Solved

Cisco ASA-5505 - IMAP4 forwarding to email server

Posted on 2009-07-03
Last Modified: 2012-05-07
Hi, I'm trying to have my BlackBerry get the emails from our mail server (not public) through our Cisco 5505 and cannot find any issue.
Here's part of the config:
ASA Version 7.2(4)
!
hostname GeodisWilson02
domain-name geodiswilson.com
enable password F4M969RI8REUCzj4 encrypted
passwd F4M969RI8REUCzj4 encrypted
names
name 194.78.X.X Outsideip
name 10.229.X.X insideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address insideip 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outsideip 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name geodiswilson.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Wijnegem
 network-object 10.229.X.0 255.255.255.0
object-group network Brucargo
 network-object 192.168.X.0 255.255.255.0
object-group network Deurne
 network-object 192.168.X.0 255.255.255.0
object-group network Amsterdam
 network-object 10.229.X.0 255.255.255.0
 network-object 10.15.X.0 255.255.255.0
object-group network WijnegemClients
 network-object 10.229.X.0 255.255.255.0
object-group network HQ
 network-object 10.229.9.0 255.255.255.0
 network-object 10.229.4.0 255.255.255.0
access-list nonat extended permit ip object-group Wijnegem object-group WijnegemClients
access-list nonat extended permit ip object-group Amsterdam object-group WijnegemClients
access-list nonat extended permit ip object-group Brucargo object-group WijnegemClients
access-list nonat extended permit ip object-group Deurne object-group WijnegemClients
access-list nonat extended permit ip object-group HQ object-group WijnegemClients
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 192.168.X.X 255.255.255.0
access-list splittunnel standard permit 192.168.X.X 255.255.255.0
access-list splittunnel standard permit 10.229.X.X 255.255.255.0
access-list splittunnel standard permit 10.15.X.X 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp
access-list outside_access_in extended deny ip any any log
access-list lan_to_VPNClients extended permit ip any object-group WijnegemClients
access-list lan_to_outside extended permit ip any any
access-list lan_to_outside extended permit tcp any any
pager lines 24
logging enable
logging timestamp
logging console debugging
logging asdm informational
logging mail debugging
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.229.X.0 255.255.255.0
access-group lan_to_outside in interface inside
access-group outside_access_in in interface outside
route inside 192.168.X.X 255.255.255.0 10.229.X.1 1
route inside 192.168.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.229.X.X 255.255.255.0 10.229.X.1 1
route inside 10.15.X.X 255.255.255.0 10.229.X.1 1
route outside 0.0.0.0 0.0.0.0 Outsideip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:45:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.229.X.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNClientsTS esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address lan_to_VPNClients
crypto dynamic-map outside_dyn_map 20 set transform-set VPNClientsTS
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
crypto isakmp reload-wait
telnet 10.229.X.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 20
console timeout 60
management-access inside
Question by:eddy_gequiere
6 Comments
Expert Comment

by:MikeKane
Is your BlackBerry on a BIS, BES, or BWC? Or are you using a 3rd party app for email on the device? If so, what package?

Expert Comment

by:Istvan Kalmar
Hi,

Did you try SSL VPN or WebVPN? WebVPN is very useful; you are able to reach your company without any VPN client!

Try it!

Please refer to this page:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/webvpn.html


Best Regards,
Istvan
Author Comment

by:eddy_gequiere
The BlackBerry is BIS with Proximus.
Expert Comment

by:MikeKane
Your mail server is on the inside at 10.229.A.A

In order for traffic to get to this host, you need 3 things.
1) a static mapping or port forward from outside to inside
2) an access list for the outside IP that will forward inside
3) apply the ACL to the interface.


Right now you have
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp

This is incorrect.    



Step 1, create the port forwards (mapped port on the interface, then the real inside host and port):
static (inside,outside) tcp interface 25 10.229.A.A 25 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.229.A.A 993 netmask 255.255.255.255


Step 2, create the ACL
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 993

Step 3, add the ACL to the interface
access-group outside_access_in in interface outside


With that, you now have a mapping of the internal box's port 25 and IMAP to the interface's IP.

You then need to create a DNS entry and MX record for the mail server, or address it by IP.  


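As an added example (not code from the thread or from Cisco): a small Python checker that applies the rules MikeKane lists above to pre-8.3 ASA config text, flagging inbound ACL lines that restrict the client's source port, point at a real inside address no static publishes, or belong to an ACL not applied to the outside interface. The two config samples are constructed; 10.229.A.A is the placeholder used in the thread.

```python
import re

# Constructed "before" (the two ACL lines from the question) and "after"
# (the accepted answer's static + ACL + access-group lines). Not a real ASA config.
BEFORE = """\
access-list outside_access_in extended permit tcp any eq imap4 host 10.229.A.A eq imap4
access-list outside_access_in extended permit tcp any eq smtp host 10.229.A.A eq smtp
access-group outside_access_in in interface outside
"""
AFTER = """\
static (inside,outside) tcp interface 25 10.229.A.A 25 netmask 255.255.255.255
static (inside,outside) tcp interface 993 10.229.A.A 993 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 993
access-group outside_access_in in interface outside
"""

# static (inside,outside) tcp <mapped-ip|interface> <mapped-port> <real-ip> <real-port> netmask ...
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
# access-list <name> extended permit tcp any [eq <src-port>] (host <ip> | interface outside) [eq <dst-port>]
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any(?: eq (\S+))? "
                    r"(?:host (\S+)|interface outside)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def audit_inbound(config):
    """Return a list of (line, finding) for inbound TCP ACL lines that cannot work.

    Pre-8.3 semantics: the outside ACL is evaluated against the *mapped* address,
    so 'host <inside-ip>' only matches when a static publishes that host, and a
    source-port restriction blocks real clients, whose source port is ephemeral.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    published = {m.group(3) for m in map(STATIC_RE.match, lines) if m}   # real IPs with a static
    applied = {m.group(1) for m in map(GROUP_RE.match, lines) if m}      # ACLs bound to outside
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        name, src_port, dst_host, _dst_port = m.groups()
        if src_port:
            findings.append((line, "source port restricted to %s; clients use ephemeral ports" % src_port))
        if dst_host and dst_host not in published:
            findings.append((line, "destination %s is a real inside address with no static" % dst_host))
        if name not in applied:
            findings.append((line, "ACL %s is not applied to the outside interface" % name))
    return findings


if __name__ == "__main__":
    for cfg in (BEFORE, AFTER):
        for line, why in audit_inbound(cfg):
            print("%s\n  -> %s" % (line, why))
```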
Accepted Solution

by:MikeKane earned 500 total points
I'm checking back on older issues.   Did all your questions get answered?

Author Closing Comment

by:eddy_gequiere
Solution works