blackberry and PIX 501 configuration

Unanswered Question
Jun 18th, 2006
Does anyone have an idea how to configure the PIX 501 for a Blackberry server to work with a BB wireless device?



name 10.0.0.54 BESServer

object-group service BESServerTCP tcp
  description TCP3101
  port-object eq 3101

access-list outside_access_in permit tcp any host 204.42.8.206 object-group BESServerTCP log 5

pdm location BESServer 255.255.255.255 inside

static (inside,outside) 204.42.8.206 BESServer netmask 255.255.255.255 0 0


That is what I have and it does not work.

Thank you for your help.

gfullage Sun, 06/18/2006 - 17:04
User Badges:
  • Cisco Employee,

This (http://www.blackberry.com/products/wlan/sys_req.shtml) says you need TCP port 4101 open. But then there are other documents that describe the use of port 3101, so not sure there (http://www.blackberry.com/support/pdfs/TAE-00038-001-Placing_BES_Exchange_demilitarized_zone.pdf).


Your best bet to see if this is a connection issue is to enable syslogging and see if any packets on a particular port are being denied at the PIX. You can then open these up and see if that resolves the problem. To verify quickly whether it's the PIX at fault or not, just add a:


access-list outside_access_in permit ip any any


line so that you know the PIX is not blocking anything. If that resolves it then you know it's simply an access-list problem and the syslog should tell you what it is that needs to be opened. If it doesn't work after opening the PIX right up, then you know you need to look elsewhere.

For the BES to function correctly you need to allow ONLY TCP port 3101 outbound from your internal LAN i.e.


access-list inside permit tcp host <BES-server-IP> any eq 3101
access-group inside in interface inside


If you are based in Europe then test from your BES server to see if you can connect to one of the Blackberry relay nodes i.e.


From your BES server (command prompt)


telnet srp.eu.blackberry.net 3101


If the above is not successful then I would suggest that you take out all your inside ACLs and test again. As you know, the PIX allows (by default) all inside connections out; this should verify if there is a problem with your ACLs.


And also read the info provided by Glen in his post.


Hope this helps.


Jay


grant.maynard Wed, 06/21/2006 - 05:32
User Badges:
  • Silver, 250 points or more

I agree with Jay: his config is all I've ever seen for Blackberry (in EU).

I would not recommend putting "permit ip any any" on your outside ACL. A better idea would be the log keyword, e.g.:

access-list outside_access_in deny ip any host 204.42.8.206 log

then it logs any hits under syslog id 106100 and they're easier to pick out of the log, i.e. you can do "no logg mess 106023" to ignore background noise and still see what's getting blocked to that one IP.
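One way to act on the logging advice above, as an added example that is not part of the original thread: a Python sketch that pulls the 106100 "denied" hits for the BES public address out of a syslog capture and totals them per protocol and port, which shows which port still needs opening. The log lines are constructed samples that assume the usual 106100 and 106023 message layouts, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), laid out like PIX messages
# 106100 (hit on an ACL entry with "log") and 106023 (deny by access-group).
SAMPLE_LOG = """\
Jun 21 05:40:01 pix %PIX-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40112) -> inside/204.42.8.206(4101) hit-cnt 1 (first hit)
Jun 21 05:40:09 pix %PIX-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40113) -> inside/204.42.8.206(4101) hit-cnt 1 (first hit)
Jun 21 05:40:15 pix %PIX-5-106100: access-list outside_access_in permitted tcp outside/203.0.113.20(51000) -> inside/204.42.8.206(3101) hit-cnt 1 (first hit)
Jun 21 05:41:02 pix %PIX-4-106023: Deny udp src outside:203.0.113.9/137 dst inside:204.42.8.150/137 by access-group "outside_access_in"
Jun 21 05:41:30 pix %PIX-6-106100: access-list outside_access_in denied udp outside/198.51.100.44(5353) -> inside/204.42.8.206(53) hit-cnt 3 (300-second interval)
"""

# Assumed 106100 layout: access-list <acl> <action> <proto> if/src(port) -> if/dst(port) hit-cnt N
ACL_HIT = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"[^/\s]+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"[^/\s]+/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def denied_to_host(log_text, host, acl="outside_access_in"):
    """Total 106100 'denied' hits for one destination, keyed by (proto, port)."""
    blocked = Counter()
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if not m or m["acl"] != acl:
            continue  # other message ids (e.g. 106023) or other ACLs
        if m["action"] == "denied" and m["dst"] == host:
            # hit-cnt carries the number of hits in the reporting interval
            blocked[(m["proto"], int(m["dport"]))] += int(m["hits"])
    return blocked

def count_message(log_text, msg_id):
    """Count lines carrying a given PIX message id, at any severity level."""
    pattern = re.compile(rf"%PIX-\d-{msg_id}:")
    return sum(1 for line in log_text.splitlines() if pattern.search(line))

if __name__ == "__main__":
    for (proto, port), hits in denied_to_host(SAMPLE_LOG, "204.42.8.206").most_common():
        print(f"blocked {proto}/{port}: {hits} hit(s)")
    print("106023 background lines skipped:", count_message(SAMPLE_LOG, 106023))
```
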
