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny   ip any any
!
!
ip inspect name INBOUND smtp
ip inspect name INBOUND ftp
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
ip inspect name INBOUND icmp
ip inspect name INBOUND rpc
!
!
interface Fa0/0
 description Outside Interface
! The ACL only filters once it is applied inbound on the outside interface
 ip access-group OUTSIDE_IN in
 ip inspect INBOUND out
!

This gives you an ACL blocking nearly everything inbound, which you would modify to allow the ports you will be using. It then has a CBAC (inspect) config to watch the traffic going out and open the incoming ports it will need. You can use CBAC to match various traffic; it will depend mostly on your IOS version.
 
whocaresaboutit (author) commented:
Something seems to be missing, though. This goes as far as allowing inbound traffic for those protocols.

We need to route all of those requests to the mail server sitting behind the firewall, right?

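Putting the two answers together, here is an added example (not posted by anyone in the thread) of how the static NAT entries, the OUTSIDE_IN ACL and the CBAC inspect rule combine to forward the mail services to the server behind the firewall. It assumes a mail server at 192.168.10.20, a public address of 203.0.113.10 on FastEthernet0/0 and the LAN on Vlan1; the addresses, mask and interface names are all constructed for the example.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
! mail server 192.168.10.20 on the LAN, public address 203.0.113.10 on
! the WAN interface FastEthernet0/0, LAN on Vlan1.
!
! Static port forwards to the mail server: inbound SMTP on 25, and 443 for
! OWA, Outlook Anywhere (RPC over HTTP) and ActiveSync, which all use HTTPS.
ip nat inside source static tcp 192.168.10.20 25 203.0.113.10 25
ip nat inside source static tcp 192.168.10.20 443 203.0.113.10 443
!
! The inbound ACL is evaluated before NAT rewrites the destination, so the
! permits must name the public address, not the server's private one.
ip access-list extended OUTSIDE_IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 203.0.113.10 eq 25
 permit tcp any host 203.0.113.10 eq 443
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny   ip any any
!
! CBAC tracks sessions leaving the LAN and opens only their return traffic;
! the unsolicited inbound mail connections are admitted by the ACL permits.
ip inspect name INBOUND tcp
ip inspect name INBOUND udp
ip inspect name INBOUND icmp
!
interface FastEthernet0/0
 description Outside Interface
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE_IN in
 ip inspect INBOUND out
!
interface Vlan1
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
```

Only ports 25 and 443 are forwarded because OWA, Outlook Anywhere and ActiveSync all run over HTTPS, so nothing else on the server is reachable from the Internet.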