balinton

How to Publish OWA using ASA 5505

Hi, I am trying to publish the OWA external URL using a Cisco ASA 5505. Could someone please help me out with this?
tntmax

When you say publish, do you mean forward ports? You will need to forward port 443, as long as you have SSL. Otherwise, port 80. This would be to your Exchange server, unless you have a front-end/edge transport server. Will you have any security ACLs on this, or just straight port-forwarding? I.e., are you restricting access?
balinton

ASKER

I would like to have my external public IP resolve to my internal IP. So I want mail.example.com external to resolve to exchange.domain.com internal? How would this work using the CLI? All roles are on one server, no edge, just Hub Transport, CAS and MBX. I really don't need to restrict access since you will have to authenticate to OWA, correct?
Right, so you are looking for the exact command line to statically translate your external to your internal? How many IP addresses do you have? Will you need to forward port 25 for email as well? If you just want OWA, then you'd need to do this:

static (inside,outside) tcp <whatever your outside ip address> 443 <whatever your server LAN ip address is> 443 netmask 255.255.255.255
access-list OWA extended permit tcp any host <whatever your outside address is> eq 443
access-group OWA in interface outside

Don't include the <>, so if your outside IP address is 11.22.33.44, then it would be: tcp 11.22.33.44 ...

The first line does the actual translation; the second and third lines do the ACL to allow the traffic. Substitute 443 for 80 to open up HTTP traffic as well, and also 25 if you need to forward SMTP to that server. This assumes that you are not forwarding these ports to another server. Otherwise, you will need another IP address in your block.
Forgot something. It needs the word "interface" in the first line. So it should instead read:

static (inside,outside) tcp interface 443 <whatever your server LAN ip address is> 443 netmask 255.255.255.255

The rest of the lines don't change.
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
Yeah, I was thinking PIX originally, then had to go back and look at an ASA :-) Stupid interface, lol...
OK Irmoore, so if I use that command it will work when I go to mail.example.com? Currently if I go to that URL it directs me to the SSL VPN of my ASA, since that is the address it uses on the outside interface? I am using ZoneEdit and I have an A record set up for mail.example.com pointing to that IP. I will try the above when I get home later today. I appreciate all the help from both of you!
SOLUTION
This solution is only available to members.
This is sort of working now: I can access the website using mail.example.com:444/owa, but now I cannot get to SSL VPN since it's the same address. I am going to close this and open a new question with what I am looking to fix and will post my config. This way I can award more points. Thank you both for your help!
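
The clash this thread runs into (a static PAT on the outside interface address using the same TCP port that SSL VPN listens on) can be checked for in a saved configuration before it is applied. The following is an added example, not part of the original posts: the function names, the sample configuration and the 192.0.2.10 / 203.0.113.5 addresses are assumptions made up for illustration, using the pre-8.3 `static` syntax from the thread.

```python
import re

# Constructed sample config (pre-8.3 ASA syntax, as used in this thread).
# 192.0.2.10 and 203.0.113.5 are placeholder addresses, not values from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 443 192.0.2.10 443 netmask 255.255.255.255
access-list OWA extended permit tcp any host 203.0.113.5 eq 443
access-group OWA in interface outside
webvpn
 enable outside
"""

# static (real_if,mapped_if) tcp interface <mapped_port> <real_ip> <real_port>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\d+) (\S+) (\d+)")

def webvpn_listeners(config):
    """Return {interface: port} for SSL VPN; the webvpn port defaults to 443."""
    port, ifaces, in_webvpn = 443, [], False
    for line in config.splitlines():
        if line == "webvpn":                 # global webvpn block, not indented
            in_webvpn = True
        elif in_webvpn and line.startswith(" "):
            words = line.split() or [""]
            if words[0] == "enable" and len(words) == 2:
                ifaces.append(words[1])
            elif words[0] == "port" and len(words) == 2:
                port = int(words[1])
        else:
            in_webvpn = False                # any unindented line ends the block
    return {iface: port for iface in ifaces}

def find_port_clashes(config):
    """List static PATs on an interface address/port that SSL VPN also uses."""
    listeners = webvpn_listeners(config)
    clashes = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and listeners.get(m.group(2)) == int(m.group(3)):
            clashes.append((m.group(2), int(m.group(3)), m.group(4)))
    return clashes

if __name__ == "__main__":
    for iface, port, server in find_port_clashes(SAMPLE_CONFIG):
        print(f"tcp/{port} on {iface}: forwarded to {server} and used by SSL VPN")
```

An empty result means the forwarded port and the SSL VPN listener no longer share an address and port, for example after moving one of them to a different port.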