Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring ASA5510 for LDAP & Mimecast

We have been moving our email filtering and archiving over to Mimecast and while the configuration for smtp has been easy, I have been struggling to get an LDAP connection to work.

I created a network object group to cover the IP ranges for Mimecast's European data centers and allow for smtp traffic.

access-list acl_out extended permit tcp object-group Mimecast_email host 193.***.***.*** eq smtp 

static (inside,outside) tcp 193.***.***.*** smtp 192.168.***.*** smtp netmask 
static (inside,outside) tcp 193.***.***.*** pop3 192.168.***.*** pop3 netmask 

I have a NAT rule set up to convert the internal IP of the AD domain controller in the same way as for Exchange

static (inside,outside) tcp 193.***.***.*** ldap 192.168.***.*** ldap netmask 

and obviously a corresponding ACL entry

access-list acl_out extended permit tcp object-group Mimecast_email eq ldap host 193.***.***.*** eq ldap

Anyway, when I try and synchronise from Mimecast I get the following error - 

ERROR|Connection Error - Active Directory login failed

There is a Mimecast login setup within our AD and it is in the correct format but when I try the synchronisation I don't even get any traffic showing on the log of the ASA

Any help or advice would be appreciated.

Many thanks,


Everyone's tags (3)
Super Bronze

Re: Configuring ASA5510 for LDAP & Mimecast

I would suggest that you check to see if you are seeing any hit count on acl_out access-list for the ldap synchronization specifically. If there is no hitcount, that means that the traffic is not even coming in towards the firewall.

You might want to check if it's probably using LDAPS instead of plain LDAP which is on a different port.

Lastly, you might want to run a packet capture on the outside interface of the ASA with ACL between the AD public ip address towards any, and the reverse to see if any packets are coming inbound towards the AD.

Hope that helps to start the troubleshooting.

New Member

Re: Configuring ASA5510 for LDAP & Mimecast

Thanks for the pointers, this is where I have now got to.

Hit count is zero but our ISP had been blocking port 389 so that has now been opened up although the hit count hasn't changed.

The Mimecast config is definitely set to use port 389 and we now get the following error

4Aug 26 201009:03:1210602394.185.240.26193.130.102.99Deny tcp src outside: dst inside: by access-group "acl_out" [0x0, 0x0]

It looks to me as though the NAT isn't functioning properly for this IP address but the exact same set up works fine for connections from Mimecast to port 25 on a different external IP.

Many thanks, Stuart