Please Help......Cannot route SMTP to internal interface

Discussion in 'Cisco' started by mack, Sep 1, 2004.

  1. mack

    mack Guest

    I've been playing around with the configuration of our router after
    researching a lot of other posts on recommended acl configurations.
    I've finally been able to get it so most things are working.

    However, if I apply the "DIALER_OUT" ACL to the internal interface
    of "fastEthernet0" I cannot receive any external emails to our
    exchange server. We're able to send externally though.

    This is the config I have, any help would be appreciated as I don't
    know where else to look now.

    Thanks.

    ------------
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname PB_RTR1
    !
    logging queue-limit 100
    enable secret 5 <removed>
    enable password <removed>
    !
    username <removed> password <removed>
    ip subnet-zero
    !
    !
    ip name-server 192.168.3.10
    !
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    !
    vpdn-group pppoe
    request-dialin
    protocol pppoe
    !
    !
    !
    !
    !
    crypto isakmp policy 3
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group clients
    key <removed>
    dns 192.168.3.10
    domain <removed>
    pool clientpool
    !
    !
    crypto ipsec transform-set dessha esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set dessha
    reverse-route
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    bridge irb
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    bundle-enable
    dsl operating-mode itu-dmt
    !
    interface ATM0.1 point-to-point
    pvc 8/35
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
    ip address 192.168.3.1 255.255.255.0
    ip nat inside
    speed auto
    half-duplex
    !
    interface Dialer1
    ip address negotiated
    ip access-group DIALER_IN in
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ntp disable
    no cdp enable
    ppp chap hostname <removed>
    ppp chap password <removed>
    crypto map clientmap
    !
    ip local pool clientpool 192.168.5.1 192.168.5.254
    ip nat pool ovrld <removed> <removed> prefix-length 24
    ip nat inside source route-map nonat pool ovrld overload
    ip nat inside source static tcp 192.168.3.20 80 <removed> 80 extendable
    ip nat inside source static tcp 192.168.3.20 25 <removed>72 25 extendable
    ip nat inside source static tcp 192.168.3.20 110 <removed> 72 110 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    !
    !
    ip access-list extended DIALER_IN
    permit tcp any host 192.168.3.20 eq smtp
    permit tcp any host 192.168.3.20 eq pop3
    permit ip <removed> 0.0.0.255 host <removed>
    permit ip host <removed> host <removed>
    permit ip any host <removed>
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit ahp any any
    permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit icmp 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
    remark Standard WWW services
    permit tcp any any eq www
    permit tcp any any eq smtp
    permit tcp any any eq pop3
    permit tcp any any eq 22
    permit tcp any any eq ident
    remark Microsoft RDP
    permit tcp any any eq 3389
    remark Anti-spoofing
    deny ip host 0.0.0.0 any
    deny ip host 255.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    remark ICMP
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any packet-too-big
    permit icmp any any traceroute
    permit icmp any any unreachable
    deny icmp any any
    deny tcp any range 0 65535 any range 0 65535
    deny udp any range 0 65535 any range 0 65535
    deny ip any any
    ip access-list extended DIALER_OUT
    permit tcp any host 192.168.3.20 eq smtp
    permit ip any host <removed>
    permit ip any host <removed>
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit ahp any any
    permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip any host 255.255.255.255
    permit icmp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    remark WWW Standard services
    permit tcp any any eq www
    permit udp any any eq domain
    permit tcp any any eq smtp
    permit tcp any any eq 443
    permit tcp any any eq ftp
    permit tcp any any eq ftp-data
    permit tcp any any eq pop3
    permit tcp any any eq nntp
    permit tcp any any eq 22
    permit tcp any any eq telnet
    remark Windows Media
    permit tcp any any eq 1755
    remark Microsoft RDP
    permit tcp any any eq 3389
    permit tcp any any eq 5631
    permit tcp any any eq 5632
    permit icmp any any
    deny tcp any range 0 65535 any range 0 65535
    deny udp any range 0 65535 any range 0 65535
    deny ip any any
    ip access-list extended addr-pool
    ip access-list extended ailer_in
    ip access-list extended default-domain
    ip access-list extended group-lock
    ip access-list extended idletime
    ip access-list extended inacl
    ip access-list extended key-exchange
    ip access-list extended protocol
    ip access-list extended service
    ip access-list extended tunnel-password
    !
    access-list 10 permit 192.168.3.0 0.0.0.255
    access-list 111 permit ip 192.168.3.0 0.0.0.255 any
    access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
    !
    route-map nonat permit 10
    match ip address 111
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    line aux 0
    line vty 0 4
    password cisco
    login
    !
    end
    mack, Sep 1, 2004
    #1

  2. PES

    PES Guest

    "mack" <> wrote in message
    news:...
    > I've been playing around with the configuration of our router after
    > researching a lot of other posts on recommended acl configurations.
    > I've finally been able to get it so most things are working.
    >
    > However, if I apply the "DIALER_OUT" ACL to the internal interface
    > of "fastEthernet0" I cannot receive any external emails to our
    > exchange server. We're able to send externally though.
    >
    > This is the config I have, any help would be appreciated as I don't
    > know where else to look now.
    >
    > Thanks.
    >


    Maybe the first line in DIALER_OUT is backwards. Assuming your mail
    server is 192.168.3.20 the line should be

    permit tcp host 192.168.3.20 eq smtp any

    Also, I recommend using the firewall feature set. Stateful filtering will
    make your life easier and your network more secure.
    PES, Sep 1, 2004
    #2
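The reason PES's one-line change fixes inbound mail is worth seeing packet by packet. An IOS extended ACL is stateless: it checks each packet on its own, first match wins, and anything unmatched hits the implicit deny. The corrected entry `permit tcp host 192.168.3.20 eq smtp any` only matches packets whose *source* is the mail server on port 25, which is what the Exchange server's replies to a remote MTA look like as they enter FastEthernet0 from the LAN; that is also why the fix only makes sense if the ACL is applied inbound on FastEthernet0. The original entry `permit tcp any host 192.168.3.20 eq smtp` describes packets *going to* the server, which never enter the router from the LAN side, so the replies fell through to `deny ip any any`. Outbound mail was never affected because the server's own connections to port 25 match `permit tcp any any eq smtp`. The script below is an added example, not code from the thread: it models IOS address/wildcard and port matching for the relevant DIALER_OUT lines (abridged to the entries that matter for SMTP) and evaluates both versions against two constructed packets. The address 203.0.113.5 is a documentation placeholder standing in for the `<removed>` Internet hosts, and the helper names (`evaluate_acl`, `Packet`) are mine.

```python
"""Model IOS extended-ACL evaluation to show why the original first line of
DIALER_OUT drops the mail server's replies while the corrected line allows them.
Added example for this thread, not the poster's configuration; packets and the
public address 203.0.113.5 are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Port keywords IOS accepts in 'eq' qualifiers (subset used in the thread's ACLs).
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53, "ftp": 21,
              "ftp-data": 20, "telnet": 23, "nntp": 119, "ident": 113,
              "isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _addr(tokens, i, ip):
    """Match one IOS address spec at tokens[i]: any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return True, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_address(ip) == ipaddress.ip_address(tokens[i + 1]), i + 2
    base = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))  # wildcard: 1 bits are "don't care"
    return (int(ipaddress.ip_address(ip)) & ~wild) == (base & ~wild), i + 2


def _port(tokens, i, port):
    """Match an optional port qualifier at tokens[i]: eq P | range LO HI."""
    if i < len(tokens) and tokens[i] == "eq":
        want = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        return port == want, i + 2
    if i < len(tokens) and tokens[i] == "range":
        return int(tokens[i + 1]) <= port <= int(tokens[i + 2]), i + 3
    return True, i


def _matches(line, pkt):
    """One ACE: <action> <proto> <src> [port] <dst> [port]. Trailing ICMP types
    and 'established' are not modelled."""
    t = line.split()
    if t[1] != "ip" and t[1] != pkt.proto:
        return False
    ok, i = _addr(t, 2, pkt.src)
    if not ok:
        return False
    ok, i = _port(t, i, pkt.sport)
    if not ok:
        return False
    ok, i = _addr(t, i, pkt.dst)
    if not ok:
        return False
    ok, _ = _port(t, i, pkt.dport)
    return ok


def evaluate_acl(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        if line.startswith("remark"):
            continue
        if _matches(line, pkt):
            return line.split()[0], line
    return "deny", "(implicit deny)"


# DIALER_OUT abridged to the entries that decide SMTP, with the two candidate first lines.
DIALER_OUT_TAIL = [
    "permit tcp any any eq www",
    "permit udp any any eq domain",
    "permit tcp any any eq smtp",
    "permit tcp any any eq pop3",
    "deny ip any any",
]
DIALER_OUT_ORIGINAL = ["permit tcp any host 192.168.3.20 eq smtp"] + DIALER_OUT_TAIL
DIALER_OUT_FIXED = ["permit tcp host 192.168.3.20 eq smtp any"] + DIALER_OUT_TAIL

# Constructed packets as they enter FastEthernet0 from the LAN (inside addresses, pre-NAT).
INBOUND_MAIL_REPLY = Packet("tcp", "192.168.3.20", 25, "203.0.113.5", 40123)  # server answering a remote MTA
OUTBOUND_MAIL = Packet("tcp", "192.168.3.20", 51000, "203.0.113.5", 25)       # server delivering mail out

if __name__ == "__main__":
    for name, acl in (("original", DIALER_OUT_ORIGINAL), ("fixed", DIALER_OUT_FIXED)):
        for label, pkt in (("reply to inbound SMTP", INBOUND_MAIL_REPLY),
                           ("outbound SMTP", OUTBOUND_MAIL)):
            action, line = evaluate_acl(acl, pkt)
            print(f"{name:8} {label:22} -> {action:6} by '{line}'")
```

Run it and the original list denies the server's reply via `deny ip any any` while permitting outbound mail, and the fixed list permits both. The wider lesson is that with stateless ACLs every return direction has to be enumerated by hand, which is the bookkeeping a stateful inspection feature takes over: it watches the outbound or inbound connection and opens the reverse path automatically.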

  3. mack

    mack Guest

    Thank you. It worked and I had everything back up in no time.

    Do you have any samples of recommended setups for the feature set?
    This is my next task to tackle.

    Cheers
    mack, Sep 2, 2004
    #3