
Simple ACL question?

scott.bridges
Level 1

This is what I have.

access-list INCOMING permit tcp any host 1.2.3.251 eq 3389
access-list INCOMING permit tcp any host 1.2.3.251 eq ldap
access-list INCOMING permit tcp any host 1.2.3.251 eq www
access-list INCOMING permit tcp any host 1.2.3.251 eq https
access-list INCOMING permit tcp any host 1.2.3.251 eq 4125
access-list INCOMING permit tcp any host 1.2.3.251 eq smtp
access-list INCOMING permit tcp any host 1.2.3.251 eq pptp
access-list INCOMING permit gre any host 1.2.3.251
access-group INCOMING in interface outside
static (inside,outside) 1.2.3.251 192.168.1.5 netmask 255.255.255.255 0 0

RDP & such works fine. I'm trying to set up Postini to sync with LDAP, and am getting a connection error:

Exception while attempting to retrieve results

java.lang.RuntimeException: javax.naming.CommunicationException: 1.2.3.251:389 [Root exception is java.net.ConnectException: Connection timed out: connect]

Any ideas why LDAP (389) traffic is not getting to 192.168.1.5?

3 Replies

Jon Marshall
Hall of Fame

Scott

LDAP uses UDP as well as TCP. Try adding the following and retest -

access-list INCOMING permit udp any host 1.2.3.251 eq 389

Jon

scott.bridges
Level 1

Update:

It looks like the ACL was correct. Our Systems guy, after further research, discovered that GC servers may use a different port than DCs. That plus another unforeseen issue with ports.

But either way, my ACL was correct.

I would suggest you employ LDAPS as well on 636.
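To check which flows this ACL actually permits, here is an added Python example (not from the thread or from Cisco): it parses the entries as posted in the question plus the UDP line from the first reply, evaluates a flow with first-match semantics and the implicit deny, and tests the LDAP-related flows the thread discusses. The Global Catalog port 3268 and the regex's restriction to the "any -> host X [eq port]" form are my assumptions.

```python
import re

# Service names the PIX/ASA CLI accepts in place of port numbers (subset)
PORT_NAMES = {"ldap": 389, "www": 80, "https": 443, "smtp": 25, "pptp": 1723, "ldaps": 636}

# The ACL from the question, plus the UDP line suggested in the first reply
ACL = """
access-list INCOMING permit tcp any host 1.2.3.251 eq 3389
access-list INCOMING permit tcp any host 1.2.3.251 eq ldap
access-list INCOMING permit tcp any host 1.2.3.251 eq www
access-list INCOMING permit tcp any host 1.2.3.251 eq https
access-list INCOMING permit tcp any host 1.2.3.251 eq 4125
access-list INCOMING permit tcp any host 1.2.3.251 eq smtp
access-list INCOMING permit tcp any host 1.2.3.251 eq pptp
access-list INCOMING permit gre any host 1.2.3.251
access-list INCOMING permit udp any host 1.2.3.251 eq 389
"""

# Only the 'any -> host X [eq port]' form used on this page is supported (assumption)
LINE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\S+))?$")

def parse_acl(text):
    """Return (acl_name, action, proto, dst, port_or_None) per entry, in order."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported line: {raw}")
        name, action, proto, dst, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        entries.append((name, action, proto.lower(), dst, port))
    return entries

def evaluate(entries, acl_name, proto, dst, port=None):
    """First matching entry wins; no match means the implicit deny at the end."""
    for name, action, p, d, pt in entries:
        if name == acl_name and p == proto and d == dst and (pt is None or pt == port):
            return action
    return "deny"

def check_ldap_flows(entries, dst="1.2.3.251", gc_port=3268):
    """Flows a directory sync may need; gc_port=3268 (Global Catalog) is an assumption."""
    flows = [("ldap", "tcp", 389), ("ldap", "udp", 389),
             ("gc", "tcp", gc_port), ("ldaps", "tcp", 636)]
    return {f"{n} {p}/{pt}": evaluate(entries, "INCOMING", p, dst, pt) for n, p, pt in flows}
```

Running `check_ldap_flows(parse_acl(ACL))` shows tcp/389 and udp/389 permitted while the Global Catalog port and LDAPS on 636 fall through to the implicit deny, which is the gap the update post describes.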
