firewall blocking users from connecting to email server from outside the network

Unknown

Ok I need to pick some ppls brains. I set up a cisco 2811 to replace a netgear router at the office. With ccp I added a firewall on the router using the basic firewall wizard. Just about everything works internet, receiving and sending emails on exchange from the pc. Issue I'm having noone can access the company email on their phone.

Also theres a camera system that would be accessible to view from the live feed from outside the office and my boss can't access the camera. I port mapped all the custom applications and added new traffic rule from self -> outzone. It didn't work tried to add one from outzone -> self or inzone but i get a prompt stating it only accepts protocols tcp,udp, sip, h323, icmp and a few other I can't think of. I'm pulling out my hair trying to get this to work everything worked seamlessly on the netgear router and nothing was really defined just the inbound ip address of the applications and protocols that are allowed.

Lets say for reference purposes my ip addresses for internet is

internet
55.34.23.43 /24

email server
192.168.10.252 /24

web cam application
192.168.10.10 /24
8000 in
8001 out

Any help would be GREATLY appreciated.

Claymoore

I assume that 'accessing company email on their phone' means using ActiveSync and Exchange. You need to make sure that 80 and 443 are allowed through the firewall from the internet to the Exchange server, and that the NAT rule points the external IP to the correct internal IP. The Exchange Remote Connectivity Analyzer is a great tool to test this:
https://www.testexchangeconnectivity.com/

I'm going to guess that the camera application also uses 80 or 443 for connectivity, so allow those ports and NAT that address as well.

Legacy User

Yea its activesync wasn't sure if it was the right name or not as I'm not the one responsible for the servers. The server guy doesn't know squat about cisco firewalls. The camera system is on 3 ports that I defined ports ex port 2000,2001, 2500.

NotHackingYou

Did you set up the NAT properly?

Legacy User

I originally set it with 3 access list for the 3 subnets and

ip nat inside source list 1 fa0/0 overload
inside on all inside interfaces and outside for the internet interface

Ah static mapping it I wouldn't have thought to do that. I looked on the cisco website and my config will look something like this :

Or can the same result be acheived by creating static access-list

ip nat inside source list 7 interface FastEthernet0/0 overload



ip nat inside source static tcp 10.10.10.250 25 75.50.24.54 25 extendable -->for email

ip nat inside source static tcp 10.10.10.250 9000 75.50.24.54 9000 extendable -->ports for cam
ip nat inside source static tcp 10.10.10.250 9001 75.50.24.54 9001 extendable .-->ports for cam
ip nat inside source static tcp 10.10.10.5 18004 75.50.24.54 18004 extendable -->ports for cam
!
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 192.168.2.0 0.0.0.255
access-list 7 permit 192.168.1.0 0.0.0.255


interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex half
speed 100
!
interface FastEthernet0/1
ip address 75.50.24.54 255.255.255.0
ip nat outside

Should I add pop3 and imap also? Or smtp does the trick?

Claymoore

Sounds like your server guy doesn't know squat about Exchange if he can't tell you the ports he needs. You need 25 for SMTP to receive mail from the internet, 80 and 443 for client access - ActiveSync, OWA, Outlook Anywhere, Autodiscover, Exchange Web Services.
Exchange Network Port Reference: Exchange 2010 Help

You need to open POP3 and IMAP ports if you have devices or clients that use them, so only you can answer that question.

jamesp1983

Claymoore wrote: »

You need to make sure that 80 and 443 are allowed through the firewall from the internet to the Exchange server, and that the NAT rule points the external IP to the correct internal IP. The Exchange Remote Connectivity Analyzer is a great tool to test this:
https://www.testexchangeconnectivity.com/

That is an extremely useful tool.

Legacy User

It didn't work I did a sh nat translation and the static ip/ports aren't getting any hits. I tried to send an email from my exchange acct on my phone to my gmail and keep getting a cannot connect failed. The exchange site you provided kept getting a failed result. It resolved the hostname but cannot open port 443.

CORErouter#sh ip nat translations
Pro Inside global Inside local Outside local Outside global


tcp x.x.x.54:25 192.168.2.250:25 --- ---
tcp x.x.x.54:80 192.168.2.250:80 --- ---
tcp x.x.x.54:443 192.168.2.250:443 66.87.117.181:1377 66.87.117.181:1377
tcp x.x.x.54:443 192.168.2.250:443 66.87.117.181:3666 66.87.117.181:3666
tcp x.x.x.54:443 192.168.2.250:443 --- ---

Legacy User

Figured it out had to define a new policy from outzone->inzone and source any to destination (my exchange server ip add)

phoeneous

dmarcisco wrote: »

Figured it out had to define a new policy from outzone->inzone and source any to destination (my exchange server ip add)

So you setup zbf, not the basic cbac firewall?

Legacy User

Correct