Solved

Cisco ASA-5505 - IMAP4 forwarding to email server

Posted on 2009-07-03
Medium Priority
628 Views
Last Modified: 2012-05-07
Hi, I'm trying to have my BlackBerry get the emails from our mail server (not public) through our Cisco 5505 and cannot find any issue..
Here's a part of the config:
ASA Version 7.2(4)
!
hostname GeodisWilson02
domain-name geodiswilson.com
enable password F4M969RI8REUCzj4 encrypted
passwd F4M969RI8REUCzj4 encrypted
names
name 194.78.X.X Outsideip
name 10.229.X.X insideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address insideip 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outsideip 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name geodiswilson.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Wijnegem
 network-object 10.229.X.0 255.255.255.0
object-group network Brucargo
 network-object 192.168.X.0 255.255.255.0
object-group network Deurne
 network-object 192.168.X.0 255.255.255.0
object-group network Amsterdam
 network-object 10.229.X.0 255.255.255.0
 network-object 10.15.X.0 255.255.255.0
object-group network WijnegemClients
 network-object 10.229.X.0 255.255.255.0
object-group network HQ
 network-object 10.229.9.0 255.255.255.0
 network-object 10.229.4.0 255.255.255.0
access-list nonat extended permit ip object-group Wijnegem object-group WijnegemClients
access-list nonat extended permit ip object-group Amsterdam object-group WijnegemClients
access-list nonat extended permit ip object-group Brucargo object-group WijnegemClients
access-list nonat extended permit ip object-group Deurne object-group WijnegemClients
access-list nonat extended permit ip object-group HQ object-group WijnegemClients
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 192.168.X.X 255.255.255.0
access-list splittunnel standard permit 192.168.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.15.X.X 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp
access-list outside_access_in extended deny ip any any log
access-list lan_to_VPNClients extended permit ip any object-group WijnegemClients
access-list lan_to_outside extended permit ip any any
access-list lan_to_outside extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging console debugging
logging asdm informational
logging mail debugging
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.229.X.0 255.255.255.0
access-group lan_to_outside in interface inside
access-group outside_access_in in interface outside
route inside 192.168.X.X 255.255.255.0 10.229.X.1 1
route inside 192.168.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.15.X.X 255.255.255.0 10.229.X.1 1
route outside 0.0.0.0 0.0.0.0 Outsideip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:45:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.229.X.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNClientsTS esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address lan_to_VPNClients
crypto dynamic-map outside_dyn_map 20 set transform-set VPNClientsTS
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
crypto isakmp reload-wait
telnet 10.229.X.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 20
console timeout 60
management-access inside
Comment
Question by:eddy_gequiere
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24773506
Is your BlackBerry on a BIS, BES, or BWC? Or are you using a 3rd-party app for email on the device? If so, what package?



 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24773774
Hi,

Did you try SSL VPN or WebVPN? WebVPN is very useful; you are able to reach your company without any VPN client!

Try it!

Please refer to this page:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html

Best Regards,
Istvan
 

Author Comment

by:eddy_gequiere
ID: 24792377
The BlackBerry is BIS with Proximus.
 
LVL 33

Expert Comment

by:MikeKane
ID: 24815564
Your mail server is on the inside at 10.229.A.A.

In order for traffic to get to this host, you need 3 things:
1) a static mapping or port forward from outside to inside
2) an access list for the outside IP that will forward inside
3) apply the ACL to the interface.


Right now you have
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp

This is incorrect.    



Step 1, create the port forwards:
static (inside,outside) tcp interface 25 10.229.A.A 25 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.229.A.A 993 netmask 255.255.255.255


Step 2, create the ACL
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 993

Step 3, Add ACL to interface
access-group outside_access_in in interface outside  


With that, you now have a mapping to the internal box port 25 and imap to the interface's IP.  

You then need to create a DNS entry and MX record for the mail server, or address it by IP.  


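The three steps above, turned into a quick consistency check. This is an added example for this thread, not code from the original posts or from Cisco: a small Python linter that parses the static (inside,outside) tcp lines and the access-list lines of an ASA 7.x config and reports (1) ACEs that match the client's source port, as in the question's "permit tcp any eq imap4 host ... eq imap4", which real clients never hit because their source port is ephemeral; (2) statics with no matching permit; (3) permits that sit after "deny ip any any log", which is what happens when the new lines are pasted at the CLI, since the ASA appends ACEs to the end of the ACL and evaluates them top-down (the question's ACL already ends in that deny, so the new permits need to be inserted with "access-list NAME line N ..." or the deny removed and re-added last); and (4) cleartext services such as imap4/143 exposed where 993/IMAPS should be. The two config fragments inside are constructed for this example; 10.229.A.A is the thread's own placeholder and is left as-is.

```python
"""Lint ASA 7.x static port forwards against the ACL bound to the outside interface.

Added example for this thread (not from the original posts or from Cisco).
Understands the interface-PAT form used in the accepted answer:
  static (inside,outside) tcp interface <mport> <real_ip> <rport> netmask ...
  access-list <name> extended permit tcp any interface outside eq <port>
"""
import re

# ASA service names that occur in the thread's config, mapped to port numbers.
PORT_NAMES = {"smtp": 25, "imap4": 143, "imaps": 993, "https": 443, "ssh": 22, "www": 80}

# Services that carry credentials in cleartext; expose the TLS variant instead.
CLEARTEXT = {143: "imap4 (use 993/IMAPS)", 110: "pop3 (use 995/POP3S)", 23: "telnet"}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*)$")
BIND_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)$")
# "any interface outside eq 993": destination is the interface's own IP and port.
DST_IFACE_RE = re.compile(r"^any interface (?P<ifc>\S+) eq (?P<port>\S+)$")
# "any eq imap4 host 10.229.A.A eq imap4": matches the client's SOURCE port (the question's bug).
SRC_PORT_RE = re.compile(r"^any eq \S+ host ")


def port_number(token):
    """Resolve an ASA port token (service name or number) to an int, or None."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    return int(token) if token.isdigit() else None


def parse(config_text):
    """Split a config fragment into statics, ACLs (ACEs kept in order) and interface bindings."""
    statics, acls, bindings = [], {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            s = m.groupdict()
            s["mapped_port"] = port_number(s["mapped_port"])
            s["real_port"] = port_number(s["real_port"])
            statics.append(s)
        elif m := ACE_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := BIND_RE.match(line):
            bindings[m["ifc"]] = m["name"]
    return statics, acls, bindings


def permitted_port(ace, outside):
    """Destination port an ACE opens on the outside interface IP, else None."""
    if ace["action"] != "permit" or ace["proto"] != "tcp":
        return None
    m = DST_IFACE_RE.match(ace["rest"])
    return port_number(m["port"]) if m and m["ifc"] == outside else None


def lint(config_text, outside="outside"):
    """Return a list of findings; an empty list means the forwards are consistent."""
    findings = []
    statics, acls, bindings = parse(config_text)
    acl_name = bindings.get(outside)
    if acl_name is None:
        return [f"no access-group bound inbound on {outside}"]
    aces = acls.get(acl_name, [])
    # Position of the first catch-all deny; ACEs after it can never match (first match wins).
    first_deny = next((i for i, a in enumerate(aces)
                       if a["action"] == "deny" and a["proto"] == "ip"
                       and a["rest"].startswith("any any")), len(aces))
    for i, a in enumerate(aces):
        if a["action"] == "permit" and SRC_PORT_RE.match(a["rest"]):
            findings.append(f"{acl_name}[{i}] matches the client's source port, never hits: {a['rest']}")
    forwards = [s for s in statics if s["mapped_if"] == outside]
    if not forwards:
        findings.append(f"no static (inside,{outside}) tcp mapping: nothing is forwarded")
    for s in forwards:
        label = f"{outside}:{s['mapped_port']} -> {s['real_ip']}:{s['real_port']}"
        hits = [i for i, a in enumerate(aces) if permitted_port(a, outside) == s["mapped_port"]]
        if not hits:
            findings.append(f"static {label} has no permit in {acl_name}")
        elif hits[0] > first_deny:
            findings.append(f"static {label}: permit at {acl_name}[{hits[0]}] is shadowed by "
                            f"'deny ip any any' at [{first_deny}]")
        if s["mapped_port"] in CLEARTEXT:
            findings.append(f"static {label} exposes cleartext {CLEARTEXT[s['mapped_port']]}")
    return findings


# Constructed for this example: the outside ACL as posted in the question (no static at all).
ORIGINAL = """
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
"""

# Constructed for this example: the accepted answer's forwards, permits kept ahead of the deny.
FIXED = """
static (inside,outside) tcp interface 25 10.229.A.A 25 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.229.A.A 993 netmask 255.255.255.255
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 993
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: {lint(cfg) or 'OK'}")
```

Run it as-is to lint both fragments, or feed lint() a "show running-config" capture from the box. It only knows the interface-PAT form from the answer; a static to a dedicated public address would need the mapped IP matched instead of the "interface" keyword.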
 
LVL 33

Accepted Solution

by: MikeKane earned 1500 total points
ID: 26382653
I'm checking back on older issues.   Did all your questions get answered?
 

Author Closing Comment

by:eddy_gequiere
ID: 31599612
Solution works