06-19-2015 02:44 AM - edited 03-05-2019 01:41 AM
Hello fellow cisco users :)
I am having trouble getting port 587 open on my 887VA router. I am doing something with this router that is supposedly not quite its intended purpose, as I am running a WAN via an Ethernet port rather than ADSL or VDSL. As per plenty of googling, I am doing this by setting up a VLAN to do the PPPoE authentication and using the dialer interface to actually establish the connection. I have done the 'trickery' in CLI and the rest of the config has been done in the new CCP Express 3.1 GUI. This is mainly due to the fact that I don't know how to set up the firewall properly in CLI. I am getting better at CLI though, which I am proud of, as I was forced to in order to get this router working.
So in the Security page of CCPe I have setup the zones. Dialer1 is in the WAN zone and Vlan1 is in the LAN Zone.
Then on the Policy page I have setup all the applications I need in the LAN-WAN direction...
dns, icmp, ntp, snmp, time, http, https, smtp, imap, secure-imap, pop3, secure-pop3, submission (587), and more...
The key here, as I understand it, is that if you have these 'applications' listed in your outbound direction and marked as allow, this traffic is allowed to pass out of the network?!?! Yes???
Source and Destination networks are set to 'Any', Source and Destination ports are set to 'Any'.
I've even tried creating a policy that opens just port 587 and is set to use 'Any' network and 'Any' application. Still no good...
Below is my config. Can anyone help please?
Building configuration...
Current configuration : 12924 bytes
!
! Last configuration change at 19:36:52 GMT Fri Jun 19 2015 by jaykay
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 10 0
!
crypto pki trustpoint TP-self-signed-49562814
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-49562814
revocation-check none
rsakeypair TP-self-signed-49562814
!
!
crypto pki certificate chain TP-self-signed-49562814
certificate self-signed 01
quit
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.10.0 192.168.10.20
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool ccp-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.2 203.12.160.35 203.12.160.36
lease 0 2
!
ip dhcp pool guest-pool
import all
network 10.0.0.0 255.255.255.0
dns-server 203.12.160.35 203.12.160.36
default-router 10.0.0.1
!
!
!
ip domain name innovative.local
ip name-server 192.168.10.2
ip name-server 203.12.160.35
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-K9 sn FGL183224BR
!
!
object-group network 587_dst_net
any
!
object-group network 587_src_net
any
!
object-group service 587_svc
tcp source eq 587 eq 587
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network aa_dst_net
host 192.168.10.2
!
object-group network aa_src_net
any
!
object-group service aa_svc
ip
!
object-group network apple_dst_net
any
!
object-group network apple_src_net
any
!
object-group service apple_svc
ip
!
object-group network business_dst_net
any
!
object-group network business_src_net
any
!
object-group service business_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.10.0 255.255.255.0
!
object-group network lync_dst_net
any
!
object-group network lync_src_net
any
!
object-group service lync_svc
ip
!
object-group network mail_dst_net
any
!
object-group network mail_src_net
any
!
object-group service mail_svc
ip
!
object-group network network_dst_net
any
!
object-group network network_src_net
any
!
object-group service network_svc
ip
!
object-group network others_dst_net
any
!
object-group network others_src_net
any
!
object-group service others_svc
ip
!
object-group network vpn_remote_subnets
any
!
object-group network web_dst_net
any
!
object-group network web_src_net
any
!
object-group service web_svc
ip
!
username xxxxx privilege 15 secret 5 xxxxx
!
!
!
!
!
controller VDSL 0
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any lync_app
match protocol ms-lync
match protocol ms-lync-audio
match protocol ms-lync-video
class-map type inspect match-any others_app
match protocol https
match protocol imap
match protocol dns
match protocol icmp
match protocol secure-imap
match protocol submission
match protocol snmp
match protocol snmptrap
match protocol smtp
match protocol outlook-web-service
match protocol exchange
match protocol ntp
match protocol time
class-map type inspect match-any mail_app
match protocol smtp
match protocol imap
match protocol secure-imap
match protocol pop3
match protocol secure-pop3
match protocol submission
class-map type inspect match-any business_app
match protocol activesync
match protocol ms-office-365
match protocol ms-office-web-apps
match protocol share-point
class-map type inspect match-all 587
class-map type inspect match-any aa_app
match protocol http
match protocol https
class-map type inspect match-any network_app
match protocol dns
match protocol icmp
match protocol ntp
match protocol snmp
match protocol time
class-map type inspect match-any web_app
match protocol http
match protocol https
class-map type inspect match-any apple_app
match protocol facetime
class-map type inspect match-all aa
description Anywhere Access
match access-group name aa_acl
match class-map aa_app
class-map type inspect match-all business
match access-group name business_acl
match class-map business_app
class-map type inspect match-all mail
match access-group name mail_acl
match class-map mail_app
class-map type inspect match-all others
match access-group name others_acl
match class-map others_app
class-map type inspect match-all lync
match access-group name lync_acl
match class-map lync_app
class-map type inspect match-all apple
match access-group name apple_acl
match class-map apple_app
class-map type inspect match-all web
match access-group name web_acl
match class-map web_app
class-map type inspect match-all network
match access-group name network_acl
match class-map network_app
!
policy-map type inspect LAN-WAN-POLICY
class type inspect 587
inspect
class type inspect network
inspect
class type inspect web
inspect
class type inspect mail
inspect
class type inspect business
inspect
class type inspect lync
inspect
class type inspect apple
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect WAN-LAN-POLICY
class type inspect aa
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Work-LAN
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1452
load-interval 30
!
interface Vlan2
description PrimaryWANDesc_
ip address dhcp
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan3
description Guest-LAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description PrimaryWANDesc__Vlan2
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap password 0 151481inn
ppp pap sent-username xxxxx password 0 xxxxx
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.10.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.2 80 interface Dialer1 80
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended aa_acl
permit object-group aa_svc object-group aa_src_net object-group aa_dst_net
ip access-list extended apple_acl
permit object-group apple_svc object-group apple_src_net object-group apple_dst_net
ip access-list extended business_acl
permit object-group business_svc object-group business_src_net object-group business_dst_net
ip access-list extended lync_acl
permit object-group lync_svc object-group lync_src_net object-group lync_dst_net
ip access-list extended mail_acl
permit object-group mail_svc object-group mail_src_net object-group mail_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended network_acl
permit object-group network_svc object-group network_src_net object-group network_dst_net
ip access-list extended others_acl
permit object-group others_svc object-group others_src_net object-group others_dst_net
ip access-list extended web_acl
permit object-group web_svc object-group web_src_net object-group web_dst_net
!
dialer-list 1 protocol ip permit
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login authentication local_access
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
06-22-2015 07:24 AM
Jeremy,
Reading configs created by CCP is a punishment in itself... :)
If I could make sense out of your configuration properly, your LAN-to-WAN-bound traffic is inspected by the LAN-WAN-POLICY policy-map. This policy-map refers to a class-map called 587 which, however, is empty and contains no specification on how to recognize the traffic for the port 587. That is most probably why this traffic is not properly recognized.
I suggest the most simple approach that works, and that is creating an ACL that identifies all traffic going to a destination TCP port 587, and referring to that ACL in the class-map, so:
ip access-list extended SMTPS
 permit tcp any any eq 587
!
class-map type inspect 587
 match access-group name SMTPS
Try entering these commands in your CLI in the configure terminal mode. Hopefully, this will do the trick if everything else works for you.
Best regards,
Peter
06-22-2015 03:11 PM
Hi Peter, thanks for your help...
I have just tidied up the configuration as I noticed a few other anomalies due to the GUI leaving some things behind that should have been deleted.
This is my new config... please check it and let me know if it's still correct.
I still cannot get port 587 open to send emails from certain software (Server 2012 R2 Essentials Dashboard in this instance)
Building configuration...
Current configuration : 12371 bytes
!
! Last configuration change at 07:58:39 GMT Tue Jun 23 2015 by jaykay
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 10 0
!
crypto pki trustpoint TP-self-signed-49562814
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-49562814
revocation-check none
rsakeypair TP-self-signed-49562814
!
!
crypto pki certificate chain TP-self-signed-49562814
certificate self-signed 01
quit
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.10.0 192.168.10.20
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool ccp-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.2 203.12.160.35 203.12.160.36
!
ip dhcp pool guest-pool
import all
network 10.0.0.0 255.255.255.0
dns-server 203.12.160.35 203.12.160.36
default-router 10.0.0.1
!
!
!
ip domain name innovative.local
ip name-server 192.168.10.2
ip name-server 203.12.160.35
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-K9 sn FGL183224BR
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network aa_dst_net
host 192.168.10.2
!
object-group network aa_src_net
any
!
object-group service aa_svc
ip
!
object-group network apple_dst_net
any
!
object-group network apple_src_net
any
!
object-group service apple_svc
ip
!
object-group network business_dst_net
any
!
object-group network business_src_net
any
!
object-group service business_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.10.0 255.255.255.0
!
object-group network lync_dst_net
any
!
object-group network lync_src_net
any
!
object-group service lync_svc
ip
!
object-group network mail_dst_net
any
!
object-group network mail_src_net
any
!
object-group service mail_svc
ip
!
object-group network network_dst_net
any
!
object-group network network_src_net
any
!
object-group service network_svc
ip
!
object-group network smtps_dst_net
any
!
object-group network smtps_src_net
any
!
object-group service smtps_svc
tcp source eq 587 eq 587
!
object-group network vpn_remote_subnets
any
!
object-group network web_dst_net
any
!
object-group network web_src_net
any
!
object-group service web_svc
ip
!
username xxxxx privilege 15 secret 5 xxxxx
!
!
!
!
!
controller VDSL 0
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any lync_app
match protocol ms-lync
match protocol ms-lync-audio
match protocol ms-lync-video
class-map type inspect match-any mail_app
match protocol smtp
match protocol imap
match protocol secure-imap
match protocol pop3
match protocol secure-pop3
match protocol submission
class-map type inspect match-any business_app
match protocol activesync
match protocol ms-office-365
match protocol ms-office-web-apps
match protocol share-point
class-map type inspect match-any aa_app
match protocol http
match protocol https
class-map type inspect match-any network_app
match protocol dns
match protocol icmp
match protocol ntp
match protocol snmp
match protocol time
class-map type inspect match-any web_app
match protocol http
match protocol https
class-map type inspect match-any apple_app
match protocol facetime
class-map type inspect match-all smtps
match access-group name smtps_acl
class-map type inspect match-all aa
description Anywhere Access
match access-group name aa_acl
match class-map aa_app
class-map type inspect match-all business
match access-group name business_acl
match class-map business_app
class-map type inspect match-all mail
match access-group name mail_acl
match class-map mail_app
class-map type inspect match-all lync
match access-group name lync_acl
match class-map lync_app
class-map type inspect match-all apple
match access-group name apple_acl
match class-map apple_app
class-map type inspect match-all web
match access-group name web_acl
match class-map web_app
class-map type inspect match-all network
match access-group name network_acl
match class-map network_app
!
policy-map type inspect LAN-WAN-POLICY
class type inspect smtps
inspect
class type inspect network
inspect
class type inspect web
inspect
class type inspect mail
inspect
class type inspect business
inspect
class type inspect lync
inspect
class type inspect apple
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
policy-map type inspect WAN-LAN-POLICY
class type inspect aa
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Work-LAN
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1452
load-interval 30
!
interface Vlan2
description PrimaryWANDesc_
ip address dhcp
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan3
description Guest-LAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
description PrimaryWANDesc__Vlan2
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap password 0 151481inn
ppp pap sent-username xxxxx password 0 xxxxx
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.10.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.2 80 interface Dialer1 80
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended aa_acl
permit object-group aa_svc object-group aa_src_net object-group aa_dst_net
ip access-list extended apple_acl
permit object-group apple_svc object-group apple_src_net object-group apple_dst_net
ip access-list extended business_acl
permit object-group business_svc object-group business_src_net object-group business_dst_net
ip access-list extended lync_acl
permit object-group lync_svc object-group lync_src_net object-group lync_dst_net
ip access-list extended mail_acl
permit object-group mail_svc object-group mail_src_net object-group mail_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended network_acl
permit object-group network_svc object-group network_src_net object-group network_dst_net
ip access-list extended smtps_acl
permit object-group smtps_svc object-group smtps_src_net object-group smtps_dst_net
ip access-list extended web_acl
permit object-group web_svc object-group web_src_net object-group web_dst_net
!
dialer-list 1 protocol ip permit
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login authentication local_access
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
06-23-2015 03:26 AM
Hi Jeremy,
I believe your object-group smtps_svc is wrong. Currently, it reads:
object-group service smtps_svc
 tcp source eq 587 eq 587
However, this forces it to check the source port and expect it to be 587. Clearly, this cannot be the case for TCP clients of the SMTPS service; only servers reside at port 587. It should be instead:
object-group service smtps_svc
 tcp eq 587
I am not sure if this is the CCP way of creating the configuration - I suppose it is. I have to say that the way the configuration is structured is an exercise in complicating the obvious. The ACL that would describe the SMTPS traffic could have been a single-line issue. Here, it refers to three separate object-groups that themselves are just one-entry long, not even to mention the repetitive object-groups of different names that are equivalent as they contain a single descriptor: "any". I am not sure this helps things.
Best regards,
Peter
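Peter's two replies come down to how IOS matches ports: an empty match-all class-map recognises nothing, `tcp source eq 587 eq 587` demands that the client's source port also be 587, and only `tcp eq 587` describes a client talking to a submission server. The following is an added Python model written for this thread, not IOS code and not anything Peter or Jeremy posted; it assumes the IOS reading that a bare `eq <port>` is the destination port and `source eq <port>` the source port, and it walks one constructed client flow through the three versions of the 587 class in LAN-WAN-POLICY.

```python
"""Toy model of the port-matching part of the thread's LAN-WAN-POLICY.

Added illustration for this thread; not Cisco IOS code. It models only the
object-group service / extended ACL / match-all class-map semantics that the
two replies turn on. NBAR 'match protocol' classes are left out on purpose,
because the thread does not establish why 'submission' failed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow seen from the LAN side (constructed sample input)."""
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


def parse_service_entry(entry: str):
    """Parse one 'object-group service' line into (proto, src_port, dst_port).

    A port of None means 'any'. Forms taken from the thread:
      ip                        -> any protocol, any ports
      tcp eq 587                -> tcp, DESTINATION port 587
      tcp source eq 587 eq 587  -> tcp, source port 587 AND destination port 587
    Assumed IOS semantics: the bare 'eq <port>' after the protocol is the
    destination port; only 'source eq <port>' constrains the client side.
    """
    tokens = entry.split()
    proto, src, dst = tokens[0], None, None
    i = 1
    while i < len(tokens):
        if tokens[i] == "source" and tokens[i + 1] == "eq":
            src, i = int(tokens[i + 2]), i + 3
        elif tokens[i] == "eq":
            dst, i = int(tokens[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported service entry: {entry!r}")
    return proto, src, dst


def service_matches(entry: str, flow: Flow) -> bool:
    """Does one service entry permit this flow?"""
    proto, src, dst = parse_service_entry(entry)
    if proto != "ip" and proto != flow.proto:
        return False
    if src is not None and flow.src_port != src:
        return False
    return dst is None or flow.dst_port == dst


def class_matches(match_entries, flow: Flow) -> bool:
    """'class-map type inspect match-all': every criterion must hit.

    The first config had 'class-map type inspect match-all 587' with no match
    statement at all; following Peter's reading, a class with no criteria
    recognises nothing, so it is treated here as never matching.
    """
    return bool(match_entries) and all(service_matches(e, flow) for e in match_entries)


def classify(policy, flow: Flow):
    """Walk the policy-map in order; first matching class wins, otherwise
    class-default, which is 'drop log' in LAN-WAN-POLICY."""
    for name, entries, action in policy:
        if class_matches(entries, flow):
            return name, action
    return "class-default", "drop log"


# A mail client connecting to a submission server: ephemeral source port,
# destination port 587 (constructed sample flow).
CLIENT_TO_587 = Flow("tcp", 51234, 587)

# The three versions of the 587 class from the thread, reduced to that class.
POLICY_EMPTY_CLASS = [("587", [], "inspect")]                              # first config
POLICY_SOURCE_PORT = [("smtps", ["tcp source eq 587 eq 587"], "inspect")]  # second config
POLICY_FIXED = [("smtps", ["tcp eq 587"], "inspect")]                      # Peter's fix


if __name__ == "__main__":
    for label, policy in (("empty class-map", POLICY_EMPTY_CLASS),
                          ("source eq 587", POLICY_SOURCE_PORT),
                          ("tcp eq 587", POLICY_FIXED)):
        print(f"{label:16} -> {classify(policy, CLIENT_TO_587)}")
```

Only the corrected entry sends the client flow to the inspect action; the other two fall through to class-default and are dropped and logged, which is the symptom Jeremy saw.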
06-23-2015 03:46 AM
Thank you so much!
this has worked...
OK, so tell me this...
The firewall application 'submission' is meant to be for Secure SMTP. Why would this not have worked in my configuration?
I shouldn't have even needed the entry for SMTPS... correct?
06-23-2015 11:42 AM
Hi Jeremy,
I am glad this worked.
The firewall application 'submission' is meant to be for Secure SMTP. Why would this not have worked in my configuration?
I honestly do not know. Many of these protocols recognized by the IOS engine are hardcoded into IOS and may have their limitations. For some other protocols, additional protocol definition files need to be installed into the router's IOS (so-called PDLM files).
I shouldn't have even needed the entry for SMTPS... correct?
If the match protocol submission worked as expected we would truly not need the entry for SMTPS. Nonetheless, there is no need to get exceedingly worried about this - specifying the protocol by ports is more efficient than letting the router ponder over its type using some complex internal classification machine.
Best regards,
Peter