Cisco Pop3 email access

Hi,

We have a Windows Server for SBS 2003 and a Cisco 837 router with the following config:

Current configuration : 5433 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FNN1610037615
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging buffered 51200 warnings
!
username victor privilege 15 password 7 104D1F012816155F5E036F
username surespek privilege 15 password 7 02301475531C5A26
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip domain name surespek.net.au
ip name-server 139.130.4.4
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC smtp
ip inspect name CBAC fragment maximum 256 timeout 1
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNusers
 key 21sure05spek04
 dns 192.168.1.5
 domain surespek.net.au
 pool VPNPool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 description LAN
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 ip inspect CBAC in
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 1/34
  ubr 384
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description Internet Network
 ip address negotiated
 ip access-group ACL-Outside in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 01610037615C@wAMNET
 ppp chap password 7 000A455F3752282E15
 crypto map clientmap
!
ip local pool VPNPool 10.10.10.10 10.10.10.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.1.230 25 203.153.229.11 25 extendable
ip nat inside source static tcp 192.168.1.5 80 203.153.229.11 80 extendable
ip nat inside source static tcp 192.168.1.5 110 203.153.229.11 110 extendable
ip nat inside source static tcp 192.168.1.5 443 203.153.229.11 443 extendable
ip nat inside source static tcp 192.168.1.5 3389 203.153.229.11 3389 extendable
!
!
ip access-list extended ACL-Outside
 remark
 remark *** ACL Restricts incoming traffic from external networks
 remark
 remark *** Original ACL by : Adam Hinett ComputerCorp
 remark *** on 21/05/04
 remark
 remark *** VPN Exclusions
 remark
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark
 remark *** Deny Private Address Ranges
 remark
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 remark
 remark *** Deny Invalid and Multicast Ranges
 remark
 deny ip 0.0.0.0 0.255.255.255 any log-input
 deny ip 224.0.0.0 0.255.255.255 any log-input
 deny ip 255.0.0.0 0.255.255.255 any log-input
 remark
 remark *** Permit limited ICMP
 remark
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 remark
 remark *** Permits Mail ***
 remark
 permit tcp any host 203.153.229.11 eq smtp
 permit tcp any host 203.153.229.11 eq www
 permit tcp any host 203.153.229.11 eq 443
 remark
 remark *** Permits DNS ***
 remark
 permit udp any any eq domain
 permit tcp any any eq domain
 remark
 remark *** Permit - VPN
 remark
 permit esp any host 203.153.229.11
 permit ahp any host 203.153.229.11
 permit udp any host 203.153.229.11 eq isakmp
 permit udp any host 203.153.229.11 eq non500-isakmp
 remark
 remark *** Permit ComputerCORP Remote Administration
 remark
 permit tcp 210.10.117.124 0.0.0.1 any eq telnet
 permit tcp 210.10.117.124 0.0.0.1 host 203.153.229.11 eq 3389
 remark
 remark *** Deny the Rest
 remark
 deny ip any any log-input
 remark
access-list 10 permit 210.10.117.125 log
access-list 10 permit 210.10.117.124 log
access-list 10 permit 192.168.1.0 0.0.0.255 log
access-list 10 deny any log
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 130
!
!
control-plane
!
!
line con 0
 exec-timeout 2 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 10 in
 exec-timeout 2 0
 privilege level 15
 password 7 095E5B1C09571E061819162F38342D38
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

For some reason we cannot access our POP3 email server, and from reading the Cisco config, I would think we need to add the permit statement:

permit tcp any host 203.153.229.11 eq pop3

Could someone inform me if this will solve our problem? If this is all that is required, I have been having trouble trying to add that particular statement. I first enter enable, then config t, and then try to enter the permit statement, but it gives me an error.

I'm relatively new to Cisco stuff, so any issues/help is appreciated.

Thanks, Simon

Reply to
siik

You are only allotting 5% of your memory for I/O. You might want to use "show memory summary", and verify that you have adequate "free" I/O memory. This might bite you some day.

You need to change these passwords. They should not have been included in your post. Type 7 passwords are easily decrypted with readily available tools, and it takes less than 1 sec. You may even want to change the usernames, and not include them in future posts.

You should not have included this password in your post. You need to change it now!

You should consider an ACL on the inside interface to implement a reasonable security policy. If you do, then use inspection on the outside interface to provision the return path.

You need to change these passwords. They should not have been included in your post. Type 7 passwords are easily decrypted with readily available tools, and it takes less than 1 sec.

You might want to place icmp permit ACEs after the permit ACEs for your servers. Presumably there is more traffic to the servers (www, smtp, etc.) than icmp traffic. The sooner you match a given packet in an ACL, the sooner you stop processing the ACL, and forward the packet.

permit tcp any host 203.153.229.11 eq pop3

Remote administration should not be done with Telnet (clear text). They should be using SSH (encrypted).

You need to change this password. It should not have been included in your post. Type 7 passwords are easily decrypted with readily available tools, and it takes less than 1 sec.

The Access Control Entry (ACE) is part of the access-list. When you enter configuration mode (config t), you then need to enter the specific ACL configuration mode to add an ACE to the ACL:

Do a "show ip access-list ACL-Outside"

Note the sequence numbers beside the ACEs (they probably start at 10, and increment by 10s).

Let's assume you saw this:

110 permit icmp any any unreachable
120 permit tcp any host 203.153.229.11 eq smtp

You might decide that you wanted to place your ACE between these two ACEs. You would specify a sequence number between 110 and 120.

e.g.:

devicename(config)# ip access-list extended ACL-Outside
devicename(config-ext-nacl)# 115 permit tcp any host 203.153.229.11 eq pop3
devicename(config-ext-nacl)# ex
devicename(config)# ip access-list resequence ACL-Outside 10 10

This would resequence the ACEs, starting at 10, and incrementing by 10.

Exit configuration mode, do a "show ip access-list ACL-Outside", and verify the result:

e.g.:

110 permit icmp any any unreachable
120 permit tcp any host 203.153.229.11 eq pop3
130 permit tcp any host 203.153.229.11 eq smtp

Best Regards, News Reader

Reply to
News Reader
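A small first-match ACL model in Python that walks the procedure in the reply above (an added example, not code from the thread or from Cisco IOS): it evaluates a POP3 connection to 203.153.229.11 against a constructed excerpt of the posted ACL-Outside, inserts the pop3 ACE at sequence 115, and resequences 10/10. The parser handles only the simplified ACE shape used here, and PORTS and the function names are my own.

```python
import ipaddress
PORTS = {"smtp": 25, "www": 80, "pop3": 110, "domain": 53}  # port names used in the posted ACL

def parse_ace(text):
    """Parse a simplified IOS ACE: '<seq> permit|deny <proto> any (any|host A.B.C.D) [eq <port>]'."""
    tok = text.split()
    i = 4  # tok[3] is the source, 'any' in every ACE modelled here
    if tok[i] == "host":
        dst, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        dst, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"seq": int(tok[0]), "action": tok[1], "proto": tok[2], "dst": dst, "port": port}

def evaluate(acl, proto, dst_ip, dport=None):
    """First-match lookup in sequence order, as IOS does it; the implicit deny applies if nothing matches."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        proto_ok = ace["proto"] in (proto, "ip")
        port_ok = ace["port"] is None or ace["port"] == dport
        if proto_ok and port_ok and ipaddress.ip_address(dst_ip) in ace["dst"]:
            return ace["action"], ace["seq"]
    return "deny", None

def insert_ace(acl, text):
    """Add an ACE with an explicit sequence number, as done in 'ip access-list extended' mode."""
    ace = parse_ace(text)
    if any(a["seq"] == ace["seq"] for a in acl):
        raise ValueError("sequence number %d already in use" % ace["seq"])  # IOS rejects duplicates too
    acl.append(ace)
    return ace["seq"]

def resequence(acl, start=10, step=10):
    """Renumber in order, like 'ip access-list resequence ACL-Outside 10 10'; returns the new numbers."""
    for n, ace in enumerate(sorted(acl, key=lambda a: a["seq"])):
        ace["seq"] = start + n * step
    return sorted(a["seq"] for a in acl)

def pop3_before_and_after():
    """POP3 (tcp/110) to the mail host: dropped by the final deny today, permitted once the ACE is added."""
    acl = [parse_ace(t) for t in (  # constructed excerpt of the posted ACL-Outside, numbered as 'show ip access-list' prints it
        "110 permit icmp any any unreachable", "120 permit tcp any host 203.153.229.11 eq smtp",
        "130 permit tcp any host 203.153.229.11 eq www", "140 permit tcp any host 203.153.229.11 eq 443",
        "150 deny ip any any")]
    before = evaluate(acl, "tcp", "203.153.229.11", 110)            # ('deny', 150): falls through to the final deny
    insert_ace(acl, "115 permit tcp any host 203.153.229.11 eq pop3")
    after = evaluate(acl, "tcp", "203.153.229.11", 110)             # ('permit', 115)
    return before, after, resequence(acl), evaluate(acl, "tcp", "203.153.229.11", 110)  # ..., [10..60], ('permit', 20)
```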
