Cisco Support Community
New Member

What am I doing wrong?

I've been tasked with opening port 389 (LDAP) for Mimecast ingestion for our exchange server.

However, I just cannot get it to connect. I can see matches on the ACL, but the connection keeps getting refused.

Config is below. I've redacted it for privacy. Thanks. My config additions I have highlighted in bold. Thanks in advance. David.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ***
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 y4syKCQM5fRqlXcSnxUFUS71iY4qdGFm00V7ZZK3Rfk
!
aaa new-model
!
!
aaa group server radius radius2
 server name RSARADIUS1
 server name RSARADIUS2
!
aaa authentication login userauthen group radius local
aaa authentication login userauthen2 group radius2 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
!


!
!
!
!
no ip domain lookup
ip domain name ***
ip inspect name lan-in ftp timeout 3600
ip inspect name lan-in h323 timeout 3600
ip inspect name lan-in http timeout 3600
ip inspect name lan-in rcmd timeout 3600
ip inspect name lan-in realaudio timeout 3600
ip inspect name lan-in smtp timeout 3600
ip inspect name lan-in sqlnet timeout 3600
ip inspect name lan-in streamworks timeout 3600
ip inspect name lan-in tcp timeout 3600
ip inspect name lan-in tftp timeout 30
ip inspect name lan-in udp timeout 15
ip inspect name lan-in vdolive timeout 3600
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1707C4WW
license accept end user agreement
!
!
object-group network ***-AD-DCS
 description Internal domain controllers for DMZ access
 host 192.168.52.5
 host 192.186.76.9
 host 192.168.52.16
!
object-group service ***-AD-SERVICES
 description Group of services required to support Active Directory
 tcp-udp eq 123
 tcp-udp eq 135
 tcp-udp eq 464
 tcp-udp eq 636
 tcp-udp eq 389
 tcp-udp eq 3268
 tcp-udp eq 3269
 tcp-udp eq domain
 tcp-udp eq 88
 tcp-udp eq 445
!
object-group network ***-***ADM
 description Internal 'Access' ADM server for DMZ access
 host 192.168.52.114
!
object-group network ***-MS-SQL
 description Internal SQL Server for DMZ access
 host 192.168.52.6
!
object-group network ***-RADIUS-SERVER
 description ***RADIUS - Windows 2008 R2 RADIUS server
 host 192.168.52.22
!
object-group network ***-SMTP
 description Internal Exchange server for DMZ access
 host 192.168.52.15
!
object-group network DMZ-RDP-GP
 description Focalpoint server in DMZ zone
 host 172.20.189.10
!
object-group network EXT-MSSQL-GP
 description Microsoft SQL to hosted bing servers
 host 82.71.139.28
 host 82.71.139.29
 host 82.71.157.209
!
object-group network EXT-MYSQL-GP
 description MySQL to hosted bing servers
 host 82.71.139.26
 host 82.71.139.27
 host 82.71.157.210
!
object-group network EXT-RDP-GP
 description Remote desktop to hosted bing servers
 host 82.71.139.28
 host 82.71.139.29
 host 82.71.157.209
!
object-group network EXT-SSH-GP
 description Secure shell to hosted bing servers
 host 82.71.139.26
 host 82.71.139.27
 host 82.71.157.210
!
object-group network IBIS-CPANEL-SERVER
 description bing-hosted Ibis Trading CPanel server
 host 88.98.24.69
!
object-group network MERAKI-ACCESS-POINTS
 description Meraki Wi-Fi access points on internal LAN
 host 192.168.52.25
 host 192.168.52.26
 host 192.168.52.27
!
object-group network MERAKI-CLOUD-SERVERS
 description Meraki's cloud-based management servers
 host 46.165.246.229
 host 64.156.192.245
 host 74.50.51.16
 host 74.50.56.176
 host 184.72.22.195
 host 64.62.142.12
 host 64.62.142.2
!
object-group network MERAKI-NTP-SERVERS
 description NTP time servers for Meraki access points
 host 46.165.196.144
 host 87.98.238.185
 host 109.69.184.210
 host 193.228.143.12
 host 87.117.251.47
 host 188.165.196.93
 host 213.209.109.45
 host 78.152.160.1
 host 5.9.29.107
 host 84.2.44.19
 host 91.238.144.13
 host 192.33.96.102
!
object-group service MERAKI-PORTS-TCP
 description TCP ports required for cloud management of Wi-Fi access points
 tcp eq www
 tcp eq 443
 tcp eq 7734
 tcp eq 7752
!
object-group service MERAKI-PORTS-UDP
 description UDP ports required for Meraki cloud management of Wi-Fi access points
 udp eq 7351
!
object-group service MERAKI-RADIUS-UDP
 description UDP ports required for Meraki cloud to authenticate with RADIUS
 tcp range 1812 1813
 tcp range 1645 1646
!
object-group network NETWORK-ATTACKERS
 host 90.207.153.89
 host 2.103.29.77
 host 85.255.232.50
 host 109.152.162.83
 host 2.120.164.78
 host 46.233.116.149
 host 151.228.37.156
 host 79.64.199.143
 host 85.255.234.17
 host 82.132.233.175
 host 80.44.240.58
 host 82.132.220.11
!
object-group service SYMANTEC-WEB
 description Ports used by Symantec Endpoint Protection for updates
 tcp eq www
 tcp eq 8014
 tcp eq 443
!
object-group network dmz-subnet
 172.20.189.0 255.255.255.0
!
object-group network internal-subnet
 192.168.52.0 255.255.255.0
!
object-group network vpn-clients
 10.0.0.0 255.255.255.0
!

!
!
!
!
!
ip ssh version 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group VPNRADIUS
 key selection
 pool vpnpool
!
crypto isakmp client configuration group remoteclient
 key selection
 dns 192.168.52.5 192.168.52.9
 pool vpnpool
 acl split-tunnel
 netmask 255.255.255.0
!
crypto isakmp client configuration group RSAVPN
 key selection
 dns 192.168.52.5 192.168.52.9
 pool vpnpool
 acl split-tunnel
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map dymap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen2
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dymap
!
!
!
!
!
interface FastEthernet0
 description L2 interface for LAN
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 description L2 interface for DMZ
 switchport access vlan 20
 no ip address
!
interface FastEthernet2
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 no ip address
!
interface Vlan10
 description LAN Interface
 ip address 192.168.52.3 255.255.255.0
 ip nat inside
 ip inspect lan-in in
 ip virtual-reassembly in
 standby use-bia
 standby 1 ip 192.168.52.1
 standby 1 preempt
 standby 2 ip 192.168.52.2
 standby 2 priority 50
 standby 2 preempt
!
interface Vlan20
 description DMZ Interface
 ip address 172.20.189.3 255.255.255.0
 ip nat inside
 ip inspect lan-in in
 ip virtual-reassembly in
 standby use-bia
 standby 3 ip 172.20.189.1
 standby 3 priority 50
 standby 3 preempt
!
interface Dialer0
 mtu 1492
 ip address 72.54.251.173 255.255.255.248
 ip access-group outside_in in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 
 ppp ipcp dns request
 ppp ipcp route default
 crypto map clientmap
!
ip local pool vpnpool 10.0.0.1 10.0.0.127
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list no-nat interface Dialer0 overload
ip nat inside source static 172.20.189.10 72.54.251.170 route-map NONAT
ip nat inside source static 192.168.52.15 72.54.251.172 route-map NONAT2
ip route 0.0.0.0 0.0.0.0 72.54.251.174
ip route 0.0.0.0 0.0.0.0 192.168.52.4 254
ip route 172.20.189.0 255.255.255.0 192.168.52.4 254
!
ip access-list extended dmz-2-in
 remark traffic to vPN
 permit ip any 10.0.0.0 0.0.0.255
 remark Allow HSRP
 permit udp any any eq 1985
 permit tcp host 172.20.189.10 any eq www
 permit tcp host 172.20.189.10 any eq 443
 permit tcp host 172.20.189.10 any eq 3389
 permit icmp any any echo-reply
 permit tcp host 172.20.189.10 object-group ***-MS-SQL eq 1433
 permit tcp host 172.20.189.10 object-group ***-SMTP eq smtp
 permit object-group ***-AD-SERVICES host 172.20.189.10 object-group ***-AD-DCS
 permit tcp host 172.20.189.10 object-group ***-AD-DCS range 49152 65535
 permit object-group SYMANTEC-WEB host 172.20.189.10 host 192.168.52.16
 permit tcp host 172.20.189.10 object-group ***-***ADM eq www
 deny   ip any any log

ip access-list extended inside-in
 remark Allow HSRP
 permit udp any any eq 1985
 permit icmp 192.168.52.0 0.0.0.255 any
 remark Following line grants access to VPN users
 permit ip 192.168.52.0 0.0.0.255 10.0.0.0 0.0.0.255
 remark actual rules
 permit ip 192.168.52.0 0.0.0.255 192.168.52.0 0.0.0.255
 permit udp 192.168.52.0 0.0.0.255 any eq domain
 permit tcp host 192.168.52.9 any eq 389
 permit tcp host 192.168.52.16 any eq 389

 permit tcp host 192.168.52.15 any
 permit tcp host 192.168.52.11 any
 permit tcp 192.168.52.0 0.0.0.255 any eq www
 permit tcp 192.168.52.0 0.0.0.255 any eq 443
 permit udp 192.168.52.0 0.0.0.255 any eq ntp
 permit udp 192.168.52.0 0.0.0.255 any eq sunrpc
 permit tcp 192.168.52.0 0.0.0.255 any eq 2116
 permit tcp 192.168.52.0 0.0.0.255 any eq 2115
 permit tcp 192.168.52.0 0.0.0.255 any range 20000 20020
 permit tcp 192.168.52.0 0.0.0.255 any eq pop3
 permit tcp 192.168.52.0 0.0.0.255 any eq ftp-data
 permit tcp 192.168.52.0 0.0.0.255 any eq ftp
 permit tcp 192.168.52.0 0.0.0.255 host 62.216.253.139 gt 49151
 permit tcp 192.168.52.0 0.0.0.255 object-group EXT-RDP-GP eq 3389
 permit tcp 192.168.52.0 0.0.0.255 object-group DMZ-RDP-GP eq 3389
 permit tcp 192.168.52.0 0.0.0.255 object-group EXT-SSH-GP eq 22
 permit tcp 192.168.52.0 0.0.0.255 object-group EXT-MYSQL-GP eq 3306
 permit tcp 192.168.52.0 0.0.0.255 object-group EXT-MSSQL-GP eq 1433
 permit ip object-group internal-subnet object-group dmz-subnet
 permit udp object-group MERAKI-ACCESS-POINTS object-group MERAKI-CLOUD-SERVERS eq 7351
 permit tcp object-group MERAKI-ACCESS-POINTS object-group MERAKI-CLOUD-SERVERS eq www
 permit tcp object-group MERAKI-ACCESS-POINTS object-group MERAKI-CLOUD-SERVERS eq 443
 permit tcp object-group MERAKI-ACCESS-POINTS object-group MERAKI-CLOUD-SERVERS eq 7734
 permit tcp object-group MERAKI-ACCESS-POINTS object-group MERAKI-CLOUD-SERVERS eq 7752
 permit udp object-group MERAKI-ACCESS-POINTS object-group MERAKI-NTP-SERVERS eq ntp
 permit tcp 192.168.52.0 0.0.0.255 object-group IBIS-CPANEL-SERVER eq 2083
 permit tcp 192.168.52.0 0.0.0.255 host 62.128.204.59 eq 7800
 deny   ip any any log
ip access-list extended no-nat
 deny   ip object-group internal-subnet object-group vpn-clients
 deny   ip object-group internal-subnet object-group dmz-subnet
 deny   ip object-group internal-subnet object-group internal-subnet
 deny   ip object-group dmz-subnet object-group internal-subnet
 deny   ip object-group dmz-subnet object-group vpn-clients
 deny   ip host 192.168.52.15 any
 permit ip object-group internal-subnet any
ip access-list extended no-nat2
 deny   ip object-group internal-subnet object-group vpn-clients
 deny   ip object-group internal-subnet object-group dmz-subnet
 deny   ip object-group internal-subnet object-group internal-subnet
 deny   ip object-group dmz-subnet object-group internal-subnet
 deny   ip object-group dmz-subnet object-group vpn-clients
 permit ip object-group internal-subnet any

ip access-list extended outside_in
 deny   ip object-group NETWORK-ATTACKERS any log
 permit icmp host 82.71.139.29 host 72.54.251.172
 permit esp any host 72.54.251.173
 permit tcp any host 72.54.251.173 eq 500
 permit udp any host 72.54.251.173 eq isakmp
 permit udp any host 72.54.251.173 eq non500-isakmp
 permit udp any host 72.54.251.173 eq 10000
 permit tcp any host 72.54.251.172 eq smtp
 permit tcp any host 72.54.251.172 eq www
 permit tcp any host 72.54.251.172 eq 443
 remark HTTPS access to Focalpoint server on DMZ interface
 permit tcp any host 72.54.251.170 eq 443
 permit udp object-group MERAKI-CLOUD-SERVERS object-group ***-RADIUS-SERVER range 1645 1646
 permit tcp any host 72.54.251.172 eq 389
 deny   ip any any log
ip access-list extended split-tunnel
 permit ip 192.168.52.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.20.189.0 0.0.0.255 10.0.0.0 0.0.0.255
!
ip radius source-interface Vlan10
ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet4
 threshold 200
 frequency 10
access-list 101 permit ip 192.168.52.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address no-nat
!
route-map NONAT2 permit 10
 match ip address no-nat2
!
!
radius server RSARADIUS1
 address ipv4 192.168.52.28 auth-port 1645 acct-port 1646
 pac key selection
!
radius server RSARADIUS2
 address ipv4 192.168.52.29 auth-port 1645 acct-port 1646
 pac key selection
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 logging synchronous
 transport input ssh
!
ntp server 192.168.52.5
!
end
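The router evaluates an inbound packet on Dialer0 against the `outside_in` ACL first and only then applies the static NAT (global 72.54.251.172 to local 192.168.52.15), so an ACL hit counter that increments tells you nothing about what happens after translation. The following is an added example, not code from the original post: it parses the relevant object-groups, the `outside_in` ACL and the two static NAT lines exactly as quoted above and traces an inbound TCP/389 connection through them. The source address 203.0.113.10 is a constructed TEST-NET-3 placeholder, not a real Mimecast address, and the parser, `NAMED_PORTS` table and function names are this example's own. Note also, as posted, the third host in `***-AD-DCS` is 192.186.76.9, which is outside the 192.168.52.0/24 LAN.

```python
# Added example, not from the original post: parse the outside_in ACL,
# the network object-groups and the static NAT lines quoted above, and
# trace an inbound LDAP connection through them the way the router does
# (inbound ACL on Dialer0 first, then static NAT global -> local).

# Subset of the posted config, copied verbatim (including the redacted
# "***-" group names). Only what the trace needs is included.
CONFIG = """\
object-group network ***-AD-DCS
 host 192.168.52.5
 host 192.186.76.9
 host 192.168.52.16
object-group network ***-SMTP
 host 192.168.52.15
object-group network NETWORK-ATTACKERS
 host 90.207.153.89
 host 2.103.29.77
ip nat inside source static 172.20.189.10 72.54.251.170 route-map NONAT
ip nat inside source static 192.168.52.15 72.54.251.172 route-map NONAT2
ip access-list extended outside_in
 deny   ip object-group NETWORK-ATTACKERS any log
 permit esp any host 72.54.251.173
 permit udp any host 72.54.251.173 eq isakmp
 permit tcp any host 72.54.251.172 eq smtp
 permit tcp any host 72.54.251.172 eq www
 permit tcp any host 72.54.251.172 eq 443
 permit tcp any host 72.54.251.170 eq 443
 permit tcp any host 72.54.251.172 eq 389
 deny   ip any any log
"""

# IOS keyword ports that appear in the posted ACLs.
NAMED_PORTS = {"smtp": 25, "www": 80, "isakmp": 500, "domain": 53, "ntp": 123}

# Constructed test source (TEST-NET-3); not a real Mimecast address.
MIMECAST_PROBE = {"src": "203.0.113.10", "dst": "72.54.251.172",
                  "proto": "tcp", "dport": 389}


def _addr_spec(tokens, i):
    """Consume 'any' | 'host X' | 'object-group G'; return ((kind, value), next_i)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] in ("host", "object-group"):
        return (tokens[i], tokens[i + 1]), i + 2
    raise ValueError("unsupported address form: %s" % " ".join(tokens[i:]))


def parse_ace(tokens):
    """One extended-ACL entry: action proto src dst [eq port] [log]."""
    src, i = _addr_spec(tokens, 2)
    dst, i = _addr_spec(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = NAMED_PORTS.get(tokens[i + 1]) or int(tokens[i + 1])
    return {"action": tokens[0], "proto": tokens[1],
            "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    """Collect network object-groups, extended ACLs and static NAT (global -> local)."""
    groups, acls, static_nat = {}, {}, {}
    section = None                     # ("group", name) or ("acl", name)
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if line.startswith("object-group network"):
            section = ("group", tokens[-1])
            groups[tokens[-1]] = []
        elif line.startswith("ip access-list extended"):
            section = ("acl", tokens[-1])
            acls[tokens[-1]] = []
        elif line.startswith("ip nat inside source static"):
            static_nat[tokens[6]] = tokens[5]          # outside global -> inside local
        elif line.startswith(" ") and section and section[0] == "group":
            groups[section[1]].append(tokens[1])       # " host A.B.C.D"
        elif line.startswith(" ") and section and section[0] == "acl":
            acls[section[1]].append(parse_ace(tokens))
    return groups, acls, static_nat


def _matches(spec, ip, groups):
    kind, value = spec
    if kind == "any":
        return True
    if kind == "host":
        return ip == value
    return ip in groups[value]                         # object-group


def evaluate_acl(acl, groups, pkt):
    """First matching entry wins; no match hits the implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"])
                and _matches(ace["src"], pkt["src"], groups)
                and _matches(ace["dst"], pkt["dst"], groups)
                and ace["dport"] in (None, pkt["dport"])):
            return ace["action"], ace
    return "deny", None


def trace_inbound(text, pkt):
    """ACL verdict on Dialer0, the NAT target it lands on, and whether that target is a DC."""
    groups, acls, static_nat = parse_config(text)
    verdict, _ = evaluate_acl(acls["outside_in"], groups, pkt)
    inside = static_nat.get(pkt["dst"]) if verdict == "permit" else None
    return {"acl": verdict, "inside_host": inside,
            "is_dc": inside in groups["***-AD-DCS"]}


if __name__ == "__main__":
    print(trace_inbound(CONFIG, MIMECAST_PROBE))
    # -> {'acl': 'permit', 'inside_host': '192.168.52.15', 'is_dc': False}
    print(trace_inbound(CONFIG, dict(MIMECAST_PROBE, src="90.207.153.89")))
```

The trace shows the new entry permits the packet, and the static NAT then hands it to 192.168.52.15, the host the posted `***-SMTP` group describes as the internal Exchange server, not to any of the `***-AD-DCS` domain controllers. If that host is not also a domain controller, nothing there is listening on 389: the SYN is answered with a RST, which a client reports as "connection refused" while the ACL counter still increments. The check to run from the LAN is simply whether 192.168.52.15 accepts a connection on 389 at all. Two caveats a practitioner would want before going further: `permit tcp any host 72.54.251.172 eq 389` exposes the directory to every source address on the internet, so restrict the source to the address ranges Mimecast publishes for its service, and plain LDAP on 389 carries the bind credentials in the clear unless StartTLS is used, so LDAPS on 636 (already in `***-AD-SERVICES`) is the better port to publish.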
1 REPLY
Bronze

Hello,

I believe LDAP also uses UDP as well as TCP, so it may be worth adding a line of code to permit that too.

HTH

Mike
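Before adding any further ACL entries it is worth pinning down what "refused" means in the question. A Cisco IOS ACL deny silently drops the packet (logging it when `log` is set); it never answers with a RST. A client only reports "connection refused" when a RST came back, so the SYN was permitted, translated and delivered to a host with no listener on that port. The probe below is an added example, not part of either post: it classifies a TCP connect as open, refused, filtered or unreachable and maps each to the next thing to check. It runs offline against localhost; the `NEXT_STEP` wording and the function names are this example's own, and the real invocations against 72.54.251.172:389 and 192.168.52.15:389 are shown only as comments.

```python
# Added example, not part of either post: classify a TCP connect attempt
# so the symptom in the question ("ACL matches, connection refused") is
# read correctly before more ACL entries are added. An IOS ACL deny drops
# silently; a RST ("refused") means the packet got through ACL and NAT
# and reached a host that is not listening on that port.
import errno
import socket

NEXT_STEP = {
    "open": "handshake completed: ACL, NAT and the listener are all fine",
    "refused": "RST came back: ACL and NAT delivered the SYN, but nothing is "
               "listening on that port on the NAT target",
    "filtered": "no reply before timeout: check the inbound ACL (and its "
                "'deny ... log' output) and the static NAT statement",
    "unreachable": "no route from this host: probe from a vantage point "
                   "that can reach the target",
}


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:            # no SYN-ACK and no RST within timeout
        return "filtered"
    except ConnectionRefusedError:    # RST: host reached, port closed
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def diagnose(result):
    """Map a probe result to the next thing to check on the router or host."""
    return NEXT_STEP[result]


def demo_localhost():
    """Exercise probe_tcp offline: one real listener, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_tcp("127.0.0.1", port)
    finally:
        listener.close()
    after_close = probe_tcp("127.0.0.1", port)   # nothing listening -> RST
    return while_listening, after_close


if __name__ == "__main__":
    for label, result in zip(("listening", "closed"), demo_localhost()):
        print(f"{label}: {result} -> {diagnose(result)}")
    # Intended use from a host outside the router:
    #   print(probe_tcp("72.54.251.172", 389))
    # and from the LAN, against the NAT target itself:
    #   print(probe_tcp("192.168.52.15", 389))
```

Run the LAN probe first: if 192.168.52.15 itself returns "refused" on 389, no ACL change on the router (TCP or UDP) will alter the result, and the NAT needs to point at a host that actually serves LDAP. `show access-lists` match counts and `show ip nat translations` on the router confirm the same thing from the other side: the entry is matched and the translation exists, yet the session never completes.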