cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
2118
Views
0
Helpful
5
Replies
Highlighted
Beginner

Cant get port 587 open to send email...

Hello fellow cisco users :)

I am having trouble getting port 587 open on my 887VA router. I am doing something with this router that is supposedly not quite what its intended purpose is, but I am running a WAN via an Ethernet port rather than ADAL or VDSL. as per plenty of googleing I am doing this buy setting up a vlan to do the PPPOE authentication and use the dialer interface to actually establish the connection. I have don't the 'trickery' in CLI and the rest of the config has been done in the new CCP Express 3.1 GUI. this is mainly due to the fact I don't know how to setup the firewall properly in CLI. I am getting better at CLI though which I am proud of as I was forced to to get this router working.

So in the Security page of CCPe I have setup the zones. Dialer1 is in the WAN zone and Vlan1 is in the LAN Zone.

Then on the Policy page I have setup all the applications I need in the LAN-WAN direction...

dns, icmp, ntp, snmp, time, http, https, smtp, imap, secure-imap, pop3, secure-pop3, submission (587), and more...

The key here that I understand is that if you have these 'applications' listed in your outbound direction and marked as allow, this traffic is allowed to pass out of the network?!?! yes???

Source and Destination networks are set to 'Any', Source and Destination ports are set to 'Any'.

I've even tried creating a policy that open just port 587 and is set to use 'Any' Network and 'Any' Application. Still no good...

Below is my config. Can anyone help please?

Building configuration...

Current configuration : 12924 bytes
!
! Last configuration change at 19:36:52 GMT Fri Jun 19 2015 by jaykay
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 10 0
!
crypto pki trustpoint TP-self-signed-49562814
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-49562814
 revocation-check none
 rsakeypair TP-self-signed-49562814
!
!
crypto pki certificate chain TP-self-signed-49562814
 certificate self-signed 01
  30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34393536 32383134 301E170D 31353036 31323132 34353536
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343935 36323831
  3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81009B80
  06D0CFAC 68A64095 51342877 EBA2041C BC634BD7 3E754101 C292C97D 3C3F76C1
  9F8ED2E4 73478F16 3DA835DA 51929229 33209159 D84096A7 A5A9E97F BDE21454
  D44241C3 F7DE621E EC00F4DB 79C4FBA1 C5E67EE4 09BFCCBD C3151EBA 455838A1
  F9CD51B5 74ED9066 5FD4BB5D 5B6FA0A0 F6636F19 3C71623E BBDE43C3 9F9B0203
  010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
  18301680 14D97F11 952F031B 283CC2DF 7DEEECA5 B899BFFF 92301D06 03551D0E
  04160414 D97F1195 2F031B28 3CC2DF7D EEECA5B8 99BFFF92 300D0609 2A864886
  F70D0101 05050003 81810088 9F7AF9C4 4EE2BA1A AA5DC07B 2C630ADE C9246E68
  B3C12A40 DF06E433 5B415763 29A836A1 4412F76F 97EDD219 BC88C524 74E4243D
  7E4A7A5F F0C53BCD 9A234516 9597548E 462FB01D E4DD8480 3D049B86 D65CEA36
  065C8C4D 8FA9B35B D8F2F03C 3CEA5645 77C1D637 A1C738D4 C70931DB FA173D60
  FA3FCB7D 765F41D2 9767C7
   quit
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.10.0 192.168.10.20
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool ccp-pool
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.2 203.12.160.35 203.12.160.36
 lease 0 2
!
ip dhcp pool guest-pool
 import all
 network 10.0.0.0 255.255.255.0
 dns-server 203.12.160.35 203.12.160.36
 default-router 10.0.0.1
!
!
!
ip domain name innovative.local
ip name-server 192.168.10.2
ip name-server 203.12.160.35
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-K9 sn FGL183224BR
!
!
object-group network 587_dst_net
 any
!
object-group network 587_src_net
 any
!
object-group service 587_svc
 tcp source eq 587 eq 587
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network aa_dst_net
 host 192.168.10.2
!
object-group network aa_src_net
 any
!
object-group service aa_svc
 ip
!
object-group network apple_dst_net
 any
!
object-group network apple_src_net
 any
!
object-group service apple_svc
 ip
!
object-group network business_dst_net
 any
!
object-group network business_src_net
 any
!
object-group service business_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 192.168.10.0 255.255.255.0
!
object-group network lync_dst_net
 any
!
object-group network lync_src_net
 any
!
object-group service lync_svc
 ip
!
object-group network mail_dst_net
 any
!
object-group network mail_src_net
 any
!
object-group service mail_svc
 ip
!
object-group network network_dst_net
 any
!
object-group network network_src_net
 any
!
object-group service network_svc
 ip
!
object-group network others_dst_net
 any
!
object-group network others_src_net
 any
!
object-group service others_svc
 ip
!
object-group network vpn_remote_subnets
 any
!
object-group network web_dst_net
 any
!
object-group network web_src_net
 any
!
object-group service web_svc
 ip
!
username xxxxx privilege 15 secret 5 xxxxx
!
!
!
!
!
controller VDSL 0
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any lync_app
 match protocol ms-lync
 match protocol ms-lync-audio
 match protocol ms-lync-video
class-map type inspect match-any others_app
 match protocol https
 match protocol imap
 match protocol dns
 match protocol icmp
 match protocol secure-imap
 match protocol submission
 match protocol snmp
 match protocol snmptrap
 match protocol smtp
 match protocol outlook-web-service
 match protocol exchange
 match protocol ntp
 match protocol time
class-map type inspect match-any mail_app
 match protocol smtp
 match protocol imap
 match protocol secure-imap
 match protocol pop3
 match protocol secure-pop3
 match protocol submission
class-map type inspect match-any business_app
 match protocol activesync
 match protocol ms-office-365
 match protocol ms-office-web-apps
 match protocol share-point
class-map type inspect match-all 587
class-map type inspect match-any aa_app
 match protocol http
 match protocol https
class-map type inspect match-any network_app
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol snmp
 match protocol time
class-map type inspect match-any web_app
 match protocol http
 match protocol https
class-map type inspect match-any apple_app
 match protocol facetime
class-map type inspect match-all aa
  description Anywhere Access
 match access-group name aa_acl
 match class-map aa_app
class-map type inspect match-all business
 match access-group name business_acl
 match class-map business_app
class-map type inspect match-all mail
 match access-group name mail_acl
 match class-map mail_app
class-map type inspect match-all others
 match access-group name others_acl
 match class-map others_app
class-map type inspect match-all lync
 match access-group name lync_acl
 match class-map lync_app
class-map type inspect match-all apple
 match access-group name apple_acl
 match class-map apple_app
class-map type inspect match-all web
 match access-group name web_acl
 match class-map web_app
class-map type inspect match-all network
 match access-group name network_acl
 match class-map network_app
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect 587
  inspect
 class type inspect network
  inspect
 class type inspect web
  inspect
 class type inspect mail
  inspect
 class type inspect business
  inspect
 class type inspect lync
  inspect
 class type inspect apple
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
policy-map type inspect WAN-LAN-POLICY
 class type inspect aa
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description Work-LAN
 ip address 192.168.10.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Vlan2
 description PrimaryWANDesc_
 ip address dhcp
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan3
 description Guest-LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description PrimaryWANDesc__Vlan2
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap password 0 151481inn
 ppp pap sent-username xxxxx password 0 xxxxx
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.10.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.2 80 interface Dialer1 80
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended aa_acl
 permit object-group aa_svc object-group aa_src_net object-group aa_dst_net
ip access-list extended apple_acl
 permit object-group apple_svc object-group apple_src_net object-group apple_dst_net
ip access-list extended business_acl
 permit object-group business_svc object-group business_src_net object-group business_dst_net
ip access-list extended lync_acl
 permit object-group lync_svc object-group lync_src_net object-group lync_dst_net
ip access-list extended mail_acl
 permit object-group mail_svc object-group mail_src_net object-group mail_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended network_acl
 permit object-group network_svc object-group network_src_net object-group network_dst_net
ip access-list extended others_acl
 permit object-group others_svc object-group others_src_net object-group others_dst_net
ip access-list extended web_acl
 permit object-group web_svc object-group web_src_net object-group web_dst_net
!
dialer-list 1 protocol ip permit
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you
want to use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
 
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE 
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
 
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login authentication local_access
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_access
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

UC540 system with 8.6.2 Software Pack
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Cisco Employee

Hi Jeremy,

I believe your object-group smtps_svc is wrong. Currently, it reads:

object-group service smtps_svc
 tcp source eq 587 eq 587

However, this forces it to check the source port and expect it to be 587. Clearly, this cannot be the case for TCP clients of the SMTPS service; only servers reside at port 587. It should be instead:

object-group service smtps_svc
 tcp eq 587

I am not sure if this is the CCP way of creating the configuration - I suppose it is. I have to say that the way the configuration is structured is an exercise in complicating the obvious. The ACL that would describe the SMTPS traffic could have been a single-line issue. Here, it refers to three separate object-groups that themselves are just one-entry long, not even to mention the repetitive object-groups of different names that are equivalent as they contain a single descriptor: "any". I am not sure this helps things.

Best regards,
Peter

View solution in original post

5 REPLIES 5
Highlighted
Hall of Fame Cisco Employee

Jeremy,

Reading configs created by CCP is a punishment in itself... :)

If I could make sense out of your configuration properly, your LAN-to-WAN-bound traffic is inspected by the LAN-WAN-POLICY policy-map. This policy-map refers to a class-map called 587 which, however, is empty and contains no specification on how to recognize the traffic for the port 587. That is most probably why this traffic is not properly recognized.

I suggest the most simple approach that works, and that is creating an ACL that identifies all traffic going to a destination TCP port 587, and referring to that ACL in the class-map, so:

ip access-list extended SMTPS
 permit tcp any any eq 587
!
class-map type inspect 587
 match access-group name SMTPS

Try entering these commands in your CLI in the configure terminal mode. Hopefully, this will do the trick if everything else works for you.

Best regards,
Peter

 

Highlighted

hi peter, thanks for your help...

I have just tidied up the configuration as I noticed a few other anomalies due to the GUI leaving some things behind that should have bee deleted.

this is my new config...please check it and let me know its correct still.

I still cannot get port 587 open to send emails from certain software (Server 2012 R2 Essentials Dashboard in this instance)

 

Building configuration...

Current configuration : 12371 bytes
!
! Last configuration change at 07:58:39 GMT Tue Jun 23 2015 by jaykay
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT 10 0
!
crypto pki trustpoint TP-self-signed-49562814
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-49562814
 revocation-check none
 rsakeypair TP-self-signed-49562814
!
!
crypto pki certificate chain TP-self-signed-49562814
 certificate self-signed 01
  30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34393536 32383134 301E170D 31353036 31323132 34353536
  5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
  2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D343935 36323831
  3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81009B80
  06D0CFAC 68A64095 51342877 EBA2041C BC634BD7 3E754101 C292C97D 3C3F76C1
  9F8ED2E4 73478F16 3DA835DA 51929229 33209159 D84096A7 A5A9E97F BDE21454
  D44241C3 F7DE621E EC00F4DB 79C4FBA1 C5E67EE4 09BFCCBD C3151EBA 455838A1
  F9CD51B5 74ED9066 5FD4BB5D 5B6FA0A0 F6636F19 3C71623E BBDE43C3 9F9B0203
  010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
  18301680 14D97F11 952F031B 283CC2DF 7DEEECA5 B899BFFF 92301D06 03551D0E
  04160414 D97F1195 2F031B28 3CC2DF7D EEECA5B8 99BFFF92 300D0609 2A864886
  F70D0101 05050003 81810088 9F7AF9C4 4EE2BA1A AA5DC07B 2C630ADE C9246E68
  B3C12A40 DF06E433 5B415763 29A836A1 4412F76F 97EDD219 BC88C524 74E4243D
  7E4A7A5F F0C53BCD 9A234516 9597548E 462FB01D E4DD8480 3D049B86 D65CEA36
  065C8C4D 8FA9B35B D8F2F03C 3CEA5645 77C1D637 A1C738D4 C70931DB FA173D60
  FA3FCB7D 765F41D2 9767C7
   quit
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.10.0 192.168.10.20
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool ccp-pool
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.2 203.12.160.35 203.12.160.36
!
ip dhcp pool guest-pool
 import all
 network 10.0.0.0 255.255.255.0
 dns-server 203.12.160.35 203.12.160.36
 default-router 10.0.0.1
!
!
!
ip domain name innovative.local
ip name-server 192.168.10.2
ip name-server 203.12.160.35
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-K9 sn FGL183224BR
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network aa_dst_net
 host 192.168.10.2
!
object-group network aa_src_net
 any
!
object-group service aa_svc
 ip
!
object-group network apple_dst_net
 any
!
object-group network apple_src_net
 any
!
object-group service apple_svc
 ip
!
object-group network business_dst_net
 any
!
object-group network business_src_net
 any
!
object-group service business_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 192.168.10.0 255.255.255.0
!
object-group network lync_dst_net
 any
!
object-group network lync_src_net
 any
!
object-group service lync_svc
 ip
!
object-group network mail_dst_net
 any
!
object-group network mail_src_net
 any
!
object-group service mail_svc
 ip
!
object-group network network_dst_net
 any
!
object-group network network_src_net
 any
!
object-group service network_svc
 ip
!
object-group network smtps_dst_net
 any
!
object-group network smtps_src_net
 any
!
object-group service smtps_svc
 tcp source eq 587 eq 587
!
object-group network vpn_remote_subnets
 any
!
object-group network web_dst_net
 any
!
object-group network web_src_net
 any
!
object-group service web_svc
 ip
!
username xxxxx privilege 15 secret 5 xxxxx
!
!
!
!
!
controller VDSL 0
no cdp run
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any lync_app
 match protocol ms-lync
 match protocol ms-lync-audio
 match protocol ms-lync-video
class-map type inspect match-any mail_app
 match protocol smtp
 match protocol imap
 match protocol secure-imap
 match protocol pop3
 match protocol secure-pop3
 match protocol submission
class-map type inspect match-any business_app
 match protocol activesync
 match protocol ms-office-365
 match protocol ms-office-web-apps
 match protocol share-point
class-map type inspect match-any aa_app
 match protocol http
 match protocol https
class-map type inspect match-any network_app
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol snmp
 match protocol time
class-map type inspect match-any web_app
 match protocol http
 match protocol https
class-map type inspect match-any apple_app
 match protocol facetime
class-map type inspect match-all smtps
 match access-group name smtps_acl
class-map type inspect match-all aa
  description Anywhere Access
 match access-group name aa_acl
 match class-map aa_app
class-map type inspect match-all business
 match access-group name business_acl
 match class-map business_app
class-map type inspect match-all mail
 match access-group name mail_acl
 match class-map mail_app
class-map type inspect match-all lync
 match access-group name lync_acl
 match class-map lync_app
class-map type inspect match-all apple
 match access-group name apple_acl
 match class-map apple_app
class-map type inspect match-all web
 match access-group name web_acl
 match class-map web_app
class-map type inspect match-all network
 match access-group name network_acl
 match class-map network_app
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect smtps
  inspect
 class type inspect network
  inspect
 class type inspect web
  inspect
 class type inspect mail
  inspect
 class type inspect business
  inspect
 class type inspect lync
  inspect
 class type inspect apple
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
policy-map type inspect WAN-LAN-POLICY
 class type inspect aa
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description Work-LAN
 ip address 192.168.10.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Vlan2
 description PrimaryWANDesc_
 ip address dhcp
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan3
 description Guest-LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description PrimaryWANDesc__Vlan2
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap password 0 151481inn
 ppp pap sent-username xxxxx password 0 xxxxx
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static tcp 192.168.10.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.2 80 interface Dialer1 80
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended aa_acl
 permit object-group aa_svc object-group aa_src_net object-group aa_dst_net
ip access-list extended apple_acl
 permit object-group apple_svc object-group apple_src_net object-group apple_dst_net
ip access-list extended business_acl
 permit object-group business_svc object-group business_src_net object-group business_dst_net
ip access-list extended lync_acl
 permit object-group lync_svc object-group lync_src_net object-group lync_dst_net
ip access-list extended mail_acl
 permit object-group mail_svc object-group mail_src_net object-group mail_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended network_acl
 permit object-group network_svc object-group network_src_net object-group network_dst_net
ip access-list extended smtps_acl
 permit object-group smtps_svc object-group smtps_src_net object-group smtps_dst_net
ip access-list extended web_acl
 permit object-group web_svc object-group web_src_net object-group web_dst_net
!
dialer-list 1 protocol ip permit
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you
want to use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
 
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE 
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
 
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login authentication local_access
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_access
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

UC540 system with 8.6.2 Software Pack
Highlighted
Hall of Fame Cisco Employee

Hi Jeremy,

I believe your object-group smtps_svc is wrong. Currently, it reads:

object-group service smtps_svc
 tcp source eq 587 eq 587

However, this forces it to check the source port and expect it to be 587. Clearly, this cannot be the case for TCP clients of the SMTPS service; only servers reside at port 587. It should be instead:

object-group service smtps_svc
 tcp eq 587

I am not sure if this is the CCP way of creating the configuration - I suppose it is. I have to say that the way the configuration is structured is an exercise in complicating the obvious. The ACL that would describe the SMTPS traffic could have been a single-line issue. Here, it refers to three separate object-groups that themselves are just one-entry long, not even to mention the repetitive object-groups of different names that are equivalent as they contain a single descriptor: "any". I am not sure this helps things.

Best regards,
Peter

View solution in original post

Highlighted

thankyou so much!

this has worked...

ok so tell me this...

the firewall applications 'submission' is meant to be for Secure SMTP. Why would this have not worked in my configuration?

I shouldn't have even needed the entry for SMTPS...correct?

UC540 system with 8.6.2 Software Pack
Highlighted
Hall of Fame Cisco Employee

Hi Jeremy,

I am glad this worked.

the firewall applications 'submission' is meant to be for Secure SMTP. Why would this have not worked in my configuration?

I honestly do not know. Many of these protocols recognized by the IOS engine are hardcoded into IOS and may have their limitations. For some other protocols, additional protocol definition files need to be installed into the router's IOS (so-called PDLM files).

I shouldn't have even needed the entry for SMTPS...correct?

If the match protocol submission worked as expected we would truly not need the entry for SMTPS. Nonetheless, there is no need to get exceedingly worried about this - specifying the protocol by ports is more efficient than letting the router ponder over its type using some complex internal classification machine.

Best regards,
Peter