
827H config. Need help.


Spiff59 (Programmer, US), Jun 23, 2009
Hello all,
My first post, and (warning!) I am a newbie regarding IOS stuff. I have a Cisco 827H with 32M RAM and 8M of Flash. It's running IOS version c820-k9osy6-mz.123-15.bin.

The router is end-of-life, and without a contract I can't get support for it via my ISP. I managed to upgrade it a while back from a non-firewall version of 12.2(4) to the current 12.3(15) with firewall. I've enabled NAT, and also added a couple of lines to allow Remote Desktop access to a couple of ports. My problem is, if I enable the firewall, I get SMTP authentication errors in Outlook. Would someone be able to tell me what I need to add to get SMTP working through the router? I'm thinking turning on the firewall also inserted all those "myfw" entries? If anything else blatantly wrong with the config below jumps out at you, I'd be glad to hear that too! Any help is greatly appreciated.

Current configuration : 3515 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 <xxxxxxxxxxxxxxxx>
!
no aaa new-model
ip subnet-zero
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
! CBAC (stateful) inspection rule set "myfw"; applied outbound on Dialer1 below
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
!
username xxxxxxxx privilege 15 secret 5 <xxxxxxxxxxxxxxxx>
username CRWS_Srini privilege 15 password 7 <xxxxxxxxxxxxxxxx>
username CRWS_dheeraj privilege 15 password 7 <xxxxxxxxxxxxxxxx>
!
!
!
!
!
! LAN side
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip mtu 1492
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
! WAN side (PPPoE): inbound filter ACL 111, CBAC inspection outbound
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxx password 7 <xxxxxxxxxxxxxxxx>
!
! PAT for the LAN, plus static port forwards for Remote Desktop
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.40 3389 xxx.xxx.xxx.xxx 4040 extendable
ip nat inside source static tcp 192.168.0.50 3389 xxx.xxx.xxx.xxx 5050 extendable
ip nat inside source static udp 192.168.0.40 3389 xxx.xxx.xxx.xxx 4040 extendable
ip nat inside source static udp 192.168.0.50 3389 xxx.xxx.xxx.xxx 5050 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
! ACLs 1/23/60 define the LAN; ACL 111 is the inbound WAN filter
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 60 permit 192.168.0.0 0.0.0.255
access-list 111 permit tcp any any eq 3389
access-list 111 permit udp any any eq 3389
access-list 111 permit tcp any any eq www
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
!
snmp-server community xxxxxxxx RO
snmp-server community xxxxxxxx RW 60
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 logging synchronous
 login local
 length 0
!
scheduler max-task-time 5000
end

 
Code:
ip inspect name myfw smtp timeout 3600
This is your problem. Remove it and you should be good.

As for recommendations, IMHO, your ACL 111 is way too broad. Limit it to only the services/ports that you truly need open.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I think he needs to only remove the timeout part---it still needs to be inspected---it's being allowed via the acl...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
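Applying the first reply's advice (drop the smtp inspect entry, narrow ACL 111) to the posted config, as an added example that is not part of any post in the thread. It assumes that the public-side ports 4040 and 5050 from the static NAT entries are the only inbound services wanted, and it uses ACL number 112 as a scratch name for the replacement list.

```cisco
! Added example, not from any post in the thread: the parts of the posted
! config that change when the first reply's advice is applied.
!
! 1. Drop application-layer SMTP inspection. The generic tcp entry still
!    tracks the outbound mail session and opens the return path; the smtp
!    entry only accepts the classic SMTP verbs and rewrites ESMTP ones such
!    as AUTH, which Outlook then reports as an authentication failure.
no ip inspect name myfw smtp
!
! 2. Replace ACL 111 (inbound on Dialer1) with one limited to what the
!    config actually exposes. The inbound ACL is evaluated before NAT, so
!    it must match the public-side ports 4040/5050, not 3389. The www,
!    139/netbios, GRE/1723, ESP/ISAKMP/10000 and bootp permits have no NAT
!    entry or VPN configuration behind them, so they only expose the router.
!    Build the new list under a fresh number (112, chosen here) and swap it
!    on the interface: an access-group pointing at an empty ACL permits all.
access-list 112 remark Remote Desktop via the static NAT entries
access-list 112 permit tcp any any eq 4040
access-list 112 permit tcp any any eq 5050
access-list 112 remark ICMP for path MTU and diagnostics; inbound echo left out on purpose
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any unreachable
access-list 112 permit icmp any any administratively-prohibited
access-list 112 remark DNS replies to the router's own lookups, not covered by CBAC
access-list 112 permit udp any eq domain any
access-list 112 deny ip any any log
interface Dialer1
 ip access-group 112 in
!
no access-list 111
!
! 3. The www permit was also the only thing letting the WAN reach the
!    embedded web server; bind it to the LAN-only ACL the vty lines use.
ip http access-class 23
```

On IOS images that list esmtp under `ip inspect name myfw ?`, that entry understands the extended commands and can stand in for smtp; the 12.3(15) mainline image in the post is assumed not to offer it, which is why the example simply removes the entry.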
 