https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508709#M611850 <HTML><HEAD></HEAD><BODY><P>The GFI name entries are subnets and not hosts, maybe this</P><P> is the cause.</P><P>E.g. GFI1 is 208.80.78.0 for example.</P><P></P><P>Would I need to simply add a "mask" entry or is this irrelevant ?</P><P></P><P>Thanks.</P><P>S.</P></BODY></HTML> Fri, 10 Sep 2010 14:19:07 GMT stephenwilletts 2010-09-10T14:19:07Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508705#M611846 <P>Having great trouble trying to get my online mail filtering service to sync with LDAP through the Cisco ASA 5505.</P><P>Please below for firewall entries.</P><P></P><P class="MsoNormal" style="margin: 0cm 0cm 10pt;"><SPAN style="color: #000000; font-size: 12pt; font-family: Calibri; ">access-list outside extended permit tcp host GFI1 host SMTP eq ldap</SPAN></P><P class="MsoNormal" style="margin: 0cm 0cm 10pt;"><SPAN style="color: #000000; font-size: 12pt; font-family: Calibri; ">static (inside,outside) tcp SMTP ldap SERVER ldap netmask 255.255.255.255</SPAN></P><P>The below error gets logged on the ASA.</P><P></P><P>Deny tcp src outside:208.70.89.81/42946 dst inside:SMTP/389 by access-group "outside" [0x0, 0x0]</P><P></P><P>Have I done something wrong or missing some config entries ?</P><P></P><P>The server is SBS2008 with LDS installed and configured.</P><P></P><P>Thank you.</P><P>S.</P> Mon, 11 Mar 2019 18:38:33 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508705#M611846 stephenwilletts 2019-03-11T18:38:33Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508706#M611847 <HTML><HEAD></HEAD><BODY><P>Hi Stephen,</P><P></P><P>What IP address is configured assigned to the GFI1 name? You can check 'show run name | i GFI1' to see if it is configured for 208.70.89.81.</P><P></P><P>-Mike</P></BODY></HTML> Fri, 10 Sep 2010 14:03:38 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508706#M611847 mirober2 2010-09-10T14:03:38Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508707#M611848 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>I've a number of GFIx names assigned to a number of their IP ranges and all are OK.</P><P></P><P>Thanks.</P><P>S.</P></BODY></HTML> Fri, 10 Sep 2010 14:12:36 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508707#M611848 stephenwilletts 2010-09-10T14:12:36Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508708#M611849 <HTML><HEAD></HEAD><BODY><P>Stephen,</P><P></P><P>But does the "outside" access list contain a rule that permits traffic sourced from 208.70.89.81 and destined to the host called SMTP on port 389? The log message you see indicates that the packet isn't matching any of the permit rules in the access list.</P><P></P><P>-Mike</P></BODY></HTML> Fri, 10 Sep 2010 14:14:35 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508708#M611849 mirober2 2010-09-10T14:14:35Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508709#M611850 <HTML><HEAD></HEAD><BODY><P>The GFI name entries are subnets and not hosts, maybe this</P><P> is the cause.</P><P>E.g. GFI1 is 208.80.78.0 for example.</P><P></P><P>Would I need to simply add a "mask" entry or is this irrelevant ?</P><P></P><P>Thanks.</P><P>S.</P></BODY></HTML> Fri, 10 Sep 2010 14:19:07 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508709#M611850 stephenwilletts 2010-09-10T14:19:07Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508710#M611851 <HTML><HEAD></HEAD><BODY><P>Hi Stephen,</P><P></P><P>Names are only used for hosts, so they don't accept a subnet mask. In the example you provided, the ASA will try to match the packet to 208.80.78.0.</P><P></P><P>If you want to specify full subnets, you can use object-groups:</P><P></P><P>object-group network GFI1</P><P>&nbsp;&nbsp; network-object 208.80.78.0 255.255.255.0</P><P></P><P>You'll also need to adjust your access-list to use the object-group like this:</P><P></P><P>access-list outside extended permit tcp object-group GFI1 host SMTP eq ldap</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Fri, 10 Sep 2010 14:27:35 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508710#M611851 mirober2 2010-09-10T14:27:35Z https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508711#M611852 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>This got it working.</P><P></P><P>Many many thanks.</P><P>S.</P></BODY></HTML> Fri, 10 Sep 2010 15:50:20 GMT https://community.cisco.com/t5/network-security/asa-5505-ldap-sync-for-gfi-max-mail-protection/m-p/1508711#M611852 stephenwilletts 2010-09-10T15:50:20Z