
Odd behavior of ACL?

Michael Couture

I have a Cisco 2921 on the edge with an ASA 5505 on the inside. Up until Friday all iPhones were able to access email with no problem. All of a sudden they are unable to access the email. If I add an ACL to the outside interface it works again. The part I do not understand is that I can make it any permit statement and it works, even though it has nothing to do with port 443.

For example if I added:

ip access-list extended OUTSIDE_ACESS_IN
 permit tcp any host eq 3389

and then assign it on the in direction to the outside interface.

The iPhones are once again able to retrieve email from the Exchange server even though that access list is pointing remote access to the remote access server. I can make it any access list I want and ActiveSync will work again, but the minute I remove the ACL it stops again. The only change that was made since Friday is that I enabled NetFlow.


Michael Couture

I figured it out; it had nothing to do with the ACL. I did not notice that when I applied the ACL it shut down the connection. IP SLA was not able to pass its ICMP packets, causing the interface to shut down and bring up the backup interface. The problem was with the way the DNS records were set up. DNS was still trying to send all the ActiveSync mail traffic to the backup interface, which was the primary until recently.
