
Re: Cisco Pop3 email access


News Reader
May 14, 2008, 12:01:47 PM
siik wrote:
> Hi,
>
> we have a Windows Server for SBS 2003 and a cisco 837 router with the
> following config:
>
> Current configuration : 5433 bytes
> !
> version 12.3
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname FNN1610037615
> !
> boot-start-marker
> boot-end-marker
> !
> memory-size iomem 5

You are only allotting 5% of your memory for I/O. You might want to use
"show memory summary", and verify that you have adequate "free" I/O
memory. This might bite you some day.

> logging buffered 51200 warnings
> !
> username victor privilege 15 password 7 104D1F012816155F5E036F
> username surespek privilege 15 password 7 02301475531C5A26

You need to change these passwords. They should not have been included
in your post. Type 7 passwords are easily decrypted with readily
available tools, and it takes less than 1 sec. You may even want to change
the usernames, and not include them in future posts.

> aaa new-model
> !
> !
> aaa authentication login userauthen local
> aaa authorization network groupauthor local
> aaa session-id common
> ip subnet-zero
> no ip source-route
> no ip gratuitous-arps
> !
> !
> !
> !
> ip domain name surespek.net.au
> ip name-server 139.130.4.4
> ip inspect name CBAC ftp
> ip inspect name CBAC http
> ip inspect name CBAC tcp
> ip inspect name CBAC udp
> ip inspect name CBAC smtp
> ip inspect name CBAC fragment maximum 256 timeout 1
> ip ips po max-events 100
> no ftp-server write-enable
> !
> !
> !
> !
> !
> crypto isakmp policy 3
> encr 3des
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp client configuration group VPNusers
> key 21sure05spek04

You should not have included this password in your post. You need to
change it now!

> dns 192.168.1.5
> domain surespek.net.au
> pool VPNPool
> !
> !
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> !
> crypto dynamic-map dynmap 10
> set transform-set myset
> !
> !
> crypto map clientmap client authentication list userauthen
> crypto map clientmap isakmp authorization list groupauthor
> crypto map clientmap client configuration address respond
> crypto map clientmap 10 ipsec-isakmp dynamic dynmap
> !
> !
> !
> interface Ethernet0
> description LAN
> ip address 192.168.1.3 255.255.255.0
> ip nat inside
> ip inspect CBAC in
> ip virtual-reassembly
> hold-queue 100 out

You should consider an ACL on the inside interface to implement a
reasonable security policy. If you do, then use inspection on the
outside interface to provision the return path.

> !
> interface ATM0
> no ip address
> no atm ilmi-keepalive
> dsl operating-mode itu-dmt
> pvc 1/34
> ubr 384
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
> !
> !
> interface FastEthernet1
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet2
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet3
> no ip address
> duplex auto
> speed auto
> !
> interface FastEthernet4
> no ip address
> duplex auto
> speed auto
> !
> interface Dialer1
> description Internet Network
> ip address negotiated
> ip access-group ACL-Outside in
> ip nat outside
> ip virtual-reassembly
> encapsulation ppp
> no ip mroute-cache
> dialer pool 1
> dialer-group 1
> no cdp enable
> ppp authentication chap callin
> ppp chap hostname 01610037615C@wAMNET
> ppp chap password 7 000A455F3752282E15

You need to change these passwords. They should not have been included
in your post. Type 7 passwords are easily decrypted with readily
available tools, and it takes less than 1 sec.

> crypto map clientmap
> !
> ip local pool VPNPool 10.10.10.10 10.10.10.20
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> no ip http server
> no ip http secure-server
> !
> ip nat inside source route-map nonat interface Dialer1 overload
> ip nat inside source static tcp 192.168.1.230 25 203.153.229.11 25
> extendable
> ip nat inside source static tcp 192.168.1.5 80 203.153.229.11 80
> extendable
> ip nat inside source static tcp 192.168.1.5 110 203.153.229.11 110
> extendable
> ip nat inside source static tcp 192.168.1.5 443 203.153.229.11 443
> extendable
> ip nat inside source static tcp 192.168.1.5 3389 203.153.229.11 3389
> extendable
> !
> !
> ip access-list extended ACL-Outside
> remark
> remark *** ACL Restricts incoming traffic from external networks
> remark
> remark *** Original ACL by : Adam Hinett ComputerCorp
> remark *** on 21/05/04
> remark
> remark *** VPN Exclusions
> remark
> permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
> remark
> remark *** Deny Private Address Ranges
> remark
> deny ip 10.0.0.0 0.255.255.255 any log-input
> deny ip 172.16.0.0 0.15.255.255 any log-input
> deny ip 192.168.0.0 0.0.255.255 any log-input
> remark
> remark *** Deny Invalid and Multicast Ranges
> remark
> deny ip 0.0.0.0 0.255.255.255 any log-input
> deny ip 224.0.0.0 0.255.255.255 any log-input
> deny ip 255.0.0.0 0.255.255.255 any log-input
> remark
> remark *** Permit limited ICMP
> remark
> permit icmp any any echo-reply
> permit icmp any any time-exceeded
> permit icmp any any traceroute
> permit icmp any any unreachable

You might want to place icmp permit ACEs after the permit ACEs for your
servers. Presumably there is more traffic to the servers (www, smtp,
etc.) than icmp traffic. The sooner you match a given packet in an ACL,
the sooner you stop processing the ACL, and forward the packet.

> remark
> remark *** Permits Mail ***
> remark

permit tcp any host 203.153.229.11 eq pop3

> permit tcp any host 203.153.229.11 eq smtp
> permit tcp any host 203.153.229.11 eq www
> permit tcp any host 203.153.229.11 eq 443
> remark
> remark *** Permits DNS ***
> remark
> permit udp any any eq domain
> permit tcp any any eq domain
> remark
> remark *** Permit - VPN
> remark
> permit esp any host 203.153.229.11
> permit ahp any host 203.153.229.11
> permit udp any host 203.153.229.11 eq isakmp
> permit udp any host 203.153.229.11 eq non500-isakmp
> remark
> remark *** Permit ComputerCORP Remote Administration
> remark
> permit tcp 210.10.117.124 0.0.0.1 any eq telnet
> permit tcp 210.10.117.124 0.0.0.1 host 203.153.229.11 eq 3389

Remote administration should not be done with Telnet (clear text). They
should be using SSH (encrypted).

> remark
> remark *** Deny the Rest
> remark
> deny ip any any log-input
> remark
> access-list 10 permit 210.10.117.125 log
> access-list 10 permit 210.10.117.124 log
> access-list 10 permit 192.168.1.0 0.0.0.255 log
> access-list 10 deny any log
> access-list 23 permit 10.10.10.0 0.0.0.255
> access-list 130 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
> access-list 130 permit ip 192.168.1.0 0.0.0.255 any
> dialer-list 1 protocol ip permit
> !
> route-map nonat permit 10
> match ip address 130
> !
> !
> control-plane
> !
> !
> line con 0
> exec-timeout 2 0
> no modem enable
> transport preferred all
> transport output all
> stopbits 1
> line aux 0
> transport preferred all
> transport output all
> line vty 0 4
> access-class 10 in
> exec-timeout 2 0
> privilege level 15
> password 7 095E5B1C09571E061819162F38342D38

You need to change this password. It should not have been included in
your post. Type 7 passwords are easily decrypted with readily available
tools, and it takes less than 1 sec.

> length 0
> transport preferred all
> transport input all
> transport output all
> !
> scheduler max-task-time 5000
> end
>
>
> For some reason we cannot access our POP3 email server, and from
> reading the cisco config, I would think we need to add the permit
> statement:
>
> permit tcp any host 203.153.229.11 eq pop3
>
> Could someone inform me if this will solve our problem?
> If this is all that is required, I have been having trouble trying to
> add that particular statement.
> I first enter enable,
> then config t,
> and then try to enter the permit statement, but it gives me an error.
>

The Access Control Entry (ACE) is part of the access-list. When you
enter configuration mode (config t), you then need to enter the specific
ACL configuration mode to add an ACE to the ACL:

Do a "show ip access-list ACL-Outside"

Note the sequence numbers beside the ACEs (they probably start at 10,
and increment by 10's).

Let's assume you saw this:

110 permit icmp any any unreachable
120 permit tcp any host 203.153.229.11 eq smtp

You might decide that you wanted to place your ACE between these two
ACEs. You would specify a sequence number between 110 and 120.

e.g.:
devicename(config)# ip access-list extended ACL-Outside
devicename(config-ext-nacl)# 115 permit tcp any host 203.153.229.11 eq pop3
devicename(config-ext-nacl)# ex
devicename(config)# ip access-list resequence ACL-Outside 10 10

This would resequence the ACEs, starting at 10, and incrementing by 10.

Exit configuration mode, do a "show ip access-list ACL-Outside", and
verify the result:

e.g.:
110 permit icmp any any unreachable
120 permit tcp any host 203.153.229.11 eq pop3
130 permit tcp any host 203.153.229.11 eq smtp

> I'm relatively new to cisco stuff, so please any issues/help is
> appreciated.
>
> Thanks
> Simon

Best Regards,
News Reader
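The following is an added example, not code from the thread or from Cisco: a small Python model of how IOS evaluates a named extended ACL top-down, stopping at the first matching ACE, and of the insert-then-resequence procedure the reply describes. ACL_OUTSIDE is a constructed subset of the ACL-Outside list quoted above (the pop3 ACE is deliberately absent, as in the posted config), the source address 198.51.100.7 is a made-up external client, and every class and function name (ExtendedACL, parse_ace, fix_pop3, ...) is this example's own. Sequence numbers here start at 10 in steps of 10, so they differ from the 110/115/120 numbers in the reply.

```python
"""First-match evaluation of a Cisco IOS named extended ACL (simulation).

Added example, not the router's own code: models how IOS walks an extended
ACL top-down, stops at the first matching ACE, and how sequence numbers let
you insert an ACE between two existing ones and then resequence the list.
"""
import ipaddress
from dataclasses import dataclass

# IOS port keywords used in the quoted ACL (subset, by assumption).
PORT_NAMES = {"pop3": 110, "smtp": 25, "www": 80, "domain": 53, "telnet": 23}

# Constructed subset of the quoted ACL-Outside, in posted order (no pop3 ACE).
ACL_OUTSIDE = [
    "permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "deny ip 10.0.0.0 0.255.255.255 any log-input",
    "deny ip 172.16.0.0 0.15.255.255 any log-input",
    "deny ip 192.168.0.0 0.0.255.255 any log-input",
    "permit icmp any any unreachable",
    "permit tcp any host 203.153.229.11 eq smtp",
    "permit udp any any eq domain",
    "deny ip any any log-input",
]

@dataclass
class ACE:
    seq: int
    text: str
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", "icmp", ...
    src: tuple    # (address as int, wildcard mask as int)
    dst: tuple
    dport: int    # destination port for "eq", or None

def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))

def _addr_match(spec, addr):
    net, wild = spec  # bits set in the wildcard are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def parse_ace(seq, line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = None  # 'log-input' and ICMP type keywords are ignored by this model
    if tokens[:1] == ["eq"]:
        dport = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
    return ACE(seq, line, action, proto, src, dst, dport)

class ExtendedACL:
    def __init__(self, lines, start=10, step=10):
        self.aces = [parse_ace(start + i * step, line) for i, line in enumerate(lines)]

    def insert(self, seq, line):
        """Like typing '<seq> permit ...' in config-ext-nacl mode."""
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use")
        self.aces.append(parse_ace(seq, line))
        self.aces.sort(key=lambda a: a.seq)

    def resequence(self, start=10, step=10):
        """Like 'ip access-list resequence NAME start step'."""
        for i, a in enumerate(self.aces):
            a.seq = start + i * step

    def show(self):
        """Lines as 'show ip access-list NAME' would list them."""
        return [f"{a.seq} {a.text}" for a in self.aces]

    def evaluate(self, proto, src, dst, dport=None):
        """Walk top-down; return (action, seq, number of ACEs examined).
        Stops at the first match; with no match the implicit deny applies."""
        for n, a in enumerate(self.aces, 1):
            if a.proto != "ip" and a.proto != proto:
                continue
            if not (_addr_match(a.src, src) and _addr_match(a.dst, dst)):
                continue
            if a.dport is not None and a.dport != dport:
                continue
            return a.action, a.seq, n
        return "deny", None, len(self.aces)

def fix_pop3(acl, seq=55):
    """The reply's procedure: insert the pop3 ACE at a free seq, then resequence."""
    before = acl.evaluate("tcp", "198.51.100.7", "203.153.229.11", 110)
    acl.insert(seq, "permit tcp any host 203.153.229.11 eq pop3")
    acl.resequence(10, 10)
    return before, acl.evaluate("tcp", "198.51.100.7", "203.153.229.11", 110)

if __name__ == "__main__":
    acl = ExtendedACL(ACL_OUTSIDE)
    print(fix_pop3(acl), *acl.show(), sep="\n")
```

Before the insert, a TCP/110 packet to the mail server falls all the way through to the final "deny ip any any" ACE, which is the behaviour the original poster is seeing; after the insert and resequence it is permitted at the new line. The third value returned by evaluate (how many ACEs were examined before the match) is the cost the reply's ordering advice is about: a packet that matches early stops the walk sooner.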
