06-18-2006 01:46 PM - edited 02-21-2020 12:58 AM
Does anyone have an idea how to configure the PIX 501 for a Blackberry server to work with a BB wireless device?
name 10.0.0.54 BESServer
object-group service BESServerTCP tcp
description TCP3101
port-object eq 3101
access-list outside_access_in permit tcp any host 204.42.8.206 object-group BESServerTCP log 5
pdm location BESServer 255.255.255.255 inside
static (inside,outside) 204.42.8.206 BESServer netmask 255.255.255.255 0 0
That is what I have and it does not work.
Thank you for your help.
06-18-2006 05:04 PM
This (http://www.blackberry.com/products/wlan/sys_req.shtml) says you need TCP port 4101 open. But then there's other documents that describe the use of port 3101, so not sure there (http://www.blackberry.com/support/pdfs/TAE-00038-001-Placing_BES_Exchange_demilitarized_zone.pdf)
Your best bet to see if this is a connection issue is to enable syslogging and see if any packets on a particular port are being denied at the PIX. You can then open these up and see if that resolves the problem. To verify quickly whether it's the PIX at fault or not, just add a:
access-list outside_access_in permit ip any any
line so that you know the PIX is not blocking anything. If that resolves it then you know it's simply an access-list problem and the syslog should tell you what it is that needs to be opened. If it doesn't work after opening the PIX right up, then you know you need to look elsewhere.
06-19-2006 12:02 AM
For the BES to function correctly you need to allow ONLY TCP port 3101 outbound from your internal LAN i.e.
access-list inside permit tcp host
access-group inside in interface inside
If you are based in Europe then test from your BES server to see if you can connect to one of the Blackberry relay nodes i.e.
From your BES server (command prompt)
telnet srp.eu.blackberry.net 3101
If the above is not successful then I would suggest that you take out all your inside ACLs and test again. As you know, the PIX allows (by default) all inside connections out; this should verify if there is a problem with your ACLs.
And also read the info provided by Glen on his post.
Hope this helps.
Jay
06-21-2006 05:32 AM
I agree with Jay: his config is all I've ever seen for Blackberry (in EU).
I would not recommend putting "permit ip any any" on your outside ACL. A better idea would be the log keyword, e.g.:
access-list outside_access_in deny ip any host 204.42.8.206 log
then it logs any hits under syslog id 106100 and they're easier to pick out of the log, i.e. you can do
"no logg mess 106023" to ignore background noise and still see what's getting blocked to that one IP.
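As an added example (not from any poster in this thread), here is a small Python script that does the triage Glen and the last reply describe: it reads PIX syslog output, picks out the 106023 and 106100 deny messages, and tallies which destination ports are being blocked for the BES static address, so you know exactly what to open instead of adding a blanket permit. The log lines are constructed samples modelled on those two message formats, and the addresses and port numbers in them are assumptions.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines modelled on message 106023 (packet denied by an ACL)
# and 106100 (ACL entry hit with the "log" keyword). Not captured from a real device.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:204.42.8.206/4101 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:204.42.8.206/4101 by access-group "outside_access_in"
%PIX-6-106100: access-list outside_access_in denied tcp outside/198.51.100.9(40000) -> inside/204.42.8.206(3101) hit-cnt 1 first hit
%PIX-4-106023: Deny udp src outside:198.51.100.8/53 dst inside:204.42.8.206/1025 by access-group "outside_access_in"
%PIX-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.9(40001) -> inside/204.42.8.206(3101) hit-cnt 1 first hit
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51236 dst inside:204.42.8.207/4101 by access-group "outside_access_in"
"""

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
RE_106023 = re.compile(
    r"%PIX-\d-106023: Deny (\w+) src [^:\s]+:([^/\s]+)/(\d+) dst [^:\s]+:([^/\s]+)/(\d+)"
)
# 106100: access-list <acl> {permitted|denied} <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>)
RE_106100 = re.compile(
    r"%PIX-\d-106100: access-list (\S+) (denied|permitted) (\w+) "
    r"[^/\s]+/([^(\s]+)\((\d+)\) -> [^/\s]+/([^(\s]+)\((\d+)\)"
)

def parse_denies(log_text):
    """Yield (proto, dst_ip, dst_port) for every packet the PIX reports as denied."""
    for line in log_text.splitlines():
        m = RE_106023.search(line)
        if m:
            proto, _src, _sport, dst, dport = m.groups()
            yield proto, dst, int(dport)
            continue
        m = RE_106100.search(line)
        if m and m.group(2) == "denied":   # 106100 also records permitted hits; skip those
            _acl, _action, proto, _src, _sport, dst, dport = m.groups()
            yield proto, dst, int(dport)

def denied_ports_for_host(log_text, host):
    """Count denied (proto, port) pairs destined for one host, most frequent first."""
    counts = Counter((proto, port) for proto, dst, port in parse_denies(log_text) if dst == host)
    return counts.most_common()

if __name__ == "__main__":
    for (proto, port), n in denied_ports_for_host(SAMPLE_LOG, "204.42.8.206"):
        print(f"{proto}/{port}: {n} denied")
```

Run it against a capture from your syslog server (or "show logging" output) and only the ports that actually appear in the denied list need an access-list entry.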