01-16-2011 05:50 AM - edited 03-04-2019 11:06 AM
Hi all,
I have inherited a Cisco 877 router and have never worked on one before so am still very green with the Cisco IOS. I need to open ports 143 and 993 for IMAP4 so that users can sync their Smart Phones (Android, iPhone, iPads) with the Exchange Server 2003. With every other router/firewall I have worked on (Juniper, Watchguard, Netcomm, Netgear etc) all I have needed to do was to open these ports and direct them to the Exchange server.
Below is the current config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname border-xxxxx-router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
!
aaa new-model
!
!
aaa authentication login AUTH_MAIN local
aaa authentication login AUTH_VPN group radius local
aaa authorization exec default none
aaa authorization network AUTHO_VPN local
!
aaa session-id common
clock timezone AEST 10
!
!
dot11 syslog
ip cef
!
!
!
!
ip domain name xxxxx.com.au
ip inspect name WAN_OUT http
ip inspect name WAN_OUT https
ip inspect name WAN_OUT smtp
ip inspect name WAN_OUT ssh
ip inspect name WAN_OUT tcp
ip inspect name WAN_OUT udp
ip inspect name WAN_OUT ftp
ip inspect name WAN_OUT ftps
ip inspect name WAN_OUT dns
ip inspect name WAN_OUT dnsix
ip inspect name WAN_OUT imap
ip inspect name WAN_OUT imap3
ip inspect name WAN_OUT imaps
ip inspect name WAN_OUT ipass
ip inspect name WAN_OUT ldap
ip inspect name WAN_OUT ldap-admin
ip inspect name WAN_OUT ldaps
ip inspect name WAN_OUT isakmp
ip inspect name WAN_OUT kerberos
ip inspect name WAN_OUT pop3
ip inspect name WAN_OUT mysql
ip inspect name WAN_OUT ntp
ip inspect name WAN_OUT snmp
ip inspect name WAN_OUT telnet
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 5
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxx
key xxxxxxxx
dns 192.168.0.1 4.2.2.2
pool ippool
acl 101
max-users 25
max-logins 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list AUTH_VPN
crypto map clientmap isakmp authorization list AUTHO_VPN
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 300
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode itu-dmt
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
switchport access vlan 100
!
interface FastEthernet2
switchport access vlan 100
!
interface FastEthernet3
switchport access vlan 100
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 192.168.0.254 255.255.255.0
ip access-group LAN_IN in
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip access-group WAN_IN in
ip access-group WAN_OUT out
ip mtu 1452
ip nat outside
ip inspect WAN_OUT out
no ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer watch-group 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxx@xxxx.xxx.xx
ppp chap password 7 xxxxxxxxxxxxxxxx
ppp pap sent-username xxxx@xxxx.xxx.xx password 7 xxxxxxxxxxxxxxxx
crypto map clientmap
!
ip local pool ippool 192.168.100.50 192.168.100.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat source list NAT interface Dialer1 overload
ip nat inside source static tcp 192.168.0.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.1 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.1 993 interface Dialer1 993 <--- added
ip nat inside source static tcp 192.168.0.1 143 interface Dialer1 143 <--- added
ip nat inside source static tcp 192.168.0.1 47 interface Dialer1 47 <--- added
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended LAN_IN
permit tcp host 192.168.0.1 any eq smtp log
deny tcp any any eq smtp log
remark Deny spoofing
permit ip 192.168.0.0 0.0.0.255 any log
deny ip any any log
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
deny ip any any
ip access-list extended WAN_IN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit gre any any log
permit ahp any any log
permit esp any any log
remark Deny Spoofing
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip host 255.255.255.255 any log
permit tcp any any eq smtp log
permit tcp any any eq pop3 log
permit tcp any any eq 443 log
deny icmp any any echo log
deny icmp any any echo-reply log
deny ip any any log
!
ip radius source-interface Vlan100
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
snmp-server trap-source Dialer1
!
!
!
route-map NAT permit 10
match ip address NAT
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 01270532484A3733681F745F5051580B
!
control-plane
!
line con 0
login authentication AUTH_MAIN
no modem enable
line aux 0
login authentication AUTH_MAIN
line vty 0 4
login authentication AUTH_MAIN
transport input ssh
!
scheduler max-task-time 5000
end
I have added the following lines:
ip nat inside source static tcp 192.168.0.1 993 interface Dialer1 993
ip nat inside source static tcp 192.168.0.1 143 interface Dialer1 143
ip nat inside source static tcp 192.168.0.1 47 interface Dialer1 47
where 192.168.0.1 is the Exchange server. I need to add the corresponding access-list entries. Currently the access-lists look like this:
Extended IP access list 101
10 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
Extended IP access list LAN_IN
10 permit tcp host 192.168.0.1 any eq smtp log (120076 matches)
20 deny tcp any any eq smtp log
30 permit ip 192.168.0.0 0.0.0.255 any log (2549755 matches)
40 deny ip any any log (84 matches)
Extended IP access list NAT
10 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 (857310 matches)
20 permit ip 192.168.0.0 0.0.0.255 any (66264 matches)
30 deny ip any any (27101 matches)
Extended IP access list WAN_IN
10 permit udp any any eq isakmp (1323 matches)
20 permit udp any any eq non500-isakmp (595312 matches)
30 permit gre any any log
40 permit ahp any any log
50 permit esp any any log (293889 matches)
60 deny ip 0.0.0.0 0.255.255.255 any log
70 deny ip 127.0.0.0 0.255.255.255 any log
80 deny ip 10.0.0.0 0.255.255.255 any log
90 deny ip 172.16.0.0 0.15.255.255 any log
100 deny ip 192.168.0.0 0.0.255.255 any log
110 deny ip 224.0.0.0 15.255.255.255 any log
120 deny ip host 255.255.255.255 any log
130 permit tcp any any eq smtp log (165780 matches)
140 permit tcp any any eq pop3 log (8178 matches)
150 permit tcp any any eq 443 log (19023 matches)
170 deny icmp any any echo log (217 matches)
180 deny icmp any any echo-reply log (25 matches)
190 deny ip any any log (5801 matches)
I want to add an entry at:
WAN_IN
162 permit tcp any any eq 143 log
164 permit tcp any any eq 993 log
166 permit tcp any any eq 47 log
But after a fair amount of reading I am still unsure what the correct syntax is.
I am hopeful that once I have added these entries to the WAN_IN access-list the Cisco 877 will allow IMAP4 traffic to and from the Exchange Server 2003.
Any help would be greatly appreciated.
Thanks,
Lance
01-16-2011 06:29 AM
Hi,
This is the conf:
Extended IP access list WAN_IN
55 permit tcp any any eq 143 log
57 permit tcp any any eq 993 log
58 permit tcp any any eq 47 log
01-17-2011 03:40 AM
Thanks Moshe,
I'll give it a go and hopefully won't break the router. Would this syntax work as well:
ip access-list extended WAN_IN
55 permit tcp any any eq 143 log
57 permit tcp any any eq 993 log
58 permit tcp any any eq 47 log
Also, is there a quick way of clearing the changes to the running config without rebooting the router (assuming I haven't written them to memory)?
Regards,
Lance
01-17-2011 03:45 AM
Hi,
This is the good syntax in fact. As soon as the ACEs are entered they take effect so you don't need to clear anything for it to work.
Regards.
Alain.
01-17-2011 04:22 AM
Yes, this is a good conf, and Alain is right: you don't need to reset the router.
01-17-2011 04:44 AM
Great, thanks.
I know that as soon as I type that syntax the new access-list entries become active and form part of the running config. If I don't type the "write" command but leave it as it is, as I understand it, if the router is rebooted I lose these new entries?
This is good to know in case I mess up the router when I add these new entries.
What I wanted to know is whether there is another way to clear the newly added ACL entries without rebooting the router?
01-17-2011 05:19 AM
Lance
If you have entered these lines -
162 permit tcp any any eq 143 log
164 permit tcp any any eq 993 log
166 permit tcp any any eq 47 log
then to remove them without rebooting the router simply do -
ip access-list extended WAN_IN
no 162
no 164
no 166
Jon
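Putting the answers in this thread together, below is an added example (not posted by Lance, Moshe, Alain or Jon) of the complete change on the 877: the static NAT entries that are already in the running config, the WAN_IN entries inserted by sequence number, the show commands that confirm traffic is hitting them, and the rollback Jon describes. The interface, ACL and host names are taken from the config posted above; the sequence numbers 160 and 165 are an assumption chosen to fall between the existing 150 and 170 entries. Two points a practitioner would want to check: an inbound ACL on Dialer1 is evaluated before the static NAT translation, so the destination in these entries has to match the public (negotiated) address, which is why it is `any` rather than `host 192.168.0.1`; and TCP port 47 is not part of IMAP (GRE, IP protocol 47, is already permitted by `permit gre any any log`), so the example leaves it out, and the plaintext 143 entry can be left out as well if all the phones use IMAPS on 993.

```cisco
! Added example, not from the original posters.
! Dialer1, WAN_IN and 192.168.0.1 come from the config above;
! sequence numbers 160 and 165 are assumed free slots.
configure terminal
!
! Static PAT: public_ip:993 -> Exchange:993 (these two lines already exist
! in the posted running config; shown here for completeness)
ip nat inside source static tcp 192.168.0.1 993 interface Dialer1 993
ip nat inside source static tcp 192.168.0.1 143 interface Dialer1 143
!
! Insert the new entries into the existing named ACL by sequence number so
! they land after the anti-spoofing denies and before "190 deny ip any any".
! Destination is "any": the inbound ACL sees the public address, not 192.168.0.1.
ip access-list extended WAN_IN
 160 permit tcp any any eq 993 log
 165 permit tcp any any eq 143 log
 exit
end
!
! Verify: the match counters on 160/165 should climb once a phone syncs,
! and the translation table should show the 993 mapping being used.
show ip access-lists WAN_IN
show ip nat translations | include 993
!
! Roll back the two entries without a reload. Only the running config is
! changed; nothing is saved until "copy running-config startup-config".
configure terminal
ip access-list extended WAN_IN
 no 160
 no 165
 exit
end
```

The entries take effect the moment they are typed, as Alain says, so the `show ip access-lists WAN_IN` counters are the quickest way to tell whether the phones are reaching the router at all, and `debug ip nat` is not needed for a simple port-forward check. Once the change is confirmed working, save it with `copy running-config startup-config`; until then a reload would discard it.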
01-17-2011 05:44 AM
Thanks Jon, that is exactly what I wanted to know.
Thanks to Moshe and Alain too for your help.