
Permit SMTP on Cisco SDM 1

Status
Not open for further replies.
Jun 5, 2005
Hi All,

I configured a 2600XM as a firewall router using the SDM GUI. I would like to know how can I permit our new email server to send and receive emails, by allowing SMTP traffic using the SDM GUI tool.

Thanks in advance!
 
Hello
If I remember correctly it should be under the NAT tab.
Regards
 
Minue,

Thanks for your reply. Below is the current running config of the router. If what I'm looking to do can be done via the CLI, please help me with the command(s) that should be added.

FWRTR#sh run
Building configuration...

Current configuration : 9502 bytes
!
! Last configuration change at 13:41:47 NewYork Thu Mar 12 2009 by jrosario
! NVRAM config last updated at 10:07:50 NewYork Thu Feb 26 2009 by jrosario
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FWRTR
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
no logging console
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name ccnp.com
ip name-server A.B.C.D
ip name-server A.B.C.D
!
!
!
crypto pki trustpoint TP-self-signed-3044777103
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3044777103
revocation-check none
rsakeypair TP-self-signed-3044777103
!
!
crypto pki certificate chain TP-self-signed-3044777103
certificate self-signed 01
quit
username netadmin password 7
username jrosario privilege 15 password 7

!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group CCNP-VPN
key !C54B0203!
dns 10.5.1.101 A.B.C.D
domain ccnp.com
pool SDM_POOL_1
netmask 255.255.255.224
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 2700
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address A.B.C.D 255.255.255.224
ip access-group 101 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
keepalive 7
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1/0
description $ETH-LAN$$FW_INSIDE$
ip address 172.23.1.1 255.255.255.224
ip access-group 100 in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
keepalive 3
!
ip local pool SDM_POOL_1 172.23.1.10 172.23.1.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 A.B.C.D
ip route 10.5.1.0 255.255.255.0 172.23.1.2
ip route 192.168.10.0 255.255.255.224 172.23.1.2
ip route 192.168.20.0 255.255.255.224 172.23.1.2
ip route 192.168.30.0 255.255.255.224 172.23.1.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.23.1.0 0.0.0.31
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.31
access-list 1 permit 192.168.20.0 0.0.0.31
access-list 1 permit 192.168.30.0 0.0.0.31
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip A.B.C.D 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 172.23.1.10 any
access-list 101 permit ip host 172.23.1.11 any
access-list 101 permit ip host 172.23.1.12 any
access-list 101 permit ip host 172.23.1.13 any
access-list 101 permit ip host 172.23.1.14 any
access-list 101 permit ip host 172.23.1.15 any
access-list 101 permit ip host 172.23.1.16 any
access-list 101 permit ip host 172.23.1.17 any
access-list 101 permit ip host 172.23.1.18 any
access-list 101 permit ip host 172.23.1.19 any
access-list 101 permit ip host 172.23.1.20 any
access-list 101 permit udp any host A.B.C.D eq non500-isakmp
access-list 101 permit udp any host A.B.C.D eq isakmp
access-list 101 permit esp any host A.B.C.D
access-list 101 permit ahp any host A.B.C.D
access-list 101 permit udp host A.B.C.D eq domain host A.B.C.D
access-list 101 permit udp host A.B.C.D eq domain host A.B.C.D
access-list 101 deny ip 172.23.1.0 0.0.0.31 any
access-list 101 permit icmp any host A.B.C.D echo-reply
access-list 101 permit icmp any host A.B.C.D time-exceeded
access-list 101 permit icmp any host A.B.C.D unreachable
access-list 101 permit tcp any host A.B.C.D eq 443
access-list 101 permit tcp any host A.B.C.D eq 22
access-list 101 permit tcp any host A.B.C.D eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 172.23.1.10
access-list 102 deny ip any host 172.23.1.11
access-list 102 deny ip any host 172.23.1.12
access-list 102 deny ip any host 172.23.1.13
access-list 102 deny ip any host 172.23.1.14
access-list 102 deny ip any host 172.23.1.15
access-list 102 deny ip any host 172.23.1.16
access-list 102 deny ip any host 172.23.1.17
access-list 102 deny ip any host 172.23.1.18
access-list 102 deny ip any host 172.23.1.19
access-list 102 deny ip any host 172.23.1.20
access-list 102 permit ip 192.168.30.0 0.0.0.31 any
access-list 102 permit ip 192.168.20.0 0.0.0.31 any
access-list 102 permit ip 192.168.10.0 0.0.0.31 any
access-list 102 permit ip 10.5.1.0 0.0.0.255 any
access-list 102 permit ip 172.23.1.0 0.0.0.31 any
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
control-plane
!
!
!
banner login ^C
**************************** WARNING ********************************

Access to this device is restricted to authorized persons only!
Un-authorized access is prohibited. Violators will be prosecuted.

You have accessed a system managed by Some Business Networking Pros., LLC.
You are required to have authorization from Some Business Networking Pros., LLC
before you proceed and you are strictly limited to the use set out within that
authorization. Unauthorized access to or misuse of this system or the data
contained on this system is strictly prohibited and may constitute an offence
under the relevant legislation.

If you disclose any information obtained through this system without authority,
Some Business Networking Pros., LLC will take appropriate action against you.
This may include legal proceedings, prosecution and disciplinary action up to
and including dismissal.

*********************************************************************^C
!
line con 0
exec-timeout 60 0
logging synchronous
history size 100
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
history size 100
transport input telnet ssh
!
!
end

Thanks!
 
Hello
At this point in your config, with the IOS firewall enabled, it would be better to do it with the SDM, because you will have to open holes in the access-list to let the SMTP traffic in, and SDM will provision this for you automatically.
Regards
 
Ok, understood. So I should do this under the NAT section, not the Firewall and ACL section? The direction should be from outside to inside, correct?

Thanks!
 
Minue,

I was playing around over the weekend trying to get this to work and had no luck. Should I just add the below via the CLI?

SMTP:
ip nat inside source static tcp 10.5.1.25 25 A.B.C.D 25 extendable

Outlook Web Access:
ip nat inside source static tcp 10.5.1.25 80 A.B.C.D 80 extendable

Do I need an ACL to allow this traffic to flow in and out?

Thanks for help!!
 
Someone please help me as I need to get this up and running successfully by the end of the week. The sooner the better.

Thanks in advance!!
 
Hello
That line plus the below should get things running.
access-list 101 permit tcp any host A.B.C.D eq 25

Regards
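
An added example (not from the thread or from Cisco): a small Python model of IOS first-match ACL evaluation, showing that the suggested permit only works if it sits above the existing `deny ip any any log`, since `access-list 101 permit ...` typed at the CLI appends to the end of a numbered ACL. The public address and client addresses are constructed documentation-range stand-ins for the thread's A.B.C.D.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholder public address A.B.C.D
# and for an Internet-side mail client; both are documentation-range addresses.
PUBLIC = "203.0.113.10"
CLIENT = "198.51.100.7"

# Condensed replica of ACL 101 from the posted config: (action, proto, src, dst, dport).
# IOS walks a numbered ACL top-down and stops at the first matching entry.
ACL_101 = [
    ("permit", "udp", "any", f"host {PUBLIC}", 500),
    ("permit", "tcp", "any", f"host {PUBLIC}", 443),
    ("permit", "tcp", "any", f"host {PUBLIC}", 22),
    ("deny",   "ip",  "10.0.0.0 0.255.255.255", "any", None),   # anti-spoofing deny
    ("deny",   "ip",  "any", "any", None),                      # deny ip any any log
]
# The line suggested in the thread. The destination is the public address because the
# inbound ACL on the outside interface is checked before NAT rewrites it to 10.5.1.25.
SMTP_PERMIT = ("permit", "tcp", "any", f"host {PUBLIC}", 25)

def addr_matches(spec, ip):
    """Match an IOS address spec: 'any', 'host X', or 'X <wildcard>' (set bits = don't care)."""
    if spec == "any":
        return True
    kind, rest = spec.split(maxsplit=1)
    if kind == "host":
        return ip == rest
    net, wildcard = (int(ipaddress.IPv4Address(a)) for a in (kind, rest))
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl, proto, src, dst, dport):
    """Return (entry index, action) of the first match; (None, 'deny') is the implicit deny."""
    for i, (action, p, s, d, port) in enumerate(acl):
        if p not in ("ip", proto) or (port is not None and port != dport):
            continue
        if addr_matches(s, src) and addr_matches(d, dst):
            return i, action
    return None, "deny"

def appended():
    """Typing 'access-list 101 permit ...' at the CLI appends the entry after the final deny."""
    return evaluate(ACL_101 + [SMTP_PERMIT], "tcp", CLIENT, PUBLIC, 25)

def placed_before_final_deny(src=CLIENT):
    """Permit placed just above 'deny ip any any', keeping the anti-spoofing denies ahead of it."""
    acl = ACL_101[:-1] + [SMTP_PERMIT] + ACL_101[-1:]
    return evaluate(acl, "tcp", src, PUBLIC, 25)

if __name__ == "__main__":
    print("appended:", appended())                                       # (4, 'deny')
    print("before final deny:", placed_before_final_deny())              # (4, 'permit')
    print("spoofed 10.x source:", placed_before_final_deny("10.9.8.7"))  # (3, 'deny')
```

On IOS 12.3 and later the entry can be positioned with a sequence number under `ip access-list extended 101`; otherwise the list has to be removed and re-entered in the right order.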
 
Minue,

I was able to get it to work!! Thank you very much for your help!!
 