Help with cisco 1700 configuration

newone88

Hi,
I want to add IMAP and HTTP access to an internal server.
The current config allows mail traffic to the server

access-list 131 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 131 permit tcp any host xxx.xxx.xxx.xxx eq pop3

What will I need to do to add HTTP and IMAP access to that IP address? I want to know the exact commands that would allow me to add these services and save them to the config file.

Thanks
 
I'm assuming you mean standard IMAP4 and not secure (over SSL) IMAP. If so, you need something like the following:

access-list 131 permit tcp any host xxx.xxx.xxx.xxx eq www
access-list 131 permit tcp any host xxx.xxx.xxx.xxx eq 143

 
Thanks. Yes, standard IMAP.
So from the command line (enable)
what do I need to actually write to be able to add these lines to the current config and save it?
Thanks
 
Ah ok. Step by Step commands below (with prompts for easier identification of what mode you need to be in):

router#
router#conf t
router(config)#
router(config)#access-list 131 permit tcp any host xxx.xxx.xxx.xxx eq www
router(config)#access-list 131 permit tcp any host xxx.xxx.xxx.xxx eq 143
 
Thanks. So do I need to save this or not?
If I need to save it what is the command?

Thanks again.
 
Ack forgot that bit.

To save, just type 'write mem' at the enable (#) prompt.
 
Thanks again.
One more thing. How can I route the external address (xxx.xxx.xxx.xxx) for HTTP and IMAP to the internal server which is at address 192.168.1.4?

There is SMTP and POP access to this server from the outside but not sure how it is routed internally.


 
If the server is to be accessed from the Internet, you'll need NAT to be configured. If this is the case, let me know and I can assist if necessary.

In terms of routing to the server on 192.168.1.4, this will happen automatically if the router in question already has an interface in the 192.168.4.x network (i.e. it is the router that is the default gateway for 192.168.1.4).

If it isn't the default gateway, the router itself will need to route traffic for 192.168.1.4 to another router. You basically repeat this until all the routing is in place up to and including the router that is the default gateway for 192.168.1.4

I'm not sure if I've made that particularly clear but drop me a question if still unclear.

 
Thanks again KiscoKid. Below is the config file. I removed a few lines so no sensitive data gets out there.

The router has xxx.xxx.xxx.xyy external IP address and 192.168.1.254 internal address

All traffic from the internal network has this external IP address xxx.xxx.xxx.xxy

The mail server is 192.168.1.4 and the domain server is 192.168.1.1

Thanks again, I really appreciate it.




Using 6849 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered 64000 debugging
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa authorization network vpn_users group radius
aaa session-id common
enable secret 5 $1$27gS$vfewSkuw6eOeBF0
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw smtp
ip inspect name fw realaudio
ip inspect name fw rtsp
ip inspect name fw streamworks
ip audit notify log
ip audit po max-events 100
ip cef
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 30

!
crypto isakmp client configuration group 3000client
key PKICLIENT
dns 192.168.1.4
wins 192.168.1.1
pool ourpool
acl 104
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trans1
!
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
ip address 172.16.0.1 255.255.255.0
ip nat outside
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
no fair-queue
!
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip route-cache policy
ip tcp adjust-mss 1300
ip policy route-map static
speed auto
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 131 in
ip nat outside
ip inspect fw out
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxxxxxxxxxx
crypto map intmap
!
ip local policy route-map static
ip local pool ourpool 10.2.1.1 10.2.1.254
ip nat pool internalP 10.0.0.1 10.0.0.254 prefix-length 24
ip nat inside source route-map internal pool internalP overload
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.1.4 5900 interface Dialer1 5900
ip nat inside source static udp 192.168.1.4 5900 interface Dialer1 5900
ip nat inside source static 192.168.1.1 xxx.xxx.xxx.xxy extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 host xxx.xxx.xxx.xxy
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip 192.168.1.0 0.0.0.255 host xxx.xxx.xxx.xxy
access-list 113 permit ip 192.168.1.0 0.0.0.255 host xxx.xxx.xxx.xxy
access-list 113 permit ip host 192.168.1.1 10.0.0.0 0.0.0.255
access-list 131 permit esp any host xxx.xxx.xxx.xyy
access-list 131 permit udp any host xxx.xxx.xxx.xyy eq isakmp
access-list 131 permit udp any host xxx.xxx.xxx.xyy eq 4500
access-list 131 permit ip 10.2.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq smtp
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq pop3
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq www
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq 143
access-list 131 permit tcp any host xxx.xxx.xxx.xyy eq telnet
access-list 131 permit tcp any host 192.168.1.4 eq 5900
access-list 131 permit tcp any host 192.168.1.4 eq 5901
access-list 131 permit udp any host 192.168.1.4 eq 5900
access-list 131 permit udp any host 192.168.1.4 eq 5901
access-list 131 permit tcp any host xxx.xxx.xxx.xyy eq 5900
access-list 131 permit tcp any host xxx.xxx.xxx.xyy eq 5901
access-list 131 permit udp any host xxx.xxx.xxx.xyy eq 5900
access-list 131 permit udp any host xxx.xxx.xxx.xyy eq 5901
access-list 131 deny ip 10.0.0.0 0.255.255.255 any
access-list 131 deny ip 172.16.0.0 0.15.255.255 any
access-list 131 deny ip 192.168.0.0 0.0.255.255 any
access-list 131 deny ip 127.0.0.0 0.255.255.255 any
access-list 131 deny ip 224.0.0.0 31.255.255.255 any
access-list 131 deny ip 255.0.0.0 0.255.255.255 any
access-list 131 deny ip host 0.0.0.0 any
access-list 131 deny ip any any log
!
route-map server permit 10
match ip address 113
set ip next-hop 172.16.0.2
!
route-map internal permit 10
match ip address 112
!
route-map static permit 1
match ip address 102
set ip next-hop 1.1.1.2
!
route-map internet permit 10
match ip address 111
!
route-map nonat permit 10
match ip address 101
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 4000 1000
end

 
I still can't access the server via IMAP or HTTP. Any idea what I should do?
Thanks
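
Added example (not part of the thread and not any poster's code): a small Python check that follows each inbound permit in access-list 131 through the static NAT lines visible in the posted config, to show which inside host a permitted port is actually delivered to. It assumes Dialer1 holds the external address xxx.xxx.xxx.xyy, as the post states, and it only sees the lines the poster left in; the function names are hypothetical.

```python
import re

PORTS = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23}  # IOS port keywords

# Constructed sample: lines copied from the posted config, redactions kept as-is.
CONFIG = """\
interface Dialer1
 ip access-group 131 in
 ip nat outside
ip nat inside source static tcp 192.168.1.4 5900 interface Dialer1 5900
ip nat inside source static 192.168.1.1 xxx.xxx.xxx.xxy extendable
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq smtp
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq www
access-list 131 permit tcp any host xxx.xxx.xxx.xxy eq 143
access-list 131 permit tcp any host 192.168.1.4 eq 5900
access-list 131 permit tcp any host xxx.xxx.xxx.xyy eq 5900
"""

def trace(config, acl, iface_addr):
    """Map each (proto, dest, port) permitted by `acl` to the inside host
    that static NAT delivers it to, or None when no static entry matches."""
    port_nat, host_nat, permits = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"ip nat inside source static (tcp|udp) (\S+) \d+ "
                     r"(?:interface )?(\S+) (\d+)", line)
        if m:  # port forward: the global side may be named by interface
            proto, local, glob, gport = m.groups()
            port_nat[(proto, iface_addr.get(glob, glob), int(gport))] = local
            continue
        m = re.match(r"ip nat inside source static (\S+) (\S+)", line)
        if m:  # one-to-one host translation: inside local, inside global
            host_nat[m.group(2)] = m.group(1)
            continue
        m = re.match(rf"access-list {acl} permit (tcp|udp) any host (\S+) eq (\S+)", line)
        if m:
            proto, dest, port = m.groups()
            permits.append((proto, dest, PORTS.get(port) or int(port)))
    # An inbound ACL on the outside interface is checked before NAT, so the
    # destination it sees is the public (inside global) address.
    return {p: port_nat.get(p) or host_nat.get(p[1]) for p in permits}

def misdirected(config, acl, iface_addr, server, ports):
    """Permits on `ports` whose static translation does not end at `server`."""
    return [(dest, port, inside)
            for (_, dest, port), inside in trace(config, acl, iface_addr).items()
            if port in ports and inside != server]

if __name__ == "__main__":
    # Assumption from the post: Dialer1 holds the external address ...xyy.
    for row in misdirected(CONFIG, 131, {"Dialer1": "xxx.xxx.xxx.xyy"},
                           "192.168.1.4", {80, 143}):
        print(row)
```

On the visible lines, the www and 143 permits for xxx.xxx.xxx.xxy translate to 192.168.1.1 rather than 192.168.1.4, and the permits written against 192.168.1.4 itself match no static translation.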
 