adding access-list changes for 877

m4itconsulting
Level 1

Hi all,

I have inherited a Cisco 877 router and have never worked on one before so am still very green with the Cisco IOS. I need to open ports 143 and 993 for IMAP4 so that users can sync their Smart Phones (Android, iPhone, iPads) with the Exchange Server 2003. With every other router/firewall I have worked on (Juniper, Watchguard, Netcomm, Netgear etc) all I have needed to do was to open these ports and direct them to the Exchange server.

Below is the current config:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname border-xxxxx-router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
!
aaa new-model
!
!
aaa authentication login AUTH_MAIN local
aaa authentication login AUTH_VPN group radius local
aaa authorization exec default none
aaa authorization network AUTHO_VPN local
!
aaa session-id common
clock timezone AEST 10
!
!
dot11 syslog
ip cef
!
!
!
!
ip domain name xxxxx.com.au
ip inspect name WAN_OUT http
ip inspect name WAN_OUT https
ip inspect name WAN_OUT smtp
ip inspect name WAN_OUT ssh
ip inspect name WAN_OUT tcp
ip inspect name WAN_OUT udp
ip inspect name WAN_OUT ftp
ip inspect name WAN_OUT ftps
ip inspect name WAN_OUT dns
ip inspect name WAN_OUT dnsix
ip inspect name WAN_OUT imap
ip inspect name WAN_OUT imap3
ip inspect name WAN_OUT imaps
ip inspect name WAN_OUT ipass
ip inspect name WAN_OUT ldap
ip inspect name WAN_OUT ldap-admin
ip inspect name WAN_OUT ldaps
ip inspect name WAN_OUT isakmp
ip inspect name WAN_OUT kerberos
ip inspect name WAN_OUT pop3
ip inspect name WAN_OUT mysql
ip inspect name WAN_OUT ntp
ip inspect name WAN_OUT snmp
ip inspect name WAN_OUT telnet
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 5
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxx
 key xxxxxxxx
 dns 192.168.0.1 4.2.2.2
 pool ippool
 acl 101
 max-users 25
 max-logins 10
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list AUTH_VPN
crypto map clientmap isakmp authorization list AUTHO_VPN
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 300
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
 switchport access vlan 100
!
interface FastEthernet2
 switchport access vlan 100
!
interface FastEthernet3
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.0.254 255.255.255.0
 ip access-group LAN_IN in
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip access-group WAN_IN in
 ip access-group WAN_OUT out
 ip mtu 1452
 ip nat outside
 ip inspect WAN_OUT out
 no ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer watch-group 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxx@xxxx.xxx.xx
 ppp chap password 7 xxxxxxxxxxxxxxxx
 ppp pap sent-username xxxx@xxxx.xxx.xx password 7 xxxxxxxxxxxxxxxx
 crypto map clientmap
!
ip local pool ippool 192.168.100.50 192.168.100.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat source list NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.0.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.1 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.1 993 interface Dialer1 993 <--- added
ip nat inside source static tcp 192.168.0.1 143 interface Dialer1 143 <--- added
ip nat inside source static tcp 192.168.0.1 47 interface Dialer1 47 <--- added
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended LAN_IN
 permit tcp host 192.168.0.1 any eq smtp log
 deny   tcp any any eq smtp log
 remark Deny spoofing
 permit ip 192.168.0.0 0.0.0.255 any log
 deny   ip any any log
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
ip access-list extended WAN_IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any log
 permit ahp any any log
 permit esp any any log
 remark Deny Spoofing
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp any any eq smtp log
 permit tcp any any eq pop3 log
 permit tcp any any eq 443 log
 deny   icmp any any echo log
 deny   icmp any any echo-reply log
 deny   ip any any log
!
ip radius source-interface Vlan100
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
snmp-server trap-source Dialer1
!
!
!
route-map NAT permit 10
 match ip address NAT
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 01270532484A3733681F745F5051580B
!
control-plane
!
line con 0
 login authentication AUTH_MAIN
 no modem enable
line aux 0
 login authentication AUTH_MAIN
line vty 0 4
 login authentication AUTH_MAIN
 transport input ssh
!
scheduler max-task-time 5000
end

I have added the following lines:

ip nat inside source static tcp 192.168.0.1 993 interface Dialer1 993
ip nat inside source static tcp 192.168.0.1 143 interface Dialer1 143
ip nat inside source static tcp 192.168.0.1 47 interface Dialer1 47

Where 192.168.0.1 is the Exchange Server, I need to add corresponding access-lists. Currently the access-list looks like this:

Extended IP access list 101
    10 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
Extended IP access list LAN_IN
    10 permit tcp host 192.168.0.1 any eq smtp log (120076 matches)
    20 deny tcp any any eq smtp log
    30 permit ip 192.168.0.0 0.0.0.255 any log (2549755 matches)
    40 deny ip any any log (84 matches)
Extended IP access list NAT
    10 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 (857310 matches)
    20 permit ip 192.168.0.0 0.0.0.255 any (66264 matches)
    30 deny ip any any (27101 matches)
Extended IP access list WAN_IN
    10 permit udp any any eq isakmp (1323 matches)
    20 permit udp any any eq non500-isakmp (595312 matches)
    30 permit gre any any log
    40 permit ahp any any log
    50 permit esp any any log (293889 matches)
    60 deny ip 0.0.0.0 0.255.255.255 any log
    70 deny ip 127.0.0.0 0.255.255.255 any log
    80 deny ip 10.0.0.0 0.255.255.255 any log
    90 deny ip 172.16.0.0 0.15.255.255 any log
    100 deny ip 192.168.0.0 0.0.255.255 any log
    110 deny ip 224.0.0.0 15.255.255.255 any log
    120 deny ip host 255.255.255.255 any log
    130 permit tcp any any eq smtp log (165780 matches)
    140 permit tcp any any eq pop3 log (8178 matches)
    150 permit tcp any any eq 443 log (19023 matches)
    170 deny icmp any any echo log (217 matches)
    180 deny icmp any any echo-reply log (25 matches)
    190 deny ip any any log (5801 matches)

I want to add an entry at:

WAN_IN
162 permit tcp any any eq 143 log
164 permit tcp any any eq 993 log
166 permit tcp any any eq 47 log

But after a fair amount of reading I am still unsure what the correct syntax is.

I am hopeful that once I have added these entries to the WAN_IN access-list group then the Cisco 877 will allow IMAP4 traffic to and from the Exchange Server 2003.

Any help would be greatly appreciated.

Thanks,

Lance

7 Replies

moshebendahan
Level 1

Hi,

This is the conf:

Extended IP access list WAN_IN
55 permit tcp any any eq 143 log
57 permit tcp any any eq 993 log
58 permit tcp any any eq 47 log

Thanks Moshe,

I'll give it a go and hopefully won't break the router. Would this syntax work as well:

ip access-list extended WAN_IN
55 permit tcp any any eq 143 log
57 permit tcp any any eq 993 log
58 permit tcp any any eq 47 log

Also, is there a quick way of clearing the changes to the running config without rebooting the router (assuming I haven't written them to memory)?

Regards,

Lance

Hi,

This is the good syntax in fact. As soon as the ACEs are entered they take effect so you don't need to clear anything for it to work.

Regards.

Alain.

Don't forget to rate helpful posts.

Yes, this is a good conf, and Alain is right: you don't need to reset the router.

Great, thanks.

I know that as soon as I type that syntax the new access-lists become active and form part of the running config. If I don't type the "write" command but leave it as it is, as I understand it, if the router is rebooted I lose these new entries?

This is good to know in case I mess up the router when I add these new entries.

What I wanted to know was: is there another way to clear the newly added ACLs without rebooting the router?

Lance

If you have entered these lines -

162 permit tcp any any eq 143 log
164 permit tcp any any eq 993 log
166 permit tcp any any eq 47 log

then to remove them without rebooting the router simply do -

ip access-list extended WAN_IN
 no 162
 no 164
 no 166

Jon

thanks Jon that is exactly what I wanted to know.

Thanks to Moshe and Alain too for your help.
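To see where Lance's three ACEs land relative to the anti-spoofing denies and the final deny ip any any, here is an added Python simulator (not from this thread and not a Cisco tool) that evaluates a named extended ACL in sequence-number order, first match wins, which is why entries 162-166 must sit before 190 for the new NAT forwards to do anything. It matches on source, protocol and destination port only, since every WAN_IN entry uses a destination of any; the 203.0.113.5 and 192.168.5.5 test sources are constructed, and the WAN_IN text is a representative subset of the entries quoted above.

```python
"""Added example, not from the thread: a first-match simulator for the WAN_IN
ACL quoted above, to check where new ACEs land before typing them in."""
import ipaddress

PORTS = {"smtp": 25, "pop3": 110, "isakmp": 500, "non500-isakmp": 4500}

def _addr(t, i):
    """Consume one IOS address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # "network wildcard": ipaddress accepts a host mask after the slash,
    mask = "32" if t[i + 1] == "0.0.0.0" else t[i + 1]  # but 0.0.0.0 would read as /0
    return ipaddress.IPv4Network(t[i] + "/" + mask), i + 2

def parse_ace(line):
    """Parse one 'show ip access-list' line (log/icmp-type keywords ignored)."""
    t = line.split()
    src, i = _addr(t, 3)
    _dst, i = _addr(t, i)  # destination is 'any' throughout WAN_IN; parsed only to advance i
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"seq": int(t[0]), "action": t[1], "proto": t[2], "src": src, "dport": dport}

def first_match(acl_text, src_ip, proto, dport=None):
    """Return (seq, action) of the first ACE hit, or (None, 'deny') for the implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    aces = sorted((parse_ace(l) for l in acl_text.splitlines() if l.strip()), key=lambda a: a["seq"])
    for a in aces:
        if a["proto"] in ("ip", proto) and ip in a["src"] and a["dport"] in (None, dport):
            return a["seq"], a["action"]
    return None, "deny"

# Representative subset of the WAN_IN entries shown in the thread (constructed subset).
WAN_IN = """\
10 permit udp any any eq isakmp
30 permit gre any any log
100 deny ip 192.168.0.0 0.0.255.255 any log
120 deny ip host 255.255.255.255 any log
150 permit tcp any any eq 443 log
170 deny icmp any any echo log
190 deny ip any any log"""
# The three ACEs Lance wants to add; 162-166 sort between 150 and 170.
NEW = "\n162 permit tcp any any eq 143 log\n164 permit tcp any any eq 993 log\n166 permit tcp any any eq 47 log"

if __name__ == "__main__":
    print(first_match(WAN_IN, "203.0.113.5", "tcp", 143))        # (190, 'deny') before the change
    print(first_match(WAN_IN + NEW, "203.0.113.5", "tcp", 143))  # (162, 'permit') after the change
```

A packet from an RFC 1918 source such as 192.168.5.5 still hits the anti-spoofing deny at 100 after the change, because it sorts ahead of 162. Note also that 47 in these ACEs is TCP port 47, not IP protocol 47 (GRE), which WAN_IN already permits at sequence 30.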
