I have a Cisco 2921 on the edge with an ASA 5505 on the inside. Up until Friday all iPhones were able to access email with no problem. All of a sudden they are unable to access the email. If I add an ACL to the outside interface it works again. The part I do not understand is that I can make it any permit statement and it works, even though it has nothing to do with port 443.
For example if I added:
ip access-list extended OUTSIDE_ACESS_IN
permit tcp any host 192.168.100.10 eq 3389
and then assign it on the in direction to the outside interface.
The iPhones are once again able to retrieve email from the Exchange server, even though that access list is pointing remote access to the remote access server. I can make it any access list I want and ActiveSync will work again, but the minute I remove the ACL it stops again. The only change made since Friday is that I enabled NetFlow.
I figured it out; it had nothing to do with the ACL. I did not notice that when I applied the ACL it shut down the connection. IP SLA was not able to pass its ICMP packets, causing the interface to shut down and bring up the backup interface. The problem was with the way the DNS records were set up. DNS was still trying to send all the ActiveSync mail traffic to the backup interface, which was the primary until recently.
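The failure chain the poster describes (an inbound ACL on the outside interface silently dropping the IP SLA ICMP probes, the tracked object going down, and the router failing over to the backup path) is easy to reproduce and easy to guard against. The Cisco IOS fragment below is an added example, not the poster's configuration: it assumes a hypothetical edge router with a primary uplink on GigabitEthernet0/0 (203.0.113.10, next hop 203.0.113.1) and a backup uplink via 198.51.100.1, and an ActiveSync server published on TCP 443. The ACL explicitly permits the probe target's echo-replies ahead of the other rules, and logs everything else it denies so a dropped probe shows up in syslog instead of only as an unexplained failover.

```cisco
! Added example (not the original poster's config). All addresses, interface
! names and the probe target 203.0.113.1 are hypothetical placeholders.
!
! ICMP echo probe to the primary ISP next hop, sourced from the outside interface
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track object follows probe reachability; primary default route depends on it,
! the floating static (AD 250) only takes over when track 10 is down
track 10 ip sla 10 reachability
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Inbound ACL on the outside interface. The first entry is the one that keeps
! the SLA probe alive: without it the echo-replies from 203.0.113.1 hit the
! implicit deny, track 10 goes down and the router fails over to the backup.
ip access-list extended OUTSIDE_ACCESS_IN
 remark -- keep IP SLA 10 echo-replies flowing so track 10 stays up --
 permit icmp host 203.0.113.1 host 203.0.113.10 echo-reply
 remark -- published ActiveSync/OWA endpoint --
 permit tcp any host 203.0.113.10 eq 443
 remark -- explicit logged deny: dropped probes become visible in syslog --
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.248
 ip access-group OUTSIDE_ACCESS_IN in
```

After applying any ACL change on the probed interface, confirm the probe and the track object are still healthy before walking away: `show ip sla statistics 10` should show successes still incrementing, `show track 10` should report the state as Up, and `show ip route 0.0.0.0` should still point at the primary next hop. A track flapping to Down right after an ACL change is the signature of exactly the problem described above. The DNS side of the poster's fix is a separate check: the public A record for the ActiveSync hostname has to resolve to the address that is reachable over whichever path is currently active, otherwise clients keep arriving on the interface that was primary until the failover.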