Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

blackberry and PIX 501 configuration

Does any one have an idea how to configure the PIX 501 for Blackberry server to work with BB wireless device

name BESServer

object-group service BESServerTCP tcp

description TCP3101

port-object eq 3101

access-list outside_access_in permit tcp any host object-group BESServerTCP log 5

pdm location BESServer inside

static (inside,outside) BESServer netmask 0 0

that is what I have and it doe not work

Thank you for help

Cisco Employee

Re: blackberry and PIX 501 configuration

This ( says you need TCP port 4101 open. But then there's other documents that describe the use of port 3101, so not sure there (

Your best bet to see if this is a connection issue is to enable syslogging and see if any packets on a particular port are being denied at the PIX. You can then open these up and see if that resolves the problem. To verify quickly whether it's the PIX at fault or not, just add a:

access-list outside_access_in permit ip any any

line so that you know the PIX is not blocking anything. If that resolves it then you know it's simply an access-list problem and the syslog should tell you what it is that needs to be opened. If it doesn't work after opening the PIX right up, then you know you need to look elsewhere.


Re: blackberry and PIX 501 configuration

For the BES to function correctly you need to allow ONLY TCP port 3101 outbound from your internal LAN i.e.

access-list inside permit tcp host any eq 3101

access-group inside in interface inside

If you are based in Europe then test from your BES server to see if you can connect to one of the Blackberry relay nodes i.e.

From your BES server (command prompt)

telnet 3101

If the above is not successful then I would suggest that you take out all your inside ACLs and test again. As you know, the PIX allows (by default) all inside connection out ? this should verify if there is a problem with your ACLs.

And also read the info provided by Glen on his post.

Hope this helps.


Re: blackberry and PIX 501 configuration

I agree with Jay: his config is all I've ever seen for Blackberry (in EU).

I would not recommend putting "permit ip any any" on your outside ACL. A better idea would be the log keywork, e.g:

access-list outside_access_in deny ip any host log

then it logs any hits under syslog id 106100 and they're easier to pick out the log i.e. you can do

"no logg mess 106023" to ignore background noise and still see what's getting blocked to that one IP.

CreatePlease to create content