eddy_gequiere (Belgium) asked:
Cisco ASA-5505 - IMAP4 forwarding to email server

Hi, I'm trying to have my BlackBerry get the emails from our mail server (not public) through our Cisco 5505 and cannot find any issue...
Here's a part of the config:
ASA Version 7.2(4)
!
hostname GeodisWilson02
domain-name geodiswilson.com
enable password F4M969RI8REUCzj4 encrypted
passwd F4M969RI8REUCzj4 encrypted
names
name 194.78.X.X Outsideip
name 10.229.X.X insideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address insideip 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outsideip 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name geodiswilson.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Wijnegem
 network-object 10.229.X.0 255.255.255.0
object-group network Brucargo
 network-object 192.168.X.0 255.255.255.0
object-group network Deurne
 network-object 192.168.X.0 255.255.255.0
object-group network Amsterdam
 network-object 10.229.X.0 255.255.255.0
 network-object 10.15.X.0 255.255.255.0
object-group network WijnegemClients
 network-object 10.229.X.0 255.255.255.0
object-group network HQ
 network-object 10.229.9.0 255.255.255.0
 network-object 10.229.4.0 255.255.255.0
access-list nonat extended permit ip object-group Wijnegem object-group WijnegemClients
access-list nonat extended permit ip object-group Amsterdam object-group WijnegemClients
access-list nonat extended permit ip object-group Brucargo object-group WijnegemClients
access-list nonat extended permit ip object-group Deurne object-group WijnegemClients
access-list nonat extended permit ip object-group HQ object-group WijnegemClients
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 192.168.X.X 255.255.255.0
access-list splittunnel standard permit 192.168.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.15.X.X 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp
access-list outside_access_in extended deny ip any any log
access-list lan_to_VPNClients extended permit ip any object-group WijnegemClients
access-list lan_to_outside extended permit ip any any
access-list lan_to_outside extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging console debugging
logging asdm informational
logging mail debugging
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.229.X.0 255.255.255.0
access-group lan_to_outside in interface inside
access-group outside_access_in in interface outside
route inside 192.168.X.X 255.255.255.0 10.229.X.1 1
route inside 192.168.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.15.X.X 255.255.255.0 10.229.X.1 1
route outside 0.0.0.0 0.0.0.0 Outsideip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:45:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.229.X.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNClientsTS esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address lan_to_VPNClients
crypto dynamic-map outside_dyn_map 20 set transform-set VPNClientsTS
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
crypto isakmp reload-wait
telnet 10.229.X.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 20
console timeout 60
management-access inside
MikeKane (United States of America):

Is your BlackBerry on a BIS, BES, or BWC? Or are you using a 3rd party app for email on the device? If so, what package?



Istvan Kalmar:

Hi,

Did you try SSL VPN or WebVPN? WebVPN is very useful; you are able to reach your company without any VPN client!

Try it!

Please refer to this page:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html

Best Regards,
Istvan
eddy_gequiere

ASKER

The BlackBerry is BIS with Proximus.
Your mail server is on the inside at 10.229.A.A

In order for traffic to get to this host, you need 3 things.
1) a static mapping or port forward from outside to inside
2) an access list for the outside IP that will forward inside
3) apply the ACL to the interface.


Right now you have
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp

This is incorrect.    



Step 1, create the port forwards:
static (inside,outside) tcp interface 25 10.229.A.A 25 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.229.A.A 993 netmask 255.255.255.255


Step 2, create the ACL
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 993

Step 3, add the ACL to the interface
access-group outside_access_in in interface outside


With that, you now have a mapping to the internal box port 25 and IMAP to the interface's IP.

You then need to create a DNS entry and MX record for the mail server, or address it by IP.  
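An added check (my own example, not code from the thread): a small Python lint over the outside_access_in lines from the question plus the two permits from step 2, flagging the two reasons an inbound permit silently fails on an ASA: matching on the client's source port (the original imap4/smtp lines) and sitting after the ACL's existing `deny ip any any log`, which is where an ACE entered without `line N` lands because the ASA appends it to the end. The sample ACL text is constructed from the config in the question.

```python
import re
from collections import namedtuple
# Constructed sample: the outside_access_in ACL from the question plus the two permits
# the answer adds. ASA appends an ACE entered without 'line N' to the END of the ACL.
SAMPLE_ACL = """
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp
access-list outside_access_in extended deny ip any any log
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 993
"""

ACE_RE = re.compile(r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+)(?P<rest>.*)$")
Ace = namedtuple("Ace", "acl line action proto src sport dst dport")

def _addr(tok, i):  # consume one address spec: any | host A | interface IFC | object-group G | NET MASK
    return ("any", i + 1) if tok[i] == "any" else (f"{tok[i]} {tok[i + 1]}", i + 2)

def _port(tok, i):  # consume an optional 'eq PORT' qualifier; None when absent
    return (tok[i + 1], i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)

def parse_acl(text):
    aces = []
    for n, raw in enumerate(text.strip().splitlines(), 1):  # n = position within the ACL
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tok = m["rest"].split()
        src, i = _addr(tok, 0)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        aces.append(Ace(m["acl"], n, m["action"], m["proto"], src, sport, dst, dport))
    return aces

def lint(aces):
    """Flag permits that can never match: source-port matches and ACEs placed after a deny-all."""
    findings, deny_all = [], {}  # acl name -> position of its first 'deny ip any any'
    for a in aces:
        if a.action == "permit" and a.sport is not None:
            findings.append(f"line {a.line}: matches on SOURCE port {a.sport}; client source ports are ephemeral, so this never matches")
        if a.acl in deny_all:
            findings.append(f"line {a.line}: shadowed by deny-all at line {deny_all[a.acl]}; re-enter with 'access-list {a.acl} line {deny_all[a.acl]} ...'")
        elif a.action == "deny" and a.proto == "ip" and a.src == a.dst == "any":
            deny_all[a.acl] = a.line
    return findings

for finding in lint(parse_acl(SAMPLE_ACL)):
    print(finding)
```

The last two findings are what step 2 runs into on this particular config: the existing deny comes first, so the new permits must be entered with `line N` ahead of it (or the deny removed and re-added last).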


ASKER CERTIFIED SOLUTION
MikeKane (United States of America)