ASA 5505 LDAP Sync for GFI Max Mail Protection

Answered Question
Sep 10th, 2010

Having great trouble trying to get my online mail filtering service to sync with LDAP through the Cisco ASA 5505.

Please below for firewall entries.

access-list outside extended permit tcp host GFI1 host SMTP eq ldap

static (inside,outside) tcp SMTP ldap SERVER ldap netmask 255.255.255.255

The below error gets logged on the ASA.

Deny tcp src outside:208.70.89.81/42946 dst inside:SMTP/389 by access-group "outside" [0x0, 0x0]

Have I done something wrong or missing some config entries ?

The server is SBS2008 with LDS installed and configured.

Thank you.

S.

I have this problem too.
0 votes
Correct Answer by mirober2 about 6 years 3 months ago

Hi Stephen,

Names are only used for hosts, so they don't accept a subnet mask. In the example you provided, the ASA will try to match the packet to 208.80.78.0.

If you want to specify full subnets, you can use object-groups:

object-group network GFI1

   network-object 208.80.78.0 255.255.255.0

You'll also need to adjust your access-list to use the object-group like this:

access-list outside extended permit tcp object-group GFI1 host SMTP eq ldap

Hope that helps.

-Mike

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mirober2 Fri, 09/10/2010 - 07:03

Hi Stephen,

What IP address is configured assigned to the GFI1 name? You can check 'show run name | i GFI1' to see if it is configured for 208.70.89.81.

-Mike

stephenwilletts Fri, 09/10/2010 - 07:12

Mike,

I've a number of GFIx names assigned to a number of their IP ranges and all are OK.

Thanks.

S.

mirober2 Fri, 09/10/2010 - 07:14

Stephen,

But does the "outside" access list contain a rule that permits traffic sourced from 208.70.89.81 and destined to the host called SMTP on port 389? The log message you see indicates that the packet isn't matching any of the permit rules in the access list.

-Mike

stephenwilletts Fri, 09/10/2010 - 07:19

The GFI name entries are subnets and not hosts, maybe this

is the cause.

E.g. GFI1 is 208.80.78.0 for example.

Would I need to simply add a "mask" entry or is this irrelevant ?

Thanks.

S.

Correct Answer
mirober2 Fri, 09/10/2010 - 07:27

Hi Stephen,

Names are only used for hosts, so they don't accept a subnet mask. In the example you provided, the ASA will try to match the packet to 208.80.78.0.

If you want to specify full subnets, you can use object-groups:

object-group network GFI1

   network-object 208.80.78.0 255.255.255.0

You'll also need to adjust your access-list to use the object-group like this:

access-list outside extended permit tcp object-group GFI1 host SMTP eq ldap

Hope that helps.

-Mike

Actions

This Discussion