firewall blocking users from connecting to email server from outside the network

Ok, I need to pick some people's brains. I set up a Cisco 2811 to replace a Netgear router at the office. With CCP I added a firewall on the router using the basic firewall wizard. Just about everything works: internet, receiving and sending emails on Exchange from the PC. The issue I'm having is that no one can access the company email on their phone.

Also, there's a camera system whose live feed should be viewable from outside the office, and my boss can't access the camera. I port mapped all the custom applications and added a new traffic rule from self -> outzone. It didn't work; I tried to add one from outzone -> self or inzone but I get a prompt stating it only accepts the protocols TCP, UDP, SIP, H.323, ICMP and a few others I can't think of. I'm pulling out my hair trying to get this to work; everything worked seamlessly on the Netgear router and nothing was really defined, just the inbound IP address of the applications and the protocols that are allowed.

Let's say, for reference purposes, my IP addresses are:

internet: 55.34.23.43 /24
email server: 192.168.10.252 /24
web cam application: 192.168.10.10 /24, port 8000 in, port 8001 out

Any help would be GREATLY appreciated.

Comments

  • Claymoore Member Posts: 1,637
    I assume that 'accessing company email on their phone' means using ActiveSync and Exchange. You need to make sure that 80 and 443 are allowed through the firewall from the internet to the Exchange server, and that the NAT rule points the external IP to the correct internal IP. The Exchange Remote Connectivity Analyzer is a great tool to test this:
    https://www.testexchangeconnectivity.com/

    I'm going to guess that the camera application also uses 80 or 443 for connectivity, so allow those ports and NAT that address as well.
  • Legacy User Unregistered / Not Logged In Posts: 0
    Yeah, it's ActiveSync; I wasn't sure if that was the right name or not, as I'm not the one responsible for the servers. The server guy doesn't know squat about Cisco firewalls. The camera system is on 3 ports that I defined, e.g. ports 2000, 2001, 2500.
  • NotHackingYou Member Posts: 1,460
    Did you set up the NAT properly?
    When you go the extra mile, there's no traffic.
  • Legacy User Unregistered / Not Logged In Posts: 0
    I originally set it up with 3 access lists for the 3 subnets and

    ip nat inside source list 1 fa0/0 overload
    inside on all inside interfaces and outside for the internet interface

    Ah, static mapping it; I wouldn't have thought to do that. I looked on the Cisco website and my config will look something like this:

    Or can the same result be achieved by creating a static access-list?

    ! PAT for outbound traffic from the inside subnets in list 7.
    ! The overload interface must be the one marked ip nat outside (FastEthernet0/1 below),
    ! not the inside interface, or no translations are built.
    ip nat inside source list 7 interface FastEthernet0/1 overload
    !
    ! Static port forwards (one public address, different inside hosts/ports)
    ip nat inside source static tcp 10.10.10.250 25 75.50.24.54 25 extendable
    ! for email (SMTP)
    ip nat inside source static tcp 10.10.10.250 9000 75.50.24.54 9000 extendable
    ip nat inside source static tcp 10.10.10.250 9001 75.50.24.54 9001 extendable
    ip nat inside source static tcp 10.10.10.5 18004 75.50.24.54 18004 extendable
    ! ports for cam
    !
    ! Inside subnets allowed to be translated
    access-list 7 permit 10.10.10.0 0.0.0.255
    access-list 7 permit 192.168.2.0 0.0.0.255
    access-list 7 permit 192.168.1.0 0.0.0.255
    !
    interface FastEthernet0/0
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    duplex half
    speed 100
    !
    interface FastEthernet0/1
    ip address 75.50.24.54 255.255.255.0
    ip nat outside

    Should I add pop3 and imap also? Or smtp does the trick?
  • Claymoore Member Posts: 1,637
    Sounds like your server guy doesn't know squat about Exchange if he can't tell you the ports he needs. You need 25 for SMTP to receive mail from the internet, 80 and 443 for client access - ActiveSync, OWA, Outlook Anywhere, Autodiscover, Exchange Web Services.
    Exchange Network Port Reference: Exchange 2010 Help

    You need to open POP3 and IMAP ports if you have devices or clients that use them, so only you can answer that question.
  • jamesp1983 Member Posts: 2,475
    Claymoore wrote: »
    You need to make sure that 80 and 443 are allowed through the firewall from the internet to the Exchange server, and that the NAT rule points the external IP to the correct internal IP. The Exchange Remote Connectivity Analyzer is a great tool to test this:
    https://www.testexchangeconnectivity.com/

    That is an extremely useful tool.
    "Check both the destination and return path when a route fails." "Switches create a network. Routers connect networks."
  • Legacy User Unregistered / Not Logged In Posts: 0
    It didn't work. I did a sh ip nat translations and the static IPs/ports aren't getting any hits. I tried to send an email from my Exchange account on my phone to my Gmail and keep getting a "cannot connect" failure. The Exchange site you provided kept returning a failed result: it resolved the hostname but cannot open port 443.

    CORErouter#sh ip nat translations
    Pro Inside global Inside local Outside local Outside global
    tcp x.x.x.54:25 192.168.2.250:25 --- ---
    tcp x.x.x.54:80 192.168.2.250:80 --- ---
    tcp x.x.x.54:443 192.168.2.250:443 66.87.117.181:1377 66.87.117.181:1377
    tcp x.x.x.54:443 192.168.2.250:443 66.87.117.181:3666 66.87.117.181:3666
    tcp x.x.x.54:443 192.168.2.250:443 --- ---
  • Legacy User Unregistered / Not Logged In Posts: 0
    Figured it out: I had to define a new policy from outzone->inzone with source any to destination (my Exchange server IP address).
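A Cisco IOS zone-based firewall configuration that implements the outzone->inzone policy described in the post above, written here as an added example rather than the poster's own config. It assumes the interface roles, Exchange inside address (192.168.2.250) and public address (75.50.24.54) quoted earlier in the thread, and the zone names inzone/outzone the poster uses.

```cisco
! Added example (not from the thread). Assumed: Fa0/0 inside, Fa0/1 outside,
! Exchange server 192.168.2.250 published on public address 75.50.24.54.
!
! Static NAT only for the services that must be reachable from the Internet.
! Add port 80 only if clients still need plain HTTP (e.g. OWA redirect).
ip nat inside source static tcp 192.168.2.250 25  75.50.24.54 25  extendable
ip nat inside source static tcp 192.168.2.250 443 75.50.24.54 443 extendable
!
! For outside->inside traffic NAT is applied before the zone-pair policy is
! evaluated, so the ACL matches the private (inside local) address.
ip access-list extended EXCHANGE-PUBLISHED
 permit tcp any host 192.168.2.250 eq 25
 permit tcp any host 192.168.2.250 eq 443
!
class-map type inspect match-all CM-OUT-TO-EXCHANGE
 match access-group name EXCHANGE-PUBLISHED
!
! "inspect" creates stateful sessions so replies return without a second
! policy; anything else from the Internet falls into class-default and is
! dropped and logged, which is what to look at when a port "does not open".
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-EXCHANGE
  inspect
 class class-default
  drop log
!
zone security inzone
zone security outzone
!
! The zone pair is directional: this one only governs outzone -> inzone.
zone-pair security OUT-TO-IN source outzone destination inzone
 service-policy type inspect PM-OUT-TO-IN
!
interface FastEthernet0/0
 ip nat inside
 zone-member security inzone
!
interface FastEthernet0/1
 ip nat outside
 zone-member security outzone
```

After applying it, show policy-map type inspect zone-pair OUT-TO-IN sessions lists the inspected connections, and show ip nat translations should start showing hits on the static entries once a phone connects.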
  • phoeneous Member Posts: 2,333
    dmarcisco wrote: »
    Figured it out: I had to define a new policy from outzone->inzone with source any to destination (my Exchange server IP address).

    So you set up ZBF, not the basic CBAC firewall?