Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2768
Views
0
Helpful
2
Replies

Configuring ASA5510 for LDAP & Mimecast

swjmckay1
Level 1
Level 1

‎08-20-2010 03:39 AM - edited ‎03-11-2019 11:28 AM

We have been moving our email filtering and archiving over to Mimecast and while the configuration for smtp has been easy, I have been struggling to get an LDAP connection to work.

I created a network object group to cover the IP ranges for Mimecast's European data centers and allow for smtp traffic.

access-list acl_out extended permit tcp object-group Mimecast_email host 193.***.***.*** eq smtp 

static (inside,outside) tcp 193.***.***.*** smtp 192.168.***.*** smtp netmask 255.255.255.255 
static (inside,outside) tcp 193.***.***.*** pop3 192.168.***.*** pop3 netmask 255.255.255.255 

I have a NAT rule set up to convert the internal IP of the AD domain controller in the same way as for Exchange



static (inside,outside) tcp 193.***.***.*** ldap 192.168.***.*** ldap netmask 255.255.255.255 

and obviously a corresponding ACL entry


access-list acl_out extended permit tcp object-group Mimecast_email eq ldap host 193.***.***.*** eq ldap

Anyway, when I try and synchronise from Mimecast I get the following error - 

ERROR|Connection Error - Active Directory login failed

There is a Mimecast login setup within our AD and it is in the correct format but when I try the synchronisation I don't even get any traffic showing on the log of the ASA

Any help or advice would be appreciated.

Many thanks,

Stuart

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎08-20-2010 05:33 AM

I would suggest that you check to see if you are seeing any hit count on acl_out access-list for the ldap synchronization specifically. If there is no hitcount, that means that the traffic is not even coming in towards the firewall.

You might want to check if it's probably using LDAPS instead of plain LDAP which is on a different port.

Lastly, you might want to run a packet capture on the outside interface of the ASA with ACL between the AD public ip address towards any, and the reverse to see if any packets are coming inbound towards the AD.

Hope that helps to start the troubleshooting.

0 Helpful

swjmckay1
Level 1
Level 1
In response to Jennifer Halim

‎08-26-2010 02:31 AM

Thanks for the pointers, this is where I have now got to.

Hit count is zero but our ISP had been blocking port 389 so that has now been opened up although the hit count hasn't changed.

The Mimecast config is definitely set to use port 389 and we now get the following error

4Aug 26 201009:03:1210602394.185.240.26193.130.102.99Deny tcp src outside:94.185.240.26/45514 dst inside:193.130.102.99/389 by access-group "acl_out" [0x0, 0x0]

It looks to me as though the NAT isn't functioning properly for this IP address but the exact same set up works fine for connections from Mimecast to port 25 on a different external IP.

Many thanks, Stuart

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card