Cisco Exchange 2010 and SendLabs

mxrider_420 asked:

My ISP blocks port 25, so I am using a relay service on port 52525. It works perfectly when I use a home router with no firewall, but when I use my Cisco router it doesn't go through even though I created rules to allow it. I am confused. Does Cisco inspection look at the header and the way the packet is assembled and discard non-port-25 packets because the signature isn't "correct"?

Also, I am kind of hoping to NOT make my mail server an open relay! lol. I only want to accept mail from the SendLabs servers. They have a list of IPs to allow, but everything works on my send connector when it specifies allowed networks 0.0.0.0-255.255.255.255 and not when I delete that and add their IP range.

Any ideas?
DewFreak:
Post sho run
mxrider_420 (asker):

To make it easier to see, I put <------- ALLOWED where the rule is. Thanks.

no ip bootp server
ip domain name intra.xxxxxx.ca
ip name-server 192.168.1.59
ip name-server 192.168.1.60
ip name-server 64.59.176.13
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW esmtp
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 tcp router-traffic
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 imaps
ip inspect name sdm_ins_in_100 http
ip inspect name VLAN90-interneal tcp
ip inspect name VLAN90-interneal udp
ip inspect name VLAN90-interneal dns
ip inspect name VLAN90-interneal ica
ip inspect name VLAN90-interneal ssh
ip inspect name VLAN90-interneal http urlfilter
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips name sdm_ips_rule
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit facebook.com
ip urlfilter exclusive-domain deny 192.168.1.150
ip urlfilter exclusive-domain deny 192.168.1.1
ip urlfilter exclusive-domain deny 192.168.1.90
ip urlfilter exclusive-domain deny 192.168.1.7
ip urlfilter exclusive-domain deny ftp
ip urlfilter exclusive-domain deny 192.168.1.92
ip urlfilter exclusive-domain deny 192.168.1.149
ip urlfilter exclusive-domain deny 192.168.1.180
ip urlfilter exclusive-domain deny 192.168.1.179
ip urlfilter exclusive-domain deny cisco
ip urlfilter exclusive-domain deny 192.168.1.70
ip urlfilter exclusive-domain deny cisco.local
ip urlfilter exclusive-domain deny 192.168.1.55
ip urlfilter urlf-server-log
ip ddns update method dyndns
 HTTP
  add http://xxxx@members.dyndns.org/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!
ip ddns update method connect.xxxxx.ca
 DDNS
 interval maximum 28 0 0 0
 interval minimum 28 0 0 0
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 104 in
 ip access-group block-guest out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0.5
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 90
 ip address 172.17.17.20 255.255.255.0
 ip access-group 106 in
 ip helper-address 192.168.1.59
 ip helper-address 192.168.1.60
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect VLAN90-interneal in
 ip inspect VLAN90-interneal out
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.20
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 20
 ip address 172.25.146.6 255.255.255.0
 ip access-group 108 in
 ip helper-address 192.168.1.59
 ip helper-address 192.168.1.60
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/0.26
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 26
 ip address 192.168.9.1 255.255.255.0
 ip access-group 111 out
 ip helper-address 192.168.1.59
 ip helper-address 192.168.1.60
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip ddns update hostname connect.exchangesolution.ca
 ip ddns update dyndns
 ip address dhcp client-id FastEthernet0/1
 ip access-group 109 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
router rip
 version 2
 passive-interface FastEthernet0/0.5
 passive-interface FastEthernet0/0.20
 passive-interface FastEthernet0/0.26
 passive-interface FastEthernet0/1
 network 172.17.0.0
 network 172.20.0.0
 network 172.25.0.0
 network 192.168.1.0
 network 192.168.9.0
!
ip forward-protocol nd
ip route 172.17.17.0 255.255.255.0 FastEthernet0/1 permanent
ip route 172.20.60.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.25.146.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.168.9.0 255.255.255.0 FastEthernet0/1 permanent
!
!        
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source static udp 192.168.1.57 52525 interface FastEthernet0/1 52525  <---------- ALLOWED
ip nat inside source static tcp 192.168.1.57 52525 interface FastEthernet0/1 52525 <---------- ALSO ALLOWED
ip nat inside source static tcp 192.168.1.57 2525 interface FastEthernet0/1 2525
ip nat inside source static udp 192.168.1.57 2525 interface FastEthernet0/1 2525
ip nat inside source static udp 192.168.1.57 24 interface FastEthernet0/1 24
ip nat inside source static tcp 192.168.1.57 24 interface FastEthernet0/1 24
ip nat inside source static tcp 192.168.9.18 8602 interface FastEthernet0/1 8602
ip nat inside source static udp 192.168.9.18 88 interface FastEthernet0/1 88
ip nat inside source static udp 192.168.9.18 3074 interface FastEthernet0/1 3074
ip nat inside source static tcp 192.168.9.18 3074 interface FastEthernet0/1 3074
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
!
ip access-list extended block-guest
 remark SDM_ACL Category=17
 permit udp any eq 52525 any eq 52525 <----- ALLOWED
 permit tcp any eq 52525 any eq 52525 <------- ALLOWED
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 15871
 permit tcp any eq 24 any eq 24
 permit udp any eq 24 any eq 24
 permit udp any eq 2525 any eq 2525
 permit tcp any eq 2525 any eq 2525
 permit udp any eq ntp any eq ntp
 permit udp any host 192.168.1.58 eq domain
 permit udp any host 192.168.1.58 eq bootpc
 deny   ip 172.25.146.0 0.0.0.255 any
 permit ip any any
ip access-list extended printer
 permit ip host 172.17.17.35 any
ip access-list extended printer-allowed
 permit tcp any any eq 9100
ip access-list extended sdm_fastethernet0/0.1_in
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.20.60.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.17.17.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.17.17.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit udp any any
access-list 101 permit udp any any
access-list 101 permit ip host 192.168.1.16 any
access-list 101 permit ip host 192.168.1.17 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq ftp
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit udp any eq ntp any eq ntp
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq bootps any eq bootpc
access-list 102 deny   ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any eq 52525 any eq 52525   <------- ALLOWED
access-list 104 permit udp any eq 52525 any eq 52525  <------- ALLOWED
access-list 104 permit udp any eq 2525 any eq 2525
access-list 104 permit tcp any eq 2525 any eq 2525
access-list 104 permit tcp any eq 24 any eq 24
access-list 104 permit udp any eq 24 any eq 24
access-list 104 permit udp host 192.168.1.58 eq domain any
access-list 104 permit udp host 192.168.1.59 eq domain any
access-list 104 permit udp host 192.168.1.59 eq 15868 host 192.168.1.1
access-list 104 permit udp host 192.168.1.58 eq 15868 host 192.168.1.1
access-list 104 permit tcp any eq 9100 any eq 9100
access-list 104 permit udp any eq 9100 any eq 9100
access-list 104 permit ip 172.17.17.0 0.0.0.255 any
access-list 104 permit udp 172.17.17.0 0.0.0.255 any
access-list 104 permit tcp 172.17.17.0 0.0.0.255 any
access-list 104 remark Auto generated by SDM for NTP (123) time.nist.com
access-list 104 permit udp host 74.54.82.185 eq ntp host 192.168.1.1 eq ntp
access-list 104 permit tcp 172.17.17.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 104 permit tcp 172.17.17.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 172.25.146.6 eq 22
access-list 104 permit ip any host 224.0.0.9
access-list 104 permit udp any any eq rip
access-list 104 permit udp any any
access-list 104 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip any host 192.168.1.12
access-list 105 permit udp any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any eq 24 any eq 24
access-list 106 permit tcp any eq smtp any eq smtp
access-list 106 permit tcp any eq 9100 any eq 9100
access-list 106 permit udp any eq 9100 any eq 9100
access-list 106 permit udp any eq ntp any eq ntp
access-list 106 deny   ip 172.25.146.0 0.0.0.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 permit udp any any
access-list 107 remark 107
access-list 107 remark SDM_ACL Category=16
access-list 107 permit tcp any eq www any
access-list 107 permit ip host 192.168.1.14 any
access-list 107 permit ip host 192.168.1.15 any
access-list 107 permit ip host 192.168.1.16 any
access-list 107 permit ip host 192.168.1.17 any
access-list 107 permit udp any eq ntp any eq ntp
access-list 107 remark Auto generated by SDM for NTP (123) time.nist.com
access-list 107 permit udp host 74.54.82.185 eq ntp any eq ntp
access-list 107 permit tcp any any eq ftp
access-list 107 permit tcp any any eq 443
access-list 107 permit tcp any any eq www
access-list 107 permit ahp any any
access-list 107 permit esp any any
access-list 107 permit udp any any eq isakmp
access-list 107 permit udp any any eq non500-isakmp
access-list 107 permit udp any eq bootps any eq bootps
access-list 107 permit udp any eq bootps any eq bootpc
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any unreachable
access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
access-list 107 permit ip host 192.168.1.12 any
access-list 107 permit ip host 192.168.1.13 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip any any log
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 permit tcp any eq 24 any eq 24
access-list 108 permit udp any eq ntp any eq ntp
access-list 108 permit ip any any
access-list 108 permit udp any any
access-list 109 remark SDM_ACL Category=1
access-list 109 permit tcp any eq 52525 any eq 52525   <------- ALLOWED
access-list 109 permit udp any eq 52525 any eq 52525   <------- ALLOWED
access-list 109 permit udp any eq 2525 any eq 2525
access-list 109 permit tcp any eq 2525 any eq 2525
access-list 109 permit udp any eq 24 any eq 24
access-list 109 permit tcp any eq 24 any eq 24
access-list 109 permit udp any any
access-list 109 remark smtp
access-list 109 permit tcp any eq smtp any eq smtp
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 permit udp host 64.59.176.15 eq domain any
access-list 109 permit tcp any any eq ftp
access-list 109 permit tcp any any eq 443
access-list 109 permit tcp any any eq www
access-list 109 permit udp host 64.59.176.13 eq domain any
access-list 109 remark Auto generated by SDM for NTP (123) 74.54.82.185
access-list 109 permit udp host 74.54.82.185 eq ntp any eq ntp
access-list 109 permit ahp any any
access-list 109 permit esp any any
access-list 109 permit udp any any eq isakmp
access-list 109 permit udp any any eq non500-isakmp
access-list 109 deny   ip 172.17.17.0 0.0.0.255 any
access-list 109 permit udp any eq bootps any eq bootps
access-list 109 permit udp any eq bootps any eq bootpc
access-list 109 permit icmp any any echo-reply
access-list 109 permit icmp any any time-exceeded
access-list 109 permit icmp any any unreachable
access-list 109 deny   ip 10.0.0.0 0.255.255.255 any
access-list 109 deny   ip 172.16.0.0 0.15.255.255 any
access-list 109 deny   ip 192.168.0.0 0.0.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip any any log
access-list 111 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 10
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 012703055609140E31181C59
!
ntp server 74.54.82.185 source FastEthernet0/1 prefer
!
end
CanYouSeeMe.org

Your IP:      174.5.x.x
What Port?      52525

Error: I could not see your service on 174.5.180.195 on port (52525)
Reason: Connection timed out

When I replace the Cisco 2651XM with my $40 home Cisco router I get the following (I wanted to make sure the ISP didn't block 52525, which it doesn't):

Success: I can see your service on 174.5.x.x on port (52525)
Please remove your type 7 password as it can be decrypted.

Please use enable secret password for MD5 encryption.
I have seen issues using high port numbers even though they are "available"; the firewall may be using those ports for return traffic. Have you tried any ports below 30000?
Yes, same issue. As you can see I tried 2525 and 24; I kept them for ease in case 52525 didn't work. Does it look OK configuration-wise?

How do I remove type 7?
OK, assume your mail server inside your network is listening on port 2525.
Yes, it is listening on 52525 and I can telnet to it inside. And like I said, when I replace the Cisco router with the HOME unsecured router it works from external too. So it IS something to do with this Cisco device...
Could it be because the port mapping isn't right?
I want to concentrate on using port 2525 not the 52525 port since this could have inherent issues.  
Okay, I'll change it back. Do you also suggest making a port map as well for this and the SMTP protocol?

Same thing with port 2525... this router is driving me crazy! I think I'm going to buy a WatchGuard unit... anyone have any final ideas?... I'm about ready to smash this thing! lol
WatchGuard, I say YES!  Always love replacing the ASA's with XTM's.  But, have you removed all the rules for port 52525?
! match only the destination port: the sending MTA connects from an ephemeral source port, so "any eq 2525" on the source side never matches
access-list 104 permit udp any host 192.168.0.x eq 2525
access-list 104 permit tcp any host 192.168.0.x eq 2525

X is your internal mail server IP.
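The thread's rules all take the form `permit tcp any eq 52525 any eq 52525`, which requires the remote mail server to connect *from* port 52525 as well as *to* it. The added example below (not code from either poster) is a small first-match evaluator for the numbered-ACL subset seen in the show run; it replays an inbound SMTP connection against ACL 109 as posted and shows it falling through to the final `deny ip any any log`, then against a corrected ACE that matches only the destination port and only the relay provider's source range, which also addresses the "not an open relay" concern at the router. All addresses are constructed placeholders: 203.0.113.0/24 stands in for SendLabs' published range (not listed on the page), 198.51.100.1 for the router's WAN address, and 51234 for the remote MTA's ephemeral source port. Only contiguous wildcard masks and the `eq` port operator are handled.

```python
"""Added example: evaluate inbound SMTP against the ACL 109 from the thread.
Not code from the thread; addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the ACLs on this page.
NAMED_PORTS = {"smtp": 25, "www": 80, "ftp": 21, "domain": 53, "ntp": 123,
               "bootps": 67, "bootpc": 68}
WAN_IP = "198.51.100.1"                 # placeholder for the Fa0/1 address
RELAY_RANGE = "203.0.113.0 0.0.0.255"   # placeholder for the provider's range


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _port(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)


def _addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(toks[i + 1]))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard not supported: " + toks[i + 1])
    prefixlen = 33 - (wildcard + 1).bit_length()   # 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{toks[i]}/{prefixlen}", strict=False), i + 2


def _opt_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse `access-list N permit|deny PROTO SRC [eq P] DST [eq P] ...`.
    Remarks, blank lines and the asker's `<---- ALLOWED` notes are skipped;
    trailing options such as `log` are ignored."""
    aces = []
    for raw in lines:
        line = raw.split("<")[0].strip()
        toks = line.split()
        if len(toks) < 6 or toks[2] == "remark":
            continue
        src, i = _addr(toks, 4)
        sport, i = _opt_port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _opt_port(toks, i)
        aces.append(Ace(toks[2], toks[3], src, sport, dst, dport, line))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """First matching ACE wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.sport is not None and a.sport != src_port:
            continue
        if a.dport is not None and a.dport != dst_port:
            continue
        return a.action, a.text
    return "deny", "(implicit deny)"


# ACL 109 (applied `in` on FastEthernet0/1 in the show run), abridged to the
# ACEs that can affect a TCP connection; order is preserved.
ACL_109_AS_POSTED = """
access-list 109 permit tcp any eq 52525 any eq 52525   <------- ALLOWED
access-list 109 permit udp any eq 52525 any eq 52525   <------- ALLOWED
access-list 109 permit tcp any eq 2525 any eq 2525
access-list 109 permit tcp any eq 24 any eq 24
access-list 109 permit udp any any
access-list 109 permit tcp any eq smtp any eq smtp
access-list 109 permit tcp any any eq ftp
access-list 109 permit tcp any any eq 443
access-list 109 permit tcp any any eq www
access-list 109 deny   ip 172.17.17.0 0.0.0.255 any
access-list 109 deny   ip 10.0.0.0 0.255.255.255 any
access-list 109 deny   ip 172.16.0.0 0.15.255.255 any
access-list 109 deny   ip 192.168.0.0 0.0.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip any any log
""".splitlines()

# Same ACL with the two 52525 ACEs replaced by one that matches only the
# destination port and only the (placeholder) relay provider's source range.
ACL_109_FIXED = [f"access-list 109 permit tcp {RELAY_RANGE} any eq 52525"] + \
    [l for l in ACL_109_AS_POSTED if "52525" not in l]


def inbound_smtp_verdict(acl: List[str], remote_mta: str,
                         ephemeral_port: int = 51234) -> Tuple[str, str]:
    """Verdict for a SYN from remote_mta:ephemeral_port to WAN_IP:52525."""
    return evaluate(parse_acl(acl), "tcp", remote_mta, ephemeral_port, WAN_IP, 52525)


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_109_AS_POSTED), ("fixed", ACL_109_FIXED)):
        for mta in ("203.0.113.10", "198.51.100.77"):
            print(f"{label:9} {mta:15} -> {inbound_smtp_verdict(acl, mta)}")
```

Running it shows the posted ACL denying the relay's connection at `deny ip any any log` (the only ACE it ever reaches), while the fixed ACL permits it from the provider's range and still denies the same connection from any other address. The same source-port pattern appears in ACL 104, 109 and `block-guest`, and the UDP entries for 52525 can be dropped entirely since SMTP runs over TCP only.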
I am about to try this and see what happens. Would you say YES to WatchGuard X23 OVER SonicWall NSA 240? I'm torn between the two. As much as I like Cisco, I find configs take longer than they should, yet I'm CCNA certified. Maybe I'm just stupid, but I'd rather spend more time on other tasks than fighting with equipment. I've heard EXCELLENT things about both WatchGuard AND SonicWall. Your thoughts?...

I'll post back in an hour or two when I get these configs done.
ASKER CERTIFIED SOLUTION by DewFreak (solution text not shown on this page)
Yeah, I think the X22 or X23 would be perfectly suited. Besides eBay, where I can probably find one cheap, do you know of any great retailers that offer great pricing?
We are a reseller.  I can get you a quote.
Please do.
Also, I agree. Personally I like:
Cisco - routers
watchguard / sonicwall - firewall
HP procurve - switches
email info@lfitservices.com so I can get your email address.  Thanks.
Done. Check inbox, thanks.
Get rid of Cisco. Great answer :)