mxrider_420
Cisco Exchange 2010 and SendLabs
My ISP blocks port 25, so I am using a relay service on port 52525. It works perfectly when I implement a home router with no firewall, but when I implement my Cisco router it doesn't go through, even though I created rules to allow it. I am confused. Does Cisco inspection look at the header and the way the packet is assembled and discard non-port-25 packets because the signature isn't "correct"?
Also, I am kind of hoping NOT to make my mail server an open relay! lol. And to only accept mail from the SendLabs servers. They have a list of IPs to allow, but everything works on my send connector when it specifies allowed networks 0.0.0.0-255.255.255.255 and not when I delete that and add their IP range.
any ideas?
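The second half of the question is about how Exchange decides which Receive connector a connecting SMTP host lands on. The following is an added example, not code from the thread or from Exchange: it models the RemoteIPRanges matching rule (entries may be a single address, a CIDR block, or a start-end range such as the 0.0.0.0-255.255.255.255 catch-all above; among connectors bound to the same local address and port, the one whose matching range is the most specific wins). The connector names and the relay address ranges are constructed placeholders, not SendLabs' published list.

```python
"""Added example, not from the thread: model how Exchange 2010 picks a Receive
connector for an inbound SMTP client. RemoteIPRanges entries can be a single
address, a CIDR block or a 'start-end' range; among connectors bound to the same
local address/port, the one with the most specific (smallest) matching range
wins. Connector names and ranges below are constructed, not SendLabs' list."""
import ipaddress


def parse_range(spec):
    """One RemoteIPRanges entry -> (first, last) IPv4Address covered by it."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        lo, hi = net.network_address, net.broadcast_address
    else:
        lo = hi = ipaddress.IPv4Address(spec)
    if hi < lo:
        raise ValueError("range end precedes start: %s" % spec)
    return lo, hi


def select_connector(connectors, client_ip):
    """connectors: {name: [range spec, ...]}. Return the name of the connector whose
    matching range is the most specific, or None when nothing matches (Exchange
    then rejects the session instead of falling back to another connector)."""
    ip = ipaddress.IPv4Address(client_ip)
    best = None                     # (range size, connector name)
    for name, specs in connectors.items():
        for spec in specs:
            lo, hi = parse_range(spec)
            if lo <= ip <= hi:
                size = int(hi) - int(lo) + 1
                if best is None or size < best[0]:
                    best = (size, name)
    return best[1] if best else None


# Constructed connector set: the catch-all that "works" plus a relay-only one.
CONNECTORS = {
    "Default SERVER": ["0.0.0.0-255.255.255.255"],
    "Relay from SendLabs": ["203.0.113.0/24", "198.51.100.7"],  # placeholder ranges
}

if __name__ == "__main__":
    for client in ("203.0.113.44", "198.51.100.7", "192.0.2.9"):
        print(client, "->", select_connector(CONNECTORS, client))
    only_relay = {"Relay from SendLabs": CONNECTORS["Relay from SendLabs"]}
    print("192.0.2.9 with catch-all removed ->", select_connector(only_relay, "192.0.2.9"))
```

Two things the model makes visible: a connector restricted to the relay's ranges rejects every other source, which is the behaviour the catch-all hides; and the IP restriction alone is not what prevents open relay. A connector that grants Anonymous users accepts mail only for the server's accepted domains; relaying to outside domains additionally requires the ms-Exch-SMTP-Accept-Any-Recipient permission on that connector, so the ranges should be narrowed without granting that permission. The firewall in front of the server still has to pass the traffic before any of this is evaluated.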
Post sho run
ASKER
So it's easier to see, I put <------- ALLOWED where the rule is. Thanks.
no ip bootp server
ip domain name intra.xxxxxx.ca
ip name-server 192.168.1.59
ip name-server 192.168.1.60
ip name-server 64.59.176.13
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW esmtp
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 tcp router-traffic
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 imaps
ip inspect name sdm_ins_in_100 http
ip inspect name VLAN90-interneal tcp
ip inspect name VLAN90-interneal udp
ip inspect name VLAN90-interneal dns
ip inspect name VLAN90-interneal ica
ip inspect name VLAN90-interneal ssh
ip inspect name VLAN90-interneal http urlfilter
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips name sdm_ips_rule
ip urlfilter allow-mode on
ip urlfilter exclusive-domain permit facebook.com
ip urlfilter exclusive-domain deny 192.168.1.150
ip urlfilter exclusive-domain deny 192.168.1.1
ip urlfilter exclusive-domain deny 192.168.1.90
ip urlfilter exclusive-domain deny 192.168.1.7
ip urlfilter exclusive-domain deny ftp
ip urlfilter exclusive-domain deny 192.168.1.92
ip urlfilter exclusive-domain deny 192.168.1.149
ip urlfilter exclusive-domain deny 192.168.1.180
ip urlfilter exclusive-domain deny 192.168.1.179
ip urlfilter exclusive-domain deny cisco
ip urlfilter exclusive-domain deny 192.168.1.70
ip urlfilter exclusive-domain deny cisco.local
ip urlfilter exclusive-domain deny 192.168.1.55
ip urlfilter urlf-server-log
ip ddns update method dyndns
HTTP
add http://xxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
!
ip ddns update method connect.xxxxx.ca
DDNS
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 192.168.1.1 255.255.255.0
ip access-group 104 in
ip access-group block-guest out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
no cdp enable
no mop enabled
!
interface FastEthernet0/0.5
description $FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 90
ip address 172.17.17.20 255.255.255.0
ip access-group 106 in
ip helper-address 192.168.1.59
ip helper-address 192.168.1.60
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect VLAN90-interneal in
ip inspect VLAN90-interneal out
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.20
description $FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 20
ip address 172.25.146.6 255.255.255.0
ip access-group 108 in
ip helper-address 192.168.1.59
ip helper-address 192.168.1.60
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.26
description $FW_INSIDE$$ETH-LAN$
encapsulation dot1Q 26
ip address 192.168.9.1 255.255.255.0
ip access-group 111 out
ip helper-address 192.168.1.59
ip helper-address 192.168.1.60
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname connect.exchangesolution.c
ip ddns update dyndns
ip address dhcp client-id FastEthernet0/1
ip access-group 109 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
router rip
version 2
passive-interface FastEthernet0/0.5
passive-interface FastEthernet0/0.20
passive-interface FastEthernet0/0.26
passive-interface FastEthernet0/1
network 172.17.0.0
network 172.20.0.0
network 172.25.0.0
network 192.168.1.0
network 192.168.9.0
!
ip forward-protocol nd
ip route 172.17.17.0 255.255.255.0 FastEthernet0/1 permanent
ip route 172.20.60.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.25.146.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.168.9.0 255.255.255.0 FastEthernet0/1 permanent
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source static udp 192.168.1.57 52525 interface FastEthernet0/1 52525 <---------- ALLOWED
ip nat inside source static tcp 192.168.1.57 52525 interface FastEthernet0/1 52525 <---------- ALSO ALLOWED
ip nat inside source static tcp 192.168.1.57 2525 interface FastEthernet0/1 2525
ip nat inside source static udp 192.168.1.57 2525 interface FastEthernet0/1 2525
ip nat inside source static udp 192.168.1.57 24 interface FastEthernet0/1 24
ip nat inside source static tcp 192.168.1.57 24 interface FastEthernet0/1 24
ip nat inside source static tcp 192.168.9.18 8602 interface FastEthernet0/1 8602
ip nat inside source static udp 192.168.9.18 88 interface FastEthernet0/1 88
ip nat inside source static udp 192.168.9.18 3074 interface FastEthernet0/1 3074
ip nat inside source static tcp 192.168.9.18 3074 interface FastEthernet0/1 3074
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.70 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.1.99 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.1.99 80 interface FastEthernet0/1 80
!
ip access-list extended block-guest
remark SDM_ACL Category=17
permit udp any eq 52525 any eq 52525 <----- ALLOWED
permit tcp any eq 52525 any eq 52525 <------- ALLOWED
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 15871
permit tcp any eq 24 any eq 24
permit udp any eq 24 any eq 24
permit udp any eq 2525 any eq 2525
permit tcp any eq 2525 any eq 2525
permit udp any eq ntp any eq ntp
permit udp any host 192.168.1.58 eq domain
permit udp any host 192.168.1.58 eq bootpc
deny ip 172.25.146.0 0.0.0.255 any
permit ip any any
ip access-list extended printer
permit ip host 172.17.17.35 any
ip access-list extended printer-allowed
permit tcp any any eq 9100
ip access-list extended sdm_fastethernet0/0.1_in
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.20.60.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.17.17.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.17.17.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any eq ntp any eq ntp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit udp any any
access-list 101 permit udp any any
access-list 101 permit ip host 192.168.1.16 any
access-list 101 permit ip host 192.168.1.17 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq ftp
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 permit udp any eq ntp any eq ntp
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq bootps any eq bootpc
access-list 102 deny ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any eq 52525 any eq 52525 <------- ALLOWED
access-list 104 permit udp any eq 52525 any eq 52525 <------- ALLOWED
access-list 104 permit udp any eq 2525 any eq 2525
access-list 104 permit tcp any eq 2525 any eq 2525
access-list 104 permit tcp any eq 24 any eq 24
access-list 104 permit udp any eq 24 any eq 24
access-list 104 permit udp host 192.168.1.58 eq domain any
access-list 104 permit udp host 192.168.1.59 eq domain any
access-list 104 permit udp host 192.168.1.59 eq 15868 host 192.168.1.1
access-list 104 permit udp host 192.168.1.58 eq 15868 host 192.168.1.1
access-list 104 permit tcp any eq 9100 any eq 9100
access-list 104 permit udp any eq 9100 any eq 9100
access-list 104 permit ip 172.17.17.0 0.0.0.255 any
access-list 104 permit udp 172.17.17.0 0.0.0.255 any
access-list 104 permit tcp 172.17.17.0 0.0.0.255 any
access-list 104 remark Auto generated by SDM for NTP (123) time.nist.com
access-list 104 permit udp host 74.54.82.185 eq ntp host 192.168.1.1 eq ntp
access-list 104 permit tcp 172.17.17.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 104 remark Auto generated by SDM for NTP (123) time.nist.com
access-list 104 permit tcp 172.17.17.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 172.25.146.6 eq 22
access-list 104 permit ip any host 224.0.0.9
access-list 104 permit udp any any eq rip
access-list 104 permit udp any any
access-list 104 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip any host 192.168.1.12
access-list 105 permit udp any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any eq 24 any eq 24
access-list 106 permit tcp any eq smtp any eq smtp
access-list 106 permit tcp any eq 9100 any eq 9100
access-list 106 permit udp any eq 9100 any eq 9100
access-list 106 permit udp any eq ntp any eq ntp
access-list 106 deny ip 172.25.146.0 0.0.0.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 106 permit udp any any
access-list 107 remark 107
access-list 107 remark SDM_ACL Category=16
access-list 107 permit tcp any eq www any
access-list 107 permit ip host 192.168.1.14 any
access-list 107 permit ip host 192.168.1.15 any
access-list 107 permit ip host 192.168.1.16 any
access-list 107 permit ip host 192.168.1.17 any
access-list 107 permit udp any eq ntp any eq ntp
access-list 107 remark Auto generated by SDM for NTP (123) time.nist.com
access-list 107 permit udp host 74.54.82.185 eq ntp any eq ntp
access-list 107 permit tcp any any eq ftp
access-list 107 permit tcp any any eq 443
access-list 107 permit tcp any any eq www
access-list 107 permit ahp any any
access-list 107 permit esp any any
access-list 107 permit udp any any eq isakmp
access-list 107 permit udp any any eq non500-isakmp
access-list 107 permit udp any eq bootps any eq bootps
access-list 107 permit udp any eq bootps any eq bootpc
access-list 107 permit icmp any any echo-reply
access-list 107 permit icmp any any time-exceeded
access-list 107 permit icmp any any unreachable
access-list 107 deny ip 10.0.0.0 0.255.255.255 any
access-list 107 permit ip host 192.168.1.12 any
access-list 107 permit ip host 192.168.1.13 any
access-list 107 deny ip 127.0.0.0 0.255.255.255 any
access-list 107 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 107 deny ip host 255.255.255.255 any
access-list 107 deny ip any any log
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 permit tcp any eq 24 any eq 24
access-list 108 permit udp any eq ntp any eq ntp
access-list 108 permit ip any any
access-list 108 permit udp any any
access-list 109 remark SDM_ACL Category=1
access-list 109 permit tcp any eq 52525 any eq 52525 <------- ALLOWED
access-list 109 permit udp any eq 52525 any eq 52525 <------- ALLOWED
access-list 109 permit udp any eq 2525 any eq 2525
access-list 109 permit tcp any eq 2525 any eq 2525
access-list 109 permit udp any eq 24 any eq 24
access-list 109 permit tcp any eq 24 any eq 24
access-list 109 permit udp any any
access-list 109 remark smtp
access-list 109 permit tcp any eq smtp any eq smtp
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 permit udp host 64.59.176.15 eq domain any
access-list 109 permit tcp any any eq ftp
access-list 109 permit tcp any any eq 443
access-list 109 permit tcp any any eq www
access-list 109 permit udp host 64.59.176.13 eq domain any
access-list 109 remark Auto generated by SDM for NTP (123) 74.54.82.185
access-list 109 permit udp host 74.54.82.185 eq ntp any eq ntp
access-list 109 permit ahp any any
access-list 109 permit esp any any
access-list 109 permit udp any any eq isakmp
access-list 109 permit udp any any eq non500-isakmp
access-list 109 deny ip 172.17.17.0 0.0.0.255 any
access-list 109 permit udp any eq bootps any eq bootps
access-list 109 permit udp any eq bootps any eq bootpc
access-list 109 permit icmp any any echo-reply
access-list 109 permit icmp any any time-exceeded
access-list 109 permit icmp any any unreachable
access-list 109 deny ip 10.0.0.0 0.255.255.255 any
access-list 109 deny ip 172.16.0.0 0.15.255.255 any
access-list 109 deny ip 192.168.0.0 0.0.255.255 any
access-list 109 deny ip 127.0.0.0 0.255.255.255 any
access-list 109 deny ip host 255.255.255.255 any
access-list 109 deny ip any any log
access-list 111 permit ip 192.168.9.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 10
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 012703055609140E31181C59
!
ntp server 74.54.82.185 source FastEthernet0/1 prefer
!
end
ASKER
CanYouSeeMe.org
Your IP: 174.5.x.x
What Port? 52525
Error: I could not see your service on 174.5.180.195 on port (52525)
Reason: Connection timed out
When I replace the Cisco 2651XM with my home $40 Cisco router I get (I wanted to make sure the ISP didn't block 52525, which it doesn't):
Success: I can see your service on 174.5.x.x on port (52525)
Please remove your type 7 password as it can be decrypted.
Please use enable secret password for MD5 encryption.
I have seen issues using high port numbers even though they are "available" the firewall may be using those ports for return traffic. Have you tried any ports below 30000?
ASKER
Yes, same issue. As you can see I tried 2525 and 24 and kept them for ease in case 52525 didn't work. Does it look OK configuration-wise?
How do I remove type 7?
ok, assume your mail server inside your network is listening on port 2525.
ASKER
Yes, it is listening on 52525 and I can telnet to it inside. And like I said, when I replace the Cisco router with the HOME unsecured router it works from external too. So it IS something to do with this Cisco device...
ASKER
Could it be because the port mapping isn't right?
I want to concentrate on using port 2525 not the 52525 port since this could have inherent issues.
ASKER
Okay, I'll change it back. Do you also suggest making a port map as well for this and the SMTP protocol?
ASKER
Same thing with port 2525... this router is driving me crazy! I think I'm going to buy a WatchGuard unit... anyone have any final ideas?... I'm about ready to smash this thing! lol
WatchGuard, I say YES! Always love replacing the ASA's with XTM's. But, have you removed all the rules for port 52525?
access-list 104 permit udp any eq 2525 host 192.168.0.x eq 2525
access-list 104 permit tcp any eq 2525 host 192.168.0.x eq 2525
X is your internal mail server IP.
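Two points in the thread are worth checking mechanically: the asker's question about whether CBAC inspection is what drops the traffic, and the ACE form used for port 52525 (and 2525) throughout the posted config. `ip inspect SDM_LOW out` on FastEthernet0/1 only opens return paths for sessions that inside hosts initiate; an unsolicited inbound connection to 52525 is decided purely by ACL 109, which is applied inbound on the outside interface and is evaluated before the static NAT translation, so the destination the ACL sees is the router's WAN address. An ACE written as `permit tcp any eq 52525 any eq 52525` matches only when the connecting host's source port is also 52525, and an SMTP client connects from an ephemeral port, so no permit line matches and the final `deny ip any any log` drops the SYN. The following is an added example, not code from the thread, the router, or Cisco: a small first-match ACL walker run over the relay-related lines of ACL 109 as posted. The WAN address, the relay's address and the ephemeral port are constructed placeholders, and the destination-port-only ACE is a hypothetical line shown for contrast.

```python
"""Added example, not from the thread: walk a Cisco IOS numbered ACL the way the
router does (first match wins, implicit deny at the end) and flag ACEs that pin
the client's source port. Addresses below are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords used in the posted ACLs -> port numbers
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ntp": 123, "ftp": 21,
              "rip": 520, "bootps": 67, "bootpc": 68, "isakmp": 500,
              "non500-isakmp": 4500, "cmd": 514}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]           # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None = any destination port
    text: str


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' [eq PORT]; return (net, port, next_i)."""
    if toks[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif toks[i] == "host":
        net, i = ipaddress.IPv4Network(toks[i + 1]), i + 2
    else:  # wildcard mask: set bits are "don't care" (assumed contiguous)
        wild = int(ipaddress.IPv4Address(toks[i + 1]))
        net = ipaddress.IPv4Network((toks[i], 32 - wild.bit_length()), strict=False)
        i += 2
    port = None
    if i < len(toks) and toks[i] == "eq":
        port, i = _port(toks[i + 1]), i + 2
    return net, port, i


def parse_acl(lines):
    """'access-list N permit|deny PROTO SRC DST [log]' lines -> Ace list (remarks skipped)."""
    aces = []
    for line in lines:
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        src, sport, i = _addr(toks, 4)
        dst, dport, _ = _addr(toks, i)          # trailing 'log' etc. ignored
        aces.append(Ace(toks[2], toks[3], src, sport, dst, dport, line.strip()))
    return aces


def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE decides; return (action, ACE text)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if a.sport not in (None, sport) or a.dport not in (None, dport):
            continue
        return a.action, a.text
    return "deny", "<implicit deny ip any any>"


def pinned_source_ports(aces):
    """ACEs that only match when the client also uses the server port."""
    return [a.text for a in aces if a.sport is not None and a.sport == a.dport]


PUBLIC_IP = "198.51.100.5"   # placeholder for the router's WAN address
RELAY_IP = "203.0.113.10"    # placeholder for the relay service's address
# Relay-related lines of the inbound ACL on the outside interface, as posted.
# Inbound ACLs are evaluated before NAT, so the destination is the WAN address.
ACL_109 = [
    "access-list 109 permit tcp any eq 52525 any eq 52525",
    "access-list 109 permit udp any eq 52525 any eq 52525",
    "access-list 109 permit udp any eq 2525 any eq 2525",
    "access-list 109 permit tcp any eq 2525 any eq 2525",
    "access-list 109 permit udp any any",
    "access-list 109 permit tcp any eq smtp any eq smtp",
    "access-list 109 permit tcp any any eq www",
    "access-list 109 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 109 deny ip any any log",
]
# Hypothetical ACE that keys on the destination port only, for contrast.
DPORT_ONLY_ACE = ["access-list 109 permit tcp any host %s eq 52525" % PUBLIC_IP]


def relay_verdict(acl_lines, sport=40321):
    """Verdict for a relay SMTP client connecting to tcp/52525 from port `sport`."""
    return evaluate(parse_acl(acl_lines), "tcp", RELAY_IP, sport, PUBLIC_IP, 52525)[0]


if __name__ == "__main__":
    print("ephemeral source port :", relay_verdict(ACL_109))           # deny
    print("source port 52525     :", relay_verdict(ACL_109, 52525))    # permit
    print("dport-only ACE first  :", relay_verdict(DPORT_ONLY_ACE + ACL_109))
    for t in pinned_source_ports(parse_acl(ACL_109)):
        print("pinned source port    :", t)
```

The walker reports the same thing for every `any eq X any eq X` line in the posted config, including the ones for 2525 and 24, which is consistent with the asker seeing identical behaviour after moving to 2525: the port number was never the variable that mattered. The `deny ip any any log` at the end of ACL 109 means the dropped SYNs should already be visible in the router's log buffer, which is the quickest confirmation before touching anything else.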
ASKER
I am about to try this and see what happens. Would you say YES to WatchGuard X23 OVER SonicWall NSA 240? I'm torn between the two. As much as I like Cisco, I find configs take longer than they should, yet I'm CCNA certified. Maybe I'm just stupid, but I'd rather spend more time on other tasks than fighting with equipment. I've heard EXCELLENT things about both WatchGuard AND SonicWall. Your thoughts?...
I'll post back in an hour or two when I get these configs done.
ASKER CERTIFIED SOLUTION
ASKER
Yeah, I think the X22 or X23 would be perfectly suited. Besides eBay, where I can probably find one cheap, do you know of any great retailers that offer great pricing?
We are a reseller. I can get you a quote.
ASKER
Please do.
ASKER
Also, I agree. Personally I like:
Cisco - routers
watchguard / sonicwall - firewall
HP procurve - switches
email info@lfitservices.com so I can get your email address. Thanks.
ASKER
Done. Check your inbox, thanks.
ASKER
Get rid of Cisco. Great answer :)