Problem with ASA5520: Exchange access to Active Directory

Aug 2nd, 2007


Inside I have an AD server.

The DMZ has an Exchange mail server.

Problem: the service does not start.

2. The ASA access list allows all IP:

access-list temp permit ip any any

access-group temp in interface dmz

access-group temp in interface inside

access-group temp in interface outside

3. The server can ping the AD server.

4. The AD server can ping the Exchange server. The server can access the AD server on port 80, and the AD server can access the Exchange server on port 80.

savgoust (Cisco Employee) Thu, 08/02/2007 - 11:15


I'm not sure what Exchange topology you use, but here are the ports required for an Exchange FE - BE topology:

If you are using a front-end server in a perimeter network, open TCP ports on the firewall for the protocols you are using:

80 for HTTP
143 for IMAP
110 for POP
25 for SMTP
691 for Link State Algorithm routing protocol

Open ports for Active Directory communication:

TCP port 389 for LDAP to Directory Service
UDP port 389 for LDAP to Directory Service
TCP port 3268 for LDAP to Global Catalog Server
TCP port 88 for Kerberos authentication
UDP port 88 for Kerberos authentication

Open the ports required for access to the DNS server:

TCP port 53
UDP port 53

Open the appropriate ports for RPC communication:

TCP port 135 - RPC endpoint mapper
TCP ports 1024+ - random RPC service ports

(Optional) To limit RPCs across the intranet firewall, edit the registry on servers in the intranet to specify RPC traffic to a specific non-random port. Then, open the appropriate ports on the internal firewall:

TCP port 135 - RPC endpoint mapper
TCP port 1600 (example) - RPC service port

If you use IPSec between the front-end and back-end, open the appropriate ports. If the policy you configure only uses AH, you do not need to allow ESP, and vice versa.

UDP port 500 - IKE
IP protocol 51 - AH
IP protocol 50 - ESP
UDP port 88 and TCP port 88 - Kerberos

Hope this helps,
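As an added example (not part of savgoust's reply and not the original poster's configuration), here is that port list turned into an ASA 7.x/8.0-style access list that could replace the interim `access-list temp extended permit ip any any` binding on the dmz interface. The host addresses and object-group names are placeholders chosen for the example, not addresses from the thread; the 1024-65535 range is kept only because the fixed-port registry step has not been applied yet.

```cisco
! Added example, not from the thread.  Placeholders:
!   10.1.50.10  = Exchange front-end in the dmz
!   10.1.100.10 = domain controller / global catalog / DNS on inside
object-group network EXCHANGE_FE
 network-object host 10.1.50.10
object-group network DOMAIN_CONTROLLERS
 network-object host 10.1.100.10
!
! TCP ports from the list above: DNS, Kerberos, RPC endpoint mapper,
! LDAP, LDAP to the global catalog, and the dynamic RPC range.
object-group service AD_TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 3268
 port-object range 1024 65535
!
! UDP ports from the list above: DNS, Kerberos, LDAP.
object-group service AD_UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 389
!
access-list DMZ_IN remark Exchange FE -> DC: directory, Kerberos, DNS, RPC
access-list DMZ_IN extended permit tcp object-group EXCHANGE_FE object-group DOMAIN_CONTROLLERS object-group AD_TCP
access-list DMZ_IN extended permit udp object-group EXCHANGE_FE object-group DOMAIN_CONTROLLERS object-group AD_UDP
access-list DMZ_IN remark Exchange FE -> anywhere: outbound mail only
access-list DMZ_IN extended permit tcp object-group EXCHANGE_FE any eq smtp
access-list DMZ_IN remark log anything else the dmz tries to start
access-list DMZ_IN extended deny ip any any log
!
! Rebind the dmz interface to the restricted list.  The "temp" list stays
! bound on outside and inside until those are tightened the same way.
access-group DMZ_IN in interface dmz
!
! Verify from the CLI before trusting it:
!   show access-list DMZ_IN        (hit counts per line)
!   packet-tracer input dmz tcp 10.1.50.10 1025 10.1.100.10 389
```

The `port-object range 1024 65535` line is the weak spot: it is what the random RPC service ports require until the registry change in the reply pins them to one port, after which that line can be replaced with `port-object eq 1600` (or whatever port was chosen) and the dmz host loses its reach into every high port on the domain controller.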


wilsonyong Thu, 08/02/2007 - 21:12

asa config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X

interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address

interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address

access-list temp extended permit ip any any
access-list temp extended permit icmp any any
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 1
nat (inside) 1
static (dmz,outside) netmask dns
static (inside,dmz) netmask
static (dmz,inside) netmask
access-group temp in interface outside
access-group temp in interface dmz
access-group temp out interface inside
route outside X.X.X.X 1
sysopt noproxyarp inside

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http

service-policy global_policy global

exchange ip address:

active directory ip address:

savgoust (Cisco Employee) Thu, 08/02/2007 - 22:17


Between the Exchange and the DC the NAT statement might be a problem. Try routing the traffic between them.
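One way to do what savgoust suggests, as an added example that is neither part of the reply nor the original poster's configuration: NAT exemption (`nat 0 access-list`) between inside and dmz, so the DC and the Exchange server reach each other on their real addresses while internet-bound traffic keeps using the existing PAT rules. The subnets are placeholders chosen for the example.

```cisco
! Added example, not from the thread.  Placeholder subnets:
!   10.1.100.0/24 = inside (domain controller)
!   10.1.50.0/24  = dmz (Exchange server)
!
! Traffic between these two networks is exempted from translation.  A
! NAT exemption lets either side start the connection, so the
! static (inside,dmz) / static (dmz,inside) pair is not needed for them.
access-list NONAT_INSIDE extended permit ip 10.1.100.0 255.255.255.0 10.1.50.0 255.255.255.0
access-list NONAT_DMZ extended permit ip 10.1.50.0 255.255.255.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
nat (dmz) 0 access-list NONAT_DMZ
!
! The existing "nat (inside) 1" / "global (dmz) 1 interface" pair still
! PATs inside hosts to the dmz interface address for anything that does
! not match NONAT_INSIDE; nat 0 is evaluated first, so the DC<->Exchange
! flows are no longer rewritten.
!
! Verify:
!   packet-tracer input dmz tcp 10.1.50.10 1025 10.1.100.10 135
!     (the NAT phase should match the nat 0 rule, not the static)
!   show xlate | include 10.1.50.10
!     (no xlate entry for the DC<->Exchange pair)
```

Only the `nat 0 access-list` form behaves this way; a plain `nat (inside) 0 10.1.100.0 255.255.255.0` is identity NAT, which still needs a matching static for connections started from the dmz side.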



wilsonyong Fri, 08/03/2007 - 06:04

AD can access Exchange on 80;

Exchange can access AD on 80.

From Cisco:

In addition, add an established command statement to permit RPC back connections

from the outside host on all high ports (1024 through 65535) to deliver mail:

"established tcp 135 permitto tcp 1024-65535"

What does this mean?
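What that `established` statement does on the ASA, as an added example that is neither a reply from the thread nor Cisco's text beyond the one line quoted above; the addresses are placeholders chosen for the example.

```cisco
! Added example, not from the thread.  Placeholders:
!   10.1.100.10 = domain controller on inside (security-level 100)
!   10.1.50.10  = Exchange server in the dmz (security-level 50)
!
! Reading the statement: established <proto> <dst-port> permitto <proto> <ports>
! Once a host on a higher-security interface (the DC) has a TCP connection
! open to port 135 on a host on a lower-security interface (Exchange), that
! lower-security host may open new connections back to the DC on TCP
! 1024-65535.  These callbacks are admitted for as long as the port-135
! connection exists and bypass the interface access list, which is why the
! Cisco text calls them "RPC back connections".
established tcp 135 permitto tcp 1024-65535
!
! Narrower form once RPC has been pinned to one port on the DC (1600 is
! the example value from the Microsoft guidance quoted earlier in the
! thread): only callbacks to that port, and only from the peer's own
! dynamic ports.
no established tcp 135 permitto tcp 1024-65535
established tcp 135 permitto tcp 1600 permitfrom tcp 1024-65535
!
! Verify:
!   show running-config established
!   show conn address 10.1.100.10 port 135
!     (the port-135 conn must exist before any callback is admitted)
```

Two caveats a practitioner would want: the command is global, so every host that opens port 135 toward any lower-security host gets the same high-port exposure, not just the DC talking to Exchange; and it only fires when the higher-security side initiates the port-135 connection. If in this topology the Exchange server is the one calling the DC's endpoint mapper, `established` never triggers and the RPC ports have to be in the dmz access list (ideally the single pinned port) instead.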

