Discussion in 'Cisco' started by Michael Huffaker, Apr 11, 2004.

  1. I have a Cisco 2611 installed with the Firewall feature set and I have
    initially configured it for NAT access with none of the Firewall
    features enabled and it has worked fine. I used the Cisco Configmaker
    software (yes, it sucks and I am a wimp) to set up a DMZ with a Web
    server and eventually an exchange server.
    The goals:
    * Office LAN able to access everything on the internet and on the
    System on the DMZ (207.XXX.XXX.250/29) to be part of the domain where
    the domain controllers ( and sit on the
    Office LAN; this requires two-way communication.
    * Able to telnet into the router from the internet in addition to
    console and local.
    * VPN passthrough to a Microsoft VPN server on the Office LAN
    ( Config maker does not deal with this so I added the
    GRE and port 1723 statement in the configuration in Access list 100.


    1. Cannot telnet in via the internet but can telnet via console and
    from within the Office LAN
    2. POP3 mail comes in fine but outgoing mail is blocked and the mail
    client (outlook express) shows the following error message - "554
    relay access denied"

    Any help on either or both issues would be great, thanks

    The running configuration (sanitized) is below

    2611#sh run
    Building configuration...
    Current configuration : 3104 bytes
    version 12.3
    service config
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname 2611
    enable secret 5 $1$YDAt$LNSUk85gUmICy4UEJD.xu0
    no aaa new-model
    ip subnet-zero
    ip name-server
    ip inspect max-incomplete high 1100
    ip inspect one-minute high 1100
    ip inspect name Ethernet_0_1 tcp
    ip inspect name Ethernet_0_1 udp
    ip inspect name Ethernet_0_1 cuseeme
    ip inspect name Ethernet_0_1 ftp
    ip inspect name Ethernet_0_1 h323
    ip inspect name Ethernet_0_1 rcmd
    ip inspect name Ethernet_0_1 realaudio
    ip inspect name Ethernet_0_1 smtp
    ip inspect name Ethernet_0_1 streamworks
    ip inspect name Ethernet_0_1 vdolive
    ip inspect name Ethernet_0_1 sqlnet
    ip inspect name Ethernet_0_1 tftp
    ip inspect name Serial_0_0 tcp
    ip inspect name Serial_0_0 ftp
    ip inspect name Serial_0_0 udp
    ip inspect name Serial_0_0 smtp
    ip audit notify log
    ip audit po max-events 100
    interface Ethernet0/0
    description connected to DMZ LAN
    ip address 207.XXX.XXX.249
    ip access-group 101 in
    interface Serial0/0
    description connected to Internet
    ip address 20.XXX.XXX.158
    ip access-group 102 in
    ip nat outside
    ip inspect Serial_0_0 in
    interface Ethernet0/1
    description connected to Office LAN
    ip address
    ip access-group 100 in
    ip nat inside
    ip inspect Ethernet_0_1 in
    router rip
    version 2
    passive-interface Serial0/0
    network 207.XXX.XXX.0
    no auto-summary
    ip nat inside source list 1 interface Serial0/0 overload
    ip http server
    no ip http secure-server
    ip classless
    ip route Serial0/0
    access-list 1 permit
    access-list 100 deny ip 207.XXX.XXX.248 any
    access-list 100 permit ip any any
    access-list 100 permit tcp any host eq 1723
    access-list 100 permit gre any host
    access-list 101 deny ip any
    access-list 101 permit udp any eq rip any eq rip
    access-list 102 deny ip 207.XXX.XXX.248 any
    access-list 102 permit tcp any host 207.XXX.XXX.250 eq telnet
    access-list 102 permit tcp any host 207.XXX.XXX.250 range ftp-data ftp
    access-list 102 permit tcp any host 207.XXX.XXX.250 eq www
    access-list 102 permit udp any host 207.XXX.XXX.250 eq isakmp
    access-list 102 permit tcp any host 207.XXX.XXX.250 eq smtp
    access-list 102 deny ip any host 207.XXX.XXX.250
    access-list 102 permit tcp any 207.XXX.XXX.248 eq telnet
    access-list 102 permit icmp any 207.XXX.XXX.248
    access-list 102 permit tcp any 207.XXX.XXX.248 eq www
    access-list 102 permit tcp any 207.XXX.XXX.248 range ftp-data
    access-list 102 permit udp any 207.XXX.XXX.248 eq domain
    snmp-server community public RO
    snmp-server location Phoenix
    snmp-server enable traps tty
    line con 0
    exec-timeout 0 0
    password XXXXXXXX
    line aux 0
    line vty 0 4
    password XXXXXXXX
    Michael Huffaker, Apr 11, 2004
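Added example, not code from the original thread or from Cisco: a small Python simulator of IOS first-match access-list semantics, run over access-lists 100 and 102 as transcribed from the posted config. Because the post is sanitized, every address is a constructed stand-in (203.0.113.248/29 for the DMZ /29 with the router's Ethernet0/0 at .249 and the web server at .250, 198.51.100.1 for the Serial0/0 address, 192.0.2.10 for the office-LAN VPN server, 198.51.100.77 for an Internet client), the /29 entries are given the 0.0.0.7 wildcard the mask implies, and the truncated "range ftp-data" line is completed as "range ftp-data ftp". Under those assumptions it shows two things worth verifying on the real box: access-list 102, applied inbound on Serial0/0, has no entry for the router's own serial address, so a telnet to that address falls through to the implicit deny (the /29 entries would admit telnet to the Ethernet0/0 address and to the web server instead); and in access-list 100 the two VPN entries sit behind "permit ip any any", so they are never reached. The shadow check is general first-match coverage, not specific to "permit ip any any".

```python
"""Added example, not part of the original thread: a first-match simulator for
IOS-style numbered extended access lists. It shows where an inbound telnet from
the Internet lands in access-list 102 (applied 'in' on Serial0/0) and which
entries of access-list 100 are unreachable behind 'permit ip any any'."""
import ipaddress
from collections import namedtuple
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,   # IOS port
              "domain": 53, "www": 80, "isakmp": 500, "rip": 520}   # keywords
# src/dst are (address, netmask) as ints; dport is (lo, hi) or None for any port
Ace = namedtuple("Ace", "action proto src dst dport text")

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _parse_addr(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return (0, 0), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(toks[i]))
    wildcard = int(ipaddress.IPv4Address(toks[i + 1]))
    return (addr, ~wildcard & 0xFFFFFFFF), i + 2   # wildcard bits -> netmask

def _parse_ports(toks, i):
    """Parse an optional 'eq P' or 'range P1 P2' operator at toks[i]."""
    if i < len(toks) and toks[i] in ("eq", "range"):
        n = 1 if toks[i] == "eq" else 2
        return (_port(toks[i + 1]), _port(toks[i + n])), i + n + 1
    return None, i

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [ports] DST [ports]'."""
    toks = line.split()
    src, i = _parse_addr(toks, 4)
    _sport, i = _parse_ports(toks, i)   # source ports are parsed but not matched on
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_ports(toks, i)
    return Ace(toks[2], toks[3], src, dst, dport, line)

def _in_addr(spec, ip):
    return (int(ipaddress.IPv4Address(ip)) & spec[1]) == (spec[0] & spec[1])

def evaluate(acl, proto, src, dst, dport=None):
    """First-match lookup: returns (action, index); index None = the implicit deny."""
    for idx, ace in enumerate(acl):
        if (ace.proto in ("ip", proto) and _in_addr(ace.src, src) and _in_addr(ace.dst, dst)
                and (ace.dport is None or
                     (dport is not None and ace.dport[0] <= dport <= ace.dport[1]))):
            return ace.action, idx
    return "deny", None   # every IOS ACL ends with an implicit 'deny ip any any'

def _addr_subset(a, b):
    """True if every address matched by spec a is also matched by spec b."""
    return (a[1] & b[1]) == b[1] and (a[0] & b[1]) == (b[0] & b[1])

def _covers(outer, inner):
    """True if any packet matching 'inner' would already have matched 'outer'."""
    return (outer.proto in ("ip", inner.proto)
            and _addr_subset(inner.src, outer.src) and _addr_subset(inner.dst, outer.dst)
            and (outer.dport is None or (inner.dport is not None and
                 outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1])))

def shadowed(acl):
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [i for i, ace in enumerate(acl) if any(_covers(acl[j], ace) for j in range(i))]

# Constructed stand-ins for the sanitized addresses: 203.0.113.248/29 is the DMZ /29
# (router E0/0 .249, web server .250); 192.0.2.10 is the office-LAN VPN server.
ACL_100 = [parse_ace(l) for l in """
access-list 100 deny ip 203.0.113.248 0.0.0.7 any
access-list 100 permit ip any any
access-list 100 permit tcp any host 192.0.2.10 eq 1723
access-list 100 permit gre any host 192.0.2.10
""".splitlines() if l.strip()]
ACL_102 = [parse_ace(l) for l in """
access-list 102 deny ip 203.0.113.248 0.0.0.7 any
access-list 102 permit tcp any host 203.0.113.250 eq telnet
access-list 102 permit tcp any host 203.0.113.250 range ftp-data ftp
access-list 102 permit tcp any host 203.0.113.250 eq www
access-list 102 permit udp any host 203.0.113.250 eq isakmp
access-list 102 permit tcp any host 203.0.113.250 eq smtp
access-list 102 deny ip any host 203.0.113.250
access-list 102 permit tcp any 203.0.113.248 0.0.0.7 eq telnet
access-list 102 permit icmp any 203.0.113.248 0.0.0.7
access-list 102 permit tcp any 203.0.113.248 0.0.0.7 eq www
access-list 102 permit tcp any 203.0.113.248 0.0.0.7 range ftp-data ftp
access-list 102 permit udp any 203.0.113.248 0.0.0.7 eq domain
""".splitlines() if l.strip()]

def telnet_from_internet(client="198.51.100.77"):
    """TCP/23 from an Internet host (constructed) to each address; 198.51.100.1 = Serial0/0."""
    return {"serial0/0": evaluate(ACL_102, "tcp", client, "198.51.100.1", 23),
            "ethernet0/0": evaluate(ACL_102, "tcp", client, "203.0.113.249", 23),
            "dmz_web": evaluate(ACL_102, "tcp", client, "203.0.113.250", 23)}

if __name__ == "__main__":
    print(telnet_from_internet(), "unreachable in ACL 100:", shadowed(ACL_100))
```

Running the file prints the three telnet lookups (the serial address resolves to the implicit deny, the other two to a permit entry) and the indexes of the unreachable ACL 100 entries. The same parser also confirms that the first line of ACL 102 drops packets arriving on the serial interface with a DMZ source address, which is the anti-spoofing role that entry plays.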
  2. BTW, I am familiar with the idea that blocking telnet from the outside
    is a good security practice; however, due to logistical reasons we need
    outside telnet capability.
    Michael Huffaker, Apr 12, 2004
  3. Michael Huffaker

    rowl Guest

    Must be an issue with "relay_* Features" in sendmail. Relaying is
    disabled by default in Sendmail 8.9 and up, I believe, as a spam control
    feature. So your sender username's domain component and the SMTP host's
    domain component must match.
    ex: can use smtp.b.c but may not be able to send using
    smtp.b.c but only thru smtp.y.z

    Rahul Sawarkar
    rowl, Apr 12, 2004
  4. Michael Huffaker

    Rod Dorman Guest

    I'd strongly recommend a more secure access procedure like using SSH.
    Rod Dorman, Apr 12, 2004
