
blackberry and PIX 501 configuration

vitancris
Level 1

Does anyone have an idea how to configure the PIX 501 for a Blackberry server to work with a BB wireless device?

name 10.0.0.54 BESServer

object-group service BESServerTCP tcp

description TCP3101

port-object eq 3101

access-list outside_access_in permit tcp any host 204.42.8.206 object-group BESServerTCP log 5

pdm location BESServer 255.255.255.255 inside

static (inside,outside) 204.42.8.206 BESServer netmask 255.255.255.255 0 0

That is what I have and it does not work.

Thank you for help

3 Replies

gfullage
Cisco Employee

This (http://www.blackberry.com/products/wlan/sys_req.shtml) says you need TCP port 4101 open. But then there's other documents that describe the use of port 3101, so not sure there (http://www.blackberry.com/support/pdfs/TAE-00038-001-Placing_BES_Exchange_demilitarized_zone.pdf)

Your best bet to see if this is a connection issue is to enable syslogging and see if any packets on a particular port are being denied at the PIX. You can then open these up and see if that resolves the problem. To verify quickly whether it's the PIX at fault or not, just add a:

access-list outside_access_in permit ip any any

line so that you know the PIX is not blocking anything. If that resolves it then you know it's simply an access-list problem and the syslog should tell you what it is that needs to be opened. If it doesn't work after opening the PIX right up, then you know you need to look elsewhere.

jmia
Level 7

For the BES to function correctly you need to allow ONLY TCP port 3101 outbound from your internal LAN i.e.

access-list inside permit tcp host any eq 3101

access-group inside in interface inside

If you are based in Europe then test from your BES server to see if you can connect to one of the Blackberry relay nodes i.e.

From your BES server (command prompt)

telnet srp.eu.blackberry.net 3101

If the above is not successful then I would suggest that you take out all your inside ACLs and test again. As you know, the PIX allows (by default) all inside connections out - this should verify if there is a problem with your ACLs.

And also read the info provided by Glen on his post.

Hope this helps.

Jay

grant.maynard
Level 4

I agree with Jay: his config is all I've ever seen for Blackberry (in EU).

I would not recommend putting "permit ip any any" on your outside ACL. A better idea would be the log keyword, e.g.:

access-list outside_access_in deny ip any host 204.42.8.206 log

then it logs any hits under syslog id 106100 and they're easier to pick out of the log, i.e. you can do

"no logg mess 106023" to ignore background noise and still see what's getting blocked to that one IP.

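An added example, not part of any reply in this thread: a short Python script that reads PIX syslog text and totals what was denied to the translated BES address, per protocol and destination port, which is the check the replies above recommend doing by eye. The sample lines are constructed and assume the documented 106100 and 106023 message layouts; the source addresses are documentation ranges and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread). Layout is assumed to
# follow the documented PIX 106100 / 106023 formats; sources are doc-range IPs.
SAMPLE_LOG = """\
%PIX-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40112) -> inside/204.42.8.206(4101) hit-cnt 1 (first hit)
%PIX-5-106100: access-list outside_access_in permitted tcp outside/198.51.100.7(40113) -> inside/204.42.8.206(3101) hit-cnt 1 (first hit)
%PIX-4-106023: Deny tcp src outside:203.0.113.9/51515 dst inside:204.42.8.206/4101 by access-group "outside_access_in"
%PIX-6-106100: access-list outside_access_in denied udp outside/203.0.113.9(5353) -> inside/204.42.8.206(53) hit-cnt 3 (300-second interval)
%PIX-4-106023: Deny tcp src outside:203.0.113.9/51600 dst inside:204.42.8.77/445 by access-group "outside_access_in"
"""

# 106100: emitted by an ACE carrying the "log" keyword; includes a hit count.
RE_106100 = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) [^/\s]+/(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"[^/\s]+/(?P<dst>[^\s(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")
# 106023: the default per-packet deny message (one line per denied packet).
RE_106023 = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\S+) src [^:\s]+:(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dst>[^/\s]+)/(?P<dport>\d+)")

def denied_ports(log_text, dst_ip):
    """Return Counter {(proto, dport): hits} for traffic denied to dst_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RE_106100.search(line)
        if m:
            if m["action"] != "denied":
                continue          # permitted / est-allowed hits are not blocks
            hits = int(m["hits"])  # interval lines aggregate several packets
        else:
            m = RE_106023.search(line)
            if not m:
                continue          # unrelated syslog message
            hits = 1
        if m["dst"] == dst_ip:
            counts[(m["proto"], int(m["dport"]))] += hits
    return counts

if __name__ == "__main__":
    for (proto, port), hits in denied_ports(SAMPLE_LOG, "204.42.8.206").most_common():
        print(f"{proto}/{port}: {hits} denied")
```

Ports that show up here are candidates to review against the BES requirements, rather than something to open with a blanket permit.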