Enable IMAP access thru 515E

Status
Not open for further replies.

don1907 (IS-IT--Management), Dec 14, 2006, US
I have an Exchange server located at 66.173.204.zzz. I have added the following lines to the PIX but get a refused connection when connecting to IMAP from a remote location. OWA works fine; web sites work fine.

access-list acl_out permit tcp any host 66.173.204.zzz eq imap4

access-list acl_outside permit tcp any host 66.173.204.zzz eq imap4

access-list acl_inbound permit tcp any interface outside eq 143

What am I missing, or what needs to be added?

Thanks



 
Do you have all three of the ACLs in your config? Which ACL is named in the access-group that is applied to the outside interface? If it is access-list acl_inbound, then try the following:

access-list acl_inbound permit tcp any host 66.173.204.zzz eq imap4



Jim W MCSE CCNA
Network Manager
 
Same error when connecting. I have attached my running config.


epa515(config)# show running-config
: Saved
:
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password 5AazmePNQ8pICi2X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname epa515
domain-name eastportanalytics.com
clock timezone est -5
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network EPA_www
description All servers providing to the outside
network-object host 66.173.204.xxx
network-object host 66.173.204.zzz
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
object-group network EPA_https
description All servers providing HTTPS services to the outside
network-object host 66.173.204.xxx
network-object host 66.173.204.zzz
object-group network EPA_smtp
description All servers providing SMTP services to the outside
network-object host 66.173.204.xxx
network-object host 66.173.204.zzz
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
object-group network EPA_dns
description All servers providing DNS services to the outside
network-object host 66.173.204.xxx
network-object host 66.173.204.xxx
object-group network EPA_cavtel_dns
description Cavtel External DNS servers used for Zone Transfer
network-object host 216.220.40.xxx
network-object host 64.39.29.xxx
network-object host 216.220.40.xxx
object-group network EPA_https_real
description All servers providing HTTPS services to the outside
network-object 192.168.30.20 255.255.255.255
network-object 192.168.30.21 255.255.255.255
object-group network EPA_dns_real
description All servers providing DNS services to the outside
network-object 172.16.250.21 255.255.255.255
network-object 172.16.250.30 255.255.255.255
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host 66.173.204.zzz eq https
access-list acl_out permit tcp any host 66.173.204.zzz eq www
access-list acl_out permit tcp any host 66.173.204.zzz eq smtp
access-list acl_out permit tcp any host 66.173.204.xxx eq https
access-list acl_out permit tcp any host 66.173.204.xxx eq www
access-list acl_out permit tcp any host 66.173.204.xxx eq www
access-list acl_out permit tcp any host 66.173.204.xxx eq www
access-list acl_out permit tcp any host 66.173.204.xxx eq www
access-list acl_out permit udp any host 66.173.204.xxx eq domain
access-list acl_out permit tcp any host 66.173.204.xxx eq ftp
access-list acl_out permit tcp any host 66.173.204.zzz eq imap4
access-list acl_out permit tcp any host 66.173.204.zzz eq 993
access-list 88 permit ip 192.168.20.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.25.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.30.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 88 permit ip 192.168.20.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 88 permit ip 192.168.30.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 88 permit ip 192.168.40.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.30.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 192.168.40.0 255.255.255.0 any
access-list VPNAdmins_splitTunnelAcl permit ip 172.16.250.0 255.255.255.0 any
access-list DMZ_outbound_nat0_acl permit ip 172.16.250.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
access-list DMZ_cryptomap_dyn_20 permit ip any 192.168.5.0 255.255.255.0
access-list VPNDmz_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any
access-list VPNDmz_splitTunnelAcl permit ip 192.168.20.0 255.255.255.0 any
access-list VPNDmz_splitTunnelAcl permit ip 192.168.30.0 255.255.255.0 any
access-list VPNDmz_splitTunnelAcl permit ip 192.168.40.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.10.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.20.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.30.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 192.168.40.0 255.255.255.0 any
access-list VPNUsers_splitTunnelAcl_1 permit ip 172.16.250.0 255.255.255.0 any
access-list outside_cryptomap_dyn_40 permit ip any 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_60 permit ip any 192.168.5.0 255.255.255.0
access-list DMZ_inside permit tcp host 172.16.250.20 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit udp host 172.16.250.20 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit tcp host 172.16.250.30 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit udp host 172.16.250.30 eq 20031 host 192.168.30.21 eq 20031
access-list DMZ_inside permit udp host 172.16.250.20 host 192.168.30.21 range 20050 20070
access-list DMZ_inside permit udp host 172.16.250.30 host 192.168.30.21 range 20050 20070
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.21 range 20031 20050
access-list DMZ_inside permit tcp host 172.16.250.30 host 192.168.30.21 range 20031 20050
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.20 eq smtp
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.21 eq smtp
access-list DMZ_inside permit tcp host 172.16.250.20 host 192.168.30.21 eq domain
access-list DMZ_inside permit tcp host 172.16.250.21 host 192.168.30.21 eq domain
access-list DMZ_inside permit udp host 172.16.250.21 host 192.168.30.21 eq domain
access-list DMZ_inside permit udp host 172.16.250.21 host 64.83.1.10 eq domain
access-list DMZ_inside permit udp host 172.16.250.21 host 64.83.0.10 eq domain
access-list DMZ_inside permit ip 172.16.250.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ_inside permit ip host 172.16.250.249 host 172.16.250.1
access-list DMZ_inside permit ip host 172.16.250.250 host 172.16.250.1
access-list DMZ_inside permit ip 172.16.253.0 255.255.255.248 host 172.16.250.1
access-list DMZ_inside permit ip 172.16.253.16 255.255.255.248 host 172.16.250.1
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.10.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.20.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.30.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.0 255.255.255.248 192.168.40.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.10.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.20.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.30.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.253.16 255.255.255.248 192.168.40.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list DMZ_inside deny ip 172.16.250.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list DMZ_inside permit ip 172.16.253.0 255.255.255.248 any
access-list DMZ_inside permit ip 172.16.253.16 255.255.255.248 any
access-list DMZ_inside permit ip 172.16.250.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 192.168.10.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 192.168.20.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 192.168.40.0 255.255.255.0 any
access-list VPNConsult_splitTunnelAcl_1 permit ip 172.16.250.0 255.255.255.0 any
access-list acl_outside permit tcp any object-group EPA_ www
access-list acl_outside permit tcp any object-group EPA_https eq https
access-list acl_outside permit tcp any object-group EPA_smtp eq smtp
access-list acl_outside permit udp any object-group EPA_dns eq domain
access-list acl_outside permit tcp object-group EPA_cavtel_dns object-group EPA_dns eq domain
access-list acl_outside permit udp object-group EPA_cavtel_dns object-group EPA_dns eq domain
access-list acl_outside permit tcp any host 66.173.204.xxx eq ftp
access-list 109 permit tcp any object-group EPA_dns eq domain
access-list 109 permit udp any object-group EPA_dns eq domain
access-list Acl_Outside permit tcp any host 66.173.204.zzz eq imap4
access-list acl_inbound permit tcp any interface outside eq imap4
access-list acl_inbound permit tcp any host 66.173.204.zzz eq imap4
pager lines 24
logging on
logging buffered errors
icmp deny any outside
icmp permit any DMZ
mtu outside 1800
mtu inside 1800
mtu DMZ 1500
ip address outside 66.173.204.xxx 255.255.255.240
ip address inside 172.16.251.2 255.255.255.252
ip address DMZ 172.16.250.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool EPANatPool 192.168.5.10-192.168.5.254
ip local pool EPAPPTP 192.168.6.10-192.168.6.254
pdm location 192.168.20.254 255.255.255.255 inside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 192.168.40.0 255.255.255.0 inside
pdm location 192.168.30.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 10.10.11.100 255.255.255.255 outside
pdm location 172.16.250.20 255.255.255.255 DMZ
pdm location 24.53.142.70 255.255.255.255 outside
pdm location 192.168.25.0 255.255.255.0 inside
pdm location 192.168.30.0 255.255.255.0 inside
pdm location 192.168.40.19 255.255.255.255 inside
pdm location 192.168.25.20 255.255.255.255 inside
pdm location 192.168.30.21 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 172.16.250.21 255.255.255.255 DMZ
pdm location 172.16.250.22 255.255.255.255 DMZ
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 207.196.42.0 255.255.255.0 outside
pdm location 207.196.62.0 255.255.255.0 outside
pdm location 192.168.40.18 255.255.255.255 inside
pdm location 172.16.250.30 255.255.255.255 DMZ
pdm location 172.16.250.31 255.255.255.255 DMZ
pdm location 172.16.250.32 255.255.255.255 DMZ
pdm location 172.16.250.249 255.255.255.255 DMZ
pdm location 172.16.250.250 255.255.255.255 DMZ
pdm location 172.16.253.0 255.255.255.248 DMZ
pdm location 172.16.253.16 255.255.255.248 DMZ
pdm location 64.39.29.212 255.255.255.255 outside
pdm location 216.220.40.243 255.255.255.255 outside
pdm location 216.220.40.250 255.255.255.255 outside
pdm group EPA_https_real inside
pdm group EPA_dns_real DMZ
pdm group EPA_https outside reference EPA_https_real
pdm group EPA_dns outside reference EPA_dns_real
pdm group EPA_cavtel_dns outside
pdm history enable
arp timeout 14400
global (outside) 1 66.173.204.xxx netmask 255.255.255.240
global (outside) 2 66.173.204.xxx netmask 255.255.255.240
nat (inside) 0 access-list 88
nat (inside) 2 192.168.10.0 255.255.255.0 0 0
nat (inside) 2 192.168.20.0 255.255.255.0 0 0
nat (inside) 2 192.168.30.0 255.255.255.0 0 0
nat (inside) 1 192.168.40.0 255.255.255.0 0 0
nat (DMZ) 0 access-list DMZ_outbound_nat0_acl
nat (DMZ) 1 172.16.250.0 255.255.255.0 0 0
static (DMZ,outside) tcp 66.173.204.xxx 8784 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp 66.173.204.xxx smtp 172.16.250.20 smtp netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.xxx 192.168.30.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.40.0 192.168.40.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 0 0
static (DMZ,inside) 172.16.250.0 172.16.250.0 netmask 255.255.255.0 0 0
static (DMZ,outside) 66.173.204.zzz 172.16.250.21 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.173.204.xxx 172.16.250.22 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.173.204.xxx 172.16.250.30 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.173.204.xxx 172.16.250.31 netmask 255.255.255.255 0 0
static (DMZ,outside) 66.173.204.xxx 172.16.250.32 netmask 255.255.255.255 0 0
static (inside,outside) 66.173.204.zzz 192.168.30.21 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group DMZ_inside in interface DMZ
route outside 0.0.0.0 0.0.0.0 66.173.204.xxx 1
route inside 192.168.0.0 255.255.0.0 172.16.251.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 3:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server EPA-RADIUS protocol radius
aaa-server EPA-RADIUS (inside) host 192.168.30.21 p1xrad1u5 timeout 10
aaa authentication ssh console LOCAL
http server enable
http 24.53.142.70 255.255.255.255 outside
http 207.196.42.0 255.255.255.0 outside
http 207.196.62.0 255.255.255.0 outside
http 192.168.40.19 255.255.255.255 inside
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.40.19 /cisco/pix/
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map DMZ_dyn_map 20 match address DMZ_cryptomap_dyn_20
crypto dynamic-map DMZ_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication EPA-RADIUS
crypto map outside_map interface outside
crypto map DMZ_map 65535 ipsec-isakmp dynamic DMZ_dyn_map
crypto map DMZ_map client authentication EPA-RADIUS
crypto map DMZ_map interface DMZ
crypto map ouside_map client configuration address initiate
crypto map ouside_map client configuration address respond
isakmp enable outside
isakmp enable DMZ
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNAdmins address-pool EPANatPool
vpngroup VPNAdmins dns-server 192.168.30.20 192.168.30.21
vpngroup VPNAdmins wins-server 192.168.30.20 192.168.30.21
vpngroup VPNAdmins default-domain eastportanalytics.com
vpngroup VPNAdmins split-tunnel VPNAdmins_splitTunnelAcl
vpngroup VPNAdmins pfs
vpngroup VPNAdmins idle-time 1800
vpngroup VPNAdmins password ********
vpngroup VPNUsers address-pool EPANatPool
vpngroup VPNUsers dns-server 192.168.30.20 192.168.30.21
vpngroup VPNUsers wins-server 192.168.30.20 192.168.30.21
vpngroup VPNUsers default-domain eastportanalytics.com
vpngroup VPNUsers split-tunnel VPNUsers_splitTunnelAcl_1
vpngroup VPNUsers idle-time 1800
vpngroup VPNUsers password ********
vpngroup VPNDmz address-pool EPANatPool
vpngroup VPNDmz dns-server 192.168.30.20 192.168.30.21
vpngroup VPNDmz wins-server 192.168.30.20 192.168.30.21
vpngroup VPNDmz default-domain eastportanalytics.com
vpngroup VPNDmz split-tunnel VPNDmz_splitTunnelAcl
vpngroup VPNDmz idle-time 1800
vpngroup VPNDmz password ********
vpngroup VPNConsult address-pool EPANatPool
vpngroup VPNConsult dns-server 192.168.30.20 192.168.30.21
vpngroup VPNConsult wins-server 192.168.30.20 192.168.30.21
vpngroup VPNConsult default-domain eastportanalytics.com
vpngroup VPNConsult split-tunnel VPNConsult_splitTunnelAcl_1
vpngroup VPNConsult idle-time 1800
vpngroup VPNConsult password ********
telnet timeout 5
ssh 24.53.142.70 255.255.255.255 outside
ssh 207.196.42.0 255.255.255.0 outside
ssh 207.196.62.0 255.255.255.0 outside
ssh 192.168.40.19 255.255.255.255 inside
ssh 192.168.40.18 255.255.255.255 inside
ssh 192.168.30.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local EPAPPTP
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.30.20 192.168.30.21
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.30.20 192.168.30.21
vpdn group PPTP-VPDN-GROUP client authentication aaa EPA-RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn username krislocal password *********
vpdn username mark password *********
vpdn enable outside
username pwherry password yMrlb7CTm2FgGo/c encrypted privilege 15
username emmettk password sAL0w4P0sIQYI/Vu encrypted privilege 15
username dhammond password MlcQgCHOwjYegMdh encrypted privilege 15
terminal width 80
Cryptochecksum:5838d6df194418fa7481fd775456bfb3
: end
epa515(config)#
 
You have an ACL, "acl_inbound", that is not applied to any interface, so those lines can be removed. I think the following should get you going.

Remove:

access-list acl_inbound permit tcp any interface outside eq imap4
access-list acl_inbound permit tcp any host 66.173.204.zzz eq imap4
access-list acl_out permit tcp any host 66.173.204.zzz eq imap4
access-list acl_out permit tcp any host 66.173.204.zzz eq 993

Keep:

access-list acl_Outside permit tcp any host 66.173.204.zzz eq imap4

Add:

access-list acl_Outside permit tcp any host 66.173.204.zzz eq 993

Hope this helps.



Jim W MCSE CCNA
Network Manager
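Both replies above turn on the same question: which access-list is actually bound to the outside interface by access-group, and which ones are defined but never applied. The running config answers it (access-group binds acl_outside and DMZ_inside only, while acl_out, acl_inbound, 109 and Acl_Outside are never bound), and it also shows a trap worth checking for by hand or by script: PIX access-list names are case-sensitive, so the imap4 entry under Acl_Outside lives in a separate, unapplied list rather than in the acl_outside list that the access-group references. The script below is an added example, not part of the original thread or of any Cisco tool; it parses a constructed subset of the posted config (with the poster's redacted addresses kept as-is) and reports unapplied lists, names that differ only by case, and port entries that therefore never take effect. The function and variable names are this example's own.

```python
"""Audit which access-lists in a PIX 6.x running-config are actually applied.

Added example for this thread. The parser handles only the two statement
forms it needs (access-list and access-group), which is enough to answer
"is the ACE I just added in a list that is bound to an interface?".
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the access-list / access-group
# lines from the config posted above, addresses left redacted as posted.
SAMPLE_CONFIG = """\
access-list acl_out permit tcp any host 66.173.204.zzz eq https
access-list acl_out permit tcp any host 66.173.204.zzz eq imap4
access-list acl_out permit tcp any host 66.173.204.zzz eq 993
access-list DMZ_inside permit ip 172.16.250.0 255.255.255.0 any
access-list acl_outside permit tcp any object-group EPA_https eq https
access-list acl_outside permit tcp any object-group EPA_smtp eq smtp
access-list acl_outside permit tcp any host 66.173.204.xxx eq ftp
access-list 109 permit udp any object-group EPA_dns eq domain
access-list Acl_Outside permit tcp any host 66.173.204.zzz eq imap4
access-list acl_inbound permit tcp any interface outside eq imap4
access-list acl_inbound permit tcp any host 66.173.204.zzz eq imap4
access-group acl_outside in interface outside
access-group DMZ_inside in interface DMZ
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, {acl_name: interface_it_is_bound_to})."""
    acls = defaultdict(list)
    applied = {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2))
            continue
        m = GROUP_RE.match(line)
        if m:
            applied[m.group(1)] = m.group(2)
    return dict(acls), applied


def unapplied_acls(acls, applied):
    """Names of ACLs that exist in the config but are bound to no interface."""
    return sorted(name for name in acls if name not in applied)


def case_collisions(acls):
    """Groups of ACL names that differ only by case.

    ACL names on the PIX are case-sensitive: 'Acl_Outside' and 'acl_outside'
    are two different lists, so an ACE typed under the wrong spelling is
    silently inert.
    """
    by_lower = defaultdict(set)
    for name in acls:
        by_lower[name.lower()].add(name)
    return {k: sorted(v) for k, v in by_lower.items() if len(v) > 1}


def dead_aces_for_port(acls, applied, port):
    """ACEs that mention `eq <port>` but live only in unapplied lists."""
    pattern = re.compile(rf"\beq {re.escape(port)}\b")
    dead = []
    for name, aces in acls.items():
        if name in applied:
            continue
        for ace in aces:
            if pattern.search(ace):
                dead.append((name, ace))
    return dead


def audit(text, port="imap4"):
    """Run all three checks over one running-config and return a report dict."""
    acls, applied = parse_config(text)
    return {
        "applied": applied,
        "unapplied": unapplied_acls(acls, applied),
        "case_collisions": case_collisions(acls),
        "dead_aces": dead_aces_for_port(acls, applied, port),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted config the report shows acl_outside bound to outside and DMZ_inside bound to DMZ, four unapplied lists (109, Acl_Outside, acl_inbound, acl_out), one case collision (Acl_Outside versus acl_outside), and four imap4 entries that sit only in unapplied lists. The practical consequence is that any imap4 or 993 permit has to be added under the name exactly as it appears in the access-group line, acl_outside, for the PIX to evaluate it. Two caveats a practitioner would add: port 143 is cleartext IMAP, so if clients can use 993 (IMAP over TLS) there is no reason to expose 143 as well, and the PIX silently drops packets no applied ACL permits, so an immediate "connection refused" rather than a timeout is worth noting when you retest after the change.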
 