
Solved

Publish imap to internet on a Cisco pix with ISA server

Posted on 2012-09-21
Medium Priority
889 Views
Last Modified: 2013-02-11
Hi Guys,

A client uses a Cisco PIX and an ISA server.
The only open port is 25 (SMTP).
Now I am trying to publish IMAP to get email on mobile phones.

On the PIX I have added these additional rules (in bold) on lines 57, 89, 301.
Are the rules correct? How do I publish IMAP on the ISA server?

Thanks

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password enO4Oszlec9w1AmAwd encrypted
passwd enOzsszc9w1AmzAwd encrypted
hostname xxxxxx
domain-name write
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network lan_to_out
  network-object host 192.168.100.98
  network-object host 192.168.100.134
  network-object host 192.168.100.136
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.2 eq ftp
access-list from_lan permit icmp 192.168.100.0 255.255.255.0 host 172.16.0.2
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.2 eq 8080
access-list from_lan permit udp host 192.168.100.21 any
access-list from_lan permit tcp host 192.168.100.21 any
access-list from_lan permit tcp host 192.168.100.12 host 172.16.0.2 eq smtp
access-list from_lan permit icmp host 192.168.100.18 any
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list from_lan permit icmp 192.168.100.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list from_lan permit tcp 192.168.101.0 255.255.255.0 host 172.16.0.2 eq ftp
access-list from_lan permit icmp 192.168.101.0 255.255.255.0 host 172.16.0.2
access-list from_lan permit tcp 192.168.101.0 255.255.255.0 host 172.16.0.2 eq 8080
access-list from_lan permit tcp host 192.168.100.18 host 172.16.0.2 eq 5900
access-list from_lan permit tcp host 192.168.100.18 host 172.16.0.2 eq netbios-ssn
access-list from_lan permit udp 192.168.100.0 255.255.255.0 host 172.16.0.2 eq ntp
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.2 eq www
access-list from_lan permit udp host 192.168.100.22 any eq domain
access-list from_lan permit tcp host 192.168.100.18 any
access-list from_lan permit tcp host 192.168.100.18 host 172.16.0.1 eq 11813
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 any eq ftp
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.2 eq 8082
access-list from_lan permit tcp host 192.168.100.250 any eq https
access-list from_lan permit tcp host 192.168.100.250 any eq 7443
access-list from_lan permit tcp host 192.168.100.250 any eq 7444
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host 172.16.0.2 eq 3389
access-list from_lan permit ip 192.168.100.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host x.x.x.80 eq ftp
access-list from_lan permit tcp object-group lan_to_out any eq ftp
access-list from_lan permit udp 192.168.100.0 255.255.255.0 any eq ntp
access-list from_lan permit tcp host 192.168.100.11 172.16.0.0 255.255.255.0 eq smtp
: added rule (marked in bold in the original post)
access-list from_lan permit tcp host 192.168.100.11 172.16.0.0 255.255.255.0 eq imap4
access-list from_lan permit tcp host 192.168.100.11 any eq domain
access-list from_lan permit udp host 192.168.100.11 any eq domain
access-list from_lan permit tcp host 192.168.100.11 any eq www
access-list from_lan permit tcp host 192.168.100.11 any eq https
access-list from_lan permit icmp 192.168.100.0 255.255.255.0 any
access-list from_lan permit tcp host 192.168.100.16 any eq www
access-list from_lan permit tcp host 192.168.100.16 any eq https
access-list from_lan permit tcp host 192.168.100.28 any eq www
access-list from_lan permit tcp host 192.168.100.28 any eq https
access-list from_lan permit ip host 192.168.100.16 172.16.0.0 255.255.255.0
access-list from_lan permit ip host 192.168.100.28 172.16.0.0 255.255.255.0
access-list from_lan permit tcp object-group lan_to_out any eq telnet
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host x.x.x.26 eq https
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host x.x.x.85 eq www
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host x.x.x.26 eq www
access-list from_lan permit tcp 192.168.100.0 255.255.255.0 host x.x.x.26 eq telnet
access-list from_dmz permit tcp host 172.16.0.2 any eq smtp
access-list from_dmz permit tcp host 172.16.0.2 any eq www
access-list from_dmz permit tcp host 172.16.0.2 any eq ftp
access-list from_dmz permit tcp host 172.16.0.2 any eq https
access-list from_dmz permit tcp host 172.16.0.2 any eq domain
access-list from_dmz permit udp host 172.16.0.2 any eq domain
access-list from_dmz permit udp host 172.16.0.2 any eq ntp
access-list from_dmz permit tcp host 172.16.0.2 any eq 8082
access-list from_dmz permit tcp 172.16.0.0 255.255.255.0 host 192.168.100.11 eq smtp
: added rule (marked in bold in the original post)
access-list from_dmz permit tcp 172.16.0.0 255.255.255.0 host 192.168.100.11 eq imap4
access-list from_dmz permit icmp host 172.16.0.2 host 172.16.0.28
access-list from_dmz permit ip 172.16.0.0 255.255.255.0 host 172.16.0.16
access-list from_dmz permit ip 172.16.0.0 255.255.255.0 host 172.16.0.28
access-list from_dmz permit icmp host 172.16.0.2 any
access-list from_internet permit tcp any host x.x.x.187 eq smtp
: added rule (marked in bold in the original post)
access-list from_internet permit tcp any host x.x.x.187 eq imap4
access-list from_internet permit icmp any host x.x.x.187
access-list from_internet permit icmp any host x.x.x.186
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.103.0 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.103.0 255.255.255.240
access-list acl-split permit ip 192.168.103.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl-split permit ip 192.168.100.0 255.255.255.0 192.168.103.0 255.255.255.0
access-list from_dmw permit ip 172.16.0.0 255.255.255.0 host 172.16.0.28
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.100.19
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.186 255.255.255.248
ip address inside 192.168.100.20 255.255.255.0
ip address dmz 172.16.0.20 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.103.1-192.168.103.10
pdm location 192.168.100.65 255.255.255.255 inside
pdm location 192.168.100.12 255.255.255.255 inside
pdm location 192.168.100.19 255.255.255.255 inside
pdm location 192.168.100.21 255.255.255.255 inside
pdm location 192.168.100.66 255.255.255.255 inside
pdm location 192.168.100.127 255.255.255.255 inside
pdm location 172.16.0.2 255.255.255.255 dmz
pdm location x.x.x.231 255.255.255.255 outside
pdm location x.x.x.231 255.255.255.255 outside
pdm location 192.168.96.0 255.255.255.0 inside
pdm location 192.168.101.0 255.255.255.0 inside
pdm location 192.168.100.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 172.16.0.30
global (dmz) 2 172.16.0.31
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
nat (inside) 2 192.168.101.0 255.255.255.0 0 0
static (inside,dmz) 172.16.0.12 192.168.100.12 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.21 192.168.100.21 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.11 192.168.100.11 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.16 192.168.100.16 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.0.28 192.168.100.28 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.187 172.16.0.2 netmask 255.255.255.255 0 0
access-group from_internet in interface outside
access-group from_lan in interface inside
access-group from_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 46.35.18.185 1
route inside 172.16.10.0 255.255.255.252 192.168.100.7 1
route inside 192.168.96.0 255.255.255.0 192.168.100.5 1
route inside 192.168.101.0 255.255.255.0 192.168.100.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:01:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ntp server 172.16.0.2 source dmz prefer
http server enable
http 212.119.11.35 255.255.255.255 outside
http 192.168.100.21 255.255.255.255 inside
http 192.168.100.65 255.255.255.255 inside
http 192.168.100.66 255.255.255.255 inside
http 192.168.100.18 255.255.255.255 inside
http 192.168.100.28 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set jct esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map xxxxxx 20 ipsec-isakmp dynamic outside_dyn_map
crypto map xxxxxx client authentication LOCAL
crypto map xxxxx  interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp key ******** address x.x.x.167 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
vpngroup password idle-time 1800
vpngroup xxx address-pool ippool
vpngroup xxx dns-server 192.168.100.28
vpngroup xxx wins-server 192.168.100.28
vpngroup xxx default-domain xxxxx.fr
vpngroup xxx split-tunnel acl-split
vpngroup xxx idle-time 1800
vpngroup xxx password ********
telnet x.x.x.145 255.255.255.255 outside
telnet 192.168.100.18 255.255.255.255 inside
telnet 192.168.100.24 255.255.255.255 inside
telnet timeout 5
ssh x.x.x.25 255.255.255.255 outside
ssh x.x.x.104 255.255.255.255 outside
ssh x.x.x.3 255.255.255.255 outside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username xxxx password xxxxxxxxx encrypted privilege 15
terminal width 80
Cryptochecksum:ec2cb2db06x353e95fc15c0c1f
: end

[Screenshot: Isa Rules (the ISA firewall policy; image not included)]


Thanks for your help !!
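As an added worked example (editor's code, not part of the thread and not a Cisco tool), the script below models the part of the posted PIX configuration that the IMAP path crosses and answers, for each hop, whether the interface ACL permits the packet and what the static translates the destination to. It assumes PIX 6.x behaviour, where an interface ACL is evaluated on the packet as it arrives, that is on the mapped address: the posted from_internet rules are written against x.x.x.187 rather than 172.16.0.2 for exactly that reason, and by the same logic a rule on the dmz interface for the Exchange server has to name its mapped DMZ address 172.16.0.11 (from the static (inside,dmz) line), not 192.168.100.11. The embedded config is a constructed subset of the post, with 192.0.2.187 (TEST-NET-1) standing in for the redacted x.x.x.187 and 198.51.100.7 as a constructed Internet client; the function names parse_config, check_flow and find_real_address_aces are the editor's own. The script models only the PIX; it does not model the Exchange NIC that a later comment places at 172.16.0.11, which would not traverse the firewall at all.

```python
"""Editor-added example: evaluate PIX 6.x ACL + static behaviour for one flow.
Not from the original post or from Cisco; models only access-list (any/host/net),
one-to-one static NAT and access-group, with first-match ACL semantics and an
implicit deny.  PIX 6.x matches an interface ACL on the packet as received,
i.e. on the *mapped* address when a static is involved."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80,
              "ntp": 123, "imap4": 143, "https": 443}

# Constructed subset of the posted config.  192.0.2.187 (TEST-NET-1) stands in
# for the redacted public address x.x.x.187.
PIX_CONFIG = """
static (inside,dmz) 172.16.0.11 192.168.100.11 netmask 255.255.255.255 0 0
static (dmz,outside) 192.0.2.187 172.16.0.2 netmask 255.255.255.255 0 0
access-list from_dmz permit tcp host 172.16.0.2 any eq smtp
access-list from_dmz permit tcp 172.16.0.0 255.255.255.0 host 192.168.100.11 eq smtp
access-list from_dmz permit tcp 172.16.0.0 255.255.255.0 host 192.168.100.11 eq imap4
access-list from_internet permit tcp any host 192.0.2.187 eq smtp
access-list from_internet permit tcp any host 192.0.2.187 eq imap4
access-group from_internet in interface outside
access-group from_dmz in interface dmz
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any port
    text: str


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Address
    real: ipaddress.IPv4Address


def _addr(tok, i):
    """Consume one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "object-group":
        raise ValueError("object-group operands are not modelled here")
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(text):
    """Return (acls, statics, access_groups) from PIX-style config text."""
    acls, statics, groups = {}, [], {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            dport = None
            if i + 1 < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(tok[1], []).append(Ace(tok[2], tok[3], src, dst, dport, line.strip()))
        elif tok and tok[0] == "static":          # static (real_if,mapped_if) MAPPED REAL ...
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append(Static(real_if, mapped_if, ipaddress.ip_address(tok[2]),
                                  ipaddress.ip_address(tok[3])))
        elif tok and tok[0] == "access-group":    # access-group NAME in interface IFACE
            groups[tok[4]] = tok[1]
    return acls, statics, groups


def check_flow(cfg, ingress, src, dst, proto, dport):
    """Verdict for a packet arriving on `ingress` whose header carries `dst`
    (the mapped address, if any).  Returns the first matching ACE and the real
    destination after the static that faces `ingress` is applied."""
    acls, statics, groups = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matched = next((a for a in acls.get(groups.get(ingress, ""), [])
                    if a.proto in (proto, "ip") and src in a.src and dst in a.dst
                    and a.dport in (None, dport)), None)
    real = next((str(s.real) for s in statics if s.mapped_if == ingress and s.mapped == dst), None)
    return {"permitted": matched is not None and matched.action == "permit",
            "matched": matched.text if matched else None, "real_dst": real}


def find_real_address_aces(cfg, ingress):
    """ACEs on `ingress` whose host destination is the *real* side of a static
    whose mapped side faces this interface.  Packets arriving here carry the
    mapped address, so such an ACE can never match."""
    acls, statics, groups = cfg
    return [(a.text, f"rewrite as host {s.mapped}")
            for a in acls.get(groups.get(ingress, ""), []) for s in statics
            if s.mapped_if == ingress and a.dst.num_addresses == 1 and s.real in a.dst]


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    print(check_flow(cfg, "outside", "198.51.100.7", "192.0.2.187", "tcp", 143))  # permitted, real_dst 172.16.0.2
    print(check_flow(cfg, "dmz", "172.16.0.2", "172.16.0.11", "tcp", 25))         # permitted by 'any eq smtp'
    print(check_flow(cfg, "dmz", "172.16.0.2", "172.16.0.11", "tcp", 143))        # implicit deny
    for text, fix in find_real_address_aces(cfg, "dmz"):
        print("never matches on dmz:", text, "=>", fix)
    fixed = parse_config(PIX_CONFIG +
                         "access-list from_dmz permit tcp host 172.16.0.2 host 172.16.0.11 eq imap4\n")
    print(check_flow(fixed, "dmz", "172.16.0.2", "172.16.0.11", "tcp", 143))      # permitted, real_dst 192.168.100.11
```

Run as posted, the model reproduces the author's telnet results on the PIX side: the SMTP probe from the proxy to 172.16.0.11 is permitted by the earlier `access-list from_dmz permit tcp host 172.16.0.2 any eq smtp` entry, whereas the imap4 entry written against 192.168.100.11 never matches a packet arriving on dmz, so port 143 falls through to the implicit deny. find_real_address_aces() flags both entries that name the real address, and the last check shows the same flow permitted once an ACE naming host 172.16.0.11 is appended (new ACEs go to the end of the list, as on the PIX, and first match wins).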
Question by:wahrani16
10 Comments

Expert Comment

by:Matt V
ID: 38421995
In the ISA Firewall Manager, click on Firewall Policy in the left pane and look for a rule in the right pane that allows SMTP inbound.

Edit the rule and, on the Protocols tab, add IMAP to the list of allowed protocols.

You may also want to update the rule description to read "Inbound Mail connections" or something similar.

Expert Comment

by:Matt V
ID: 38422002
Just realized you had the image of your ISA rules there.  You can also create another rule called IMAP inbound that is the exact same as SMTP Inbound but uses IMAP in the protocol tab instead of SMTP.

Author Comment

by:wahrani16
ID: 38422717
Hi,
I have copied the inbound SMTP rule and changed just the protocol, but it is still not responding...

From the proxy:
telnet 172.16.0.2  25   ok     (172.16.0.2 is the proxy IP address, with one Ethernet card)
telnet 172.16.0.2  143  nok
telnet 172.16.0.11 25   ok     (172.16.0.11 is the IP of the Exchange server, eth1)
telnet 172.16.0.11 143  nok

From the LAN:
telnet from the LAN to 192.168.100.11 25   ok
telnet from the LAN to 192.168.100.11 143  ok
Users on the local network can get their email (IMAP) and I can telnet to 192.168.100.11 from the LAN.

Thanks,

...

Expert Comment

by:Matt V
ID: 38423774
You may have to allow outbound IMAP, similar to rules #6 and #7.

Author Comment

by:wahrani16
ID: 38425911

Author Comment

by:wahrani16
ID: 38425922
Hi mattvmotas, I have added the 2 rules for IMAP but it's the same.

Are you sure the rules to modify are 6 and 7 and not rule 5? I have also tested by copying and pasting rule 5 and changing the protocol to IMAP, but it is the same problem: I cannot telnet to port 143.

Thanks,

Author Comment

by:wahrani16
ID: 38426536
If the rule works, should I be able to telnet to the proxy server on port 143???
Actually I can't! But telnet to the proxy server on port 25 works!!

From the proxy (172.16.0.2), telnet to 172.16.0.11 port 25 is ok.
From the proxy (172.16.0.2), telnet to 172.16.0.11 port 143 is nok.

Thanks !!
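The manual telnet checks in this comment and the earlier one (proxy and Exchange on ports 25 and 143, from the proxy and from the LAN) can be turned into a repeatable reachability matrix. The script below is an added example, not code from the thread, from Cisco or from Microsoft. It probes each host/port pair and separates a refused connection (the host was reached, nothing listens or nothing is published on that port) from a timeout (no answer at all, the usual sign of a firewall dropping the SYN on the path), which is the distinction that tells whether the PIX, the ISA server or Exchange is the hop not answering on 143. The addresses in PROBES are the thread's; demo_local() runs the same logic against a listener on 127.0.0.1 so the script can be exercised offline.

```python
import socket
import threading
from typing import Dict, List, Tuple

Probe = Tuple[str, str, int]  # (label, host, port)

# The targets the thread tests by hand with telnet (addresses taken from the thread).
PROBES: List[Probe] = [
    ("proxy smtp", "172.16.0.2", 25),
    ("proxy imap", "172.16.0.2", 143),
    ("exchange smtp", "172.16.0.11", 25),
    ("exchange imap", "172.16.0.11", 143),
]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    'ok'      - handshake completed: a listener exists and the path is open.
    'refused' - RST came back: the host was reached but nothing accepts on that
                port (no service, or no publishing rule), so the block is on the
                host rather than on the network path.
    'timeout' - no answer at all: the usual signature of a firewall silently
                dropping the SYN somewhere in between.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # unreachable network, name resolution failure, ...
        return f"error:{exc.errno}"


def probe_matrix(probes: List[Probe], timeout: float = 3.0) -> Dict[str, str]:
    """Run every probe and return {label: outcome}."""
    return {label: probe_tcp(host, port, timeout) for label, host, port in probes}


def demo_local() -> Dict[str, str]:
    """Offline demonstration on 127.0.0.1: one listening port and one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Obtain a port that is currently free by binding it and releasing it again.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    def accept_once() -> None:
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass  # listener was closed before or during accept

    threading.Thread(target=accept_once, daemon=True).start()
    try:
        return probe_matrix(
            [("open port", "127.0.0.1", open_port),
             ("closed port", "127.0.0.1", closed_port)],
            timeout=2.0,
        )
    finally:
        listener.close()


if __name__ == "__main__":
    # Run this from the proxy, from the LAN and from outside: the point at which
    # 143 changes from 'ok' to 'refused' or 'timeout' is the hop to look at.
    for label, outcome in probe_matrix(PROBES).items():
        print(f"{label:15s} {outcome}")
```

Applied to the numbers in the thread: a "refused" on 172.16.0.11:143 from the proxy points at the Exchange side (no IMAP listener on that interface, or a host firewall), whereas a "timeout" points at a device in the path dropping the packet.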

Expert Comment

by:Matt V
ID: 38428209
Check the ISA server logs to see what traffic is being allowed and blocked, maybe that will help you figure out which rule is wrong.
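Following the suggestion to read the ISA logs: the script below is an added example, not part of the thread and not Microsoft tooling. It parses a W3C extended-format firewall log (tab-delimited data lines under a "#Fields:" header, the layout ISA writes) and tallies, per rule, which connections to a given port were allowed and which were denied, so the rule that is blocking 143 can be read off rather than guessed. The log lines, column names, addresses and rule names in SAMPLE_LOG are constructed for the demonstration; the parser takes its column names from the "#Fields:" line, so it works on a real export as long as dest-port, action and rule columns are present.

```python
import io
from collections import Counter
from typing import Dict, List

# Constructed sample in W3C extended log format: a '#Fields:' directive names the
# columns and data lines are tab-delimited. ISA's firewall log uses this layout;
# the specific column names, addresses and rule names here are illustrative only.
SAMPLE_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server\n"
    "#Fields:\tclient-ip\tlog-date\tlog-time\tdest-ip\tdest-port\tprotocol\ttransport\taction\trule\n"
    "172.16.0.2\t2012-09-21\t10:01:02\t172.16.0.11\t25\tSMTP\tTCP\tInitiated Connection\tSMTP Inbound\n"
    "172.16.0.2\t2012-09-21\t10:01:09\t172.16.0.11\t143\tIMAP4\tTCP\tDenied Connection\tDefault rule\n"
    "192.168.100.18\t2012-09-21\t10:02:15\t192.168.100.11\t143\tIMAP4\tTCP\tInitiated Connection\tIMAP Inbound\n"
    "172.16.0.2\t2012-09-21\t10:03:40\t172.16.0.11\t143\tIMAP4\tTCP\tDenied Connection\tDefault rule\n"
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per data line, keyed by the
    column names given in the most recent '#Fields:' directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if not fields:
            raise ValueError("data line appears before a #Fields: directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def port_summary(text: str, port: int) -> Dict[str, Dict[str, int]]:
    """Return {'allowed': {rule: n}, 'denied': {rule: n}} for connections to `port`.

    The outcome is read from the 'action' column; an action starting with
    'Denied' is a block, everything else (initiated/closed connection records
    that a permitted flow produces) is counted as allowed by the named rule.
    """
    allowed: Counter = Counter()
    denied: Counter = Counter()
    for row in parse_w3c(text):
        if row.get("dest-port") != str(port):
            continue
        rule = row.get("rule", "<no rule>")
        if row.get("action", "").startswith("Denied"):
            denied[rule] += 1
        else:
            allowed[rule] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    for p in (25, 143):
        print(p, port_summary(SAMPLE_LOG, p))
```

On a real export, replace SAMPLE_LOG with the file contents; a port whose denials all land on the default rule means no publishing rule matched the connection at all, while denials attributed to a named rule point at that rule's protocol, listener or network settings.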

Accepted Solution

by:
wahrani16 earned 0 total points
ID: 38861082
I have changed the proxy configuration and removed the ISA server.
Thanks for your help.

Author Closing Comment

by:wahrani16
ID: 38875477
I have removed the ISA server.