Simple ACL question?

Unanswered Question
Jul 5th, 2009
This is what I have.


access-list INCOMING permit tcp any host 1.2.3.251 eq 3389
access-list INCOMING permit tcp any host 1.2.3.251 eq ldap
access-list INCOMING permit tcp any host 1.2.3.251 eq www
access-list INCOMING permit tcp any host 1.2.3.251 eq https
access-list INCOMING permit tcp any host 1.2.3.251 eq 4125
access-list INCOMING permit tcp any host 1.2.3.251 eq smtp
access-list INCOMING permit tcp any host 1.2.3.251 eq pptp
access-list INCOMING permit gre any host 1.2.3.251
access-group INCOMING in interface outside
static (inside,outside) 1.2.3.251 192.168.1.5 netmask 255.255.255.255 0 0


RDP and such work fine. I'm trying to set up Postini to sync with LDAP, and am getting a connection error:


Exception while attempting to retrieve results
java.lang.RuntimeException: javax.naming.CommunicationException: 1.2.3.251:389 [Root exception is java.net.ConnectException: Connection timed out: connect]


Any ideas why LDAP (389) traffic is not getting to 192.168.1.5?

Jon Marshall Mon, 07/06/2009 - 01:12

Scott


LDAP uses UDP as well as TCP. Try adding the following and retest -

access-list INCOMING permit udp any host 1.2.3.251 eq 389

Jon

scott.bridges Tue, 07/07/2009 - 16:34
Update:


It looks like the ACL was correct. Our Systems guy, after further research, discovered that GC servers may use a different port than DCs. That plus another unforeseen issue with ports.


But either way, my ACL was correct.

abbzer0 Thu, 07/09/2009 - 07:32
I would suggest you employ LDAPS as well on 636.
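As an added illustration (not code from the thread or from any of the posters), here is a small Python checker that parses the ACL lines quoted in the question and evaluates the flows the replies discuss against them, including the implicit deny at the end of the list. It assumes only the "any host IP [eq PORT]" form used in this thread, and it takes TCP 3268 as the Global Catalog LDAP port, a known fact that the thread itself does not state.

```python
import re
# Service keywords used in the posted ACL, mapped to port numbers.
SERVICE_PORTS = {"www": 80, "https": 443, "ldap": 389, "smtp": 25, "pptp": 1723}
# Only the "access-list NAME permit|deny PROTO any host IP [eq PORT]" form used
# in the post is handled (assumption: no object-groups, ranges or netmasks).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+any\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s+eq\s+(?P<port>\S+))?$")
# Subset of the ACL from the original post (the lines relevant to this thread).
ACL_CONFIG = """
access-list INCOMING permit tcp any host 1.2.3.251 eq 3389
access-list INCOMING permit tcp any host 1.2.3.251 eq ldap
access-list INCOMING permit gre any host 1.2.3.251
"""

def port_number(token):
    """Resolve a numeric port or a Cisco service keyword to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]

def parse_acl(config_text, name):
    """Return the named ACL's entries, in order, as (action, proto, dst, port)."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            port = port_number(m.group("port")) if m.group("port") else None
            entries.append((m.group("action"), m.group("proto").lower(),
                            m.group("dst"), port))
    return entries

def is_permitted(entries, proto, dst, port=None):
    """First-match evaluation; no matching entry means the implicit deny."""
    for action, e_proto, e_dst, e_port in entries:
        # A port-less entry (e.g. the gre line) matches any port.
        if e_proto not in (proto, "ip") or e_dst != dst or (
                e_port is not None and e_port != port):
            continue
        return action == "permit"
    return False

def check_ldap_flows():
    """Evaluate the flows discussed in the thread against the posted ACL."""
    acl, host = parse_acl(ACL_CONFIG, "INCOMING"), "1.2.3.251"
    return {
        "tcp/389 ldap": is_permitted(acl, "tcp", host, 389),   # the original rule
        "udp/389 ldap": is_permitted(acl, "udp", host, 389),   # Jon's line not yet added
        "tcp/3268 gc": is_permitted(acl, "tcp", host, 3268),   # Global Catalog port (known fact)
        "tcp/636 ldaps": is_permitted(acl, "tcp", host, 636),  # abbzer0's suggestion
        "gre": is_permitted(acl, "gre", host),
    }
```

Running `check_ldap_flows()` shows that only TCP 389 and GRE are allowed through to the host; the UDP 389, Global Catalog and LDAPS flows all fall to the implicit deny and would need their own permit lines.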
