Solved

static (inside,outside) & Exchange

Posted on 2003-11-26
Last Modified: 2010-04-09
hello,

I have an Exchange server and would like some members to be able to connect to their inbox via Outlook Web Access. I can access the inbox through a browser from inside the firewall but cannot when trying to access the inbox from outside of the firewall...

Can anyone show me or point me in the right direction as to what I might need to do in order for those clients to have www access to the mail server through the PIX 501?

access-list acl_outside_in permit tcp any host X.X.X.X
static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0

The above entries are currently in place on the PIX; would I need to create a static list for port 80?


nubreed_

P.S. Thank you in advance.
Question by:nubreed_

30 Comments
 
LVL 33
Assisted Solution
by:MikeKane (earned 25 total points)
An OWA environment is nothing more than an IIS-based web application with an interface to the Exchange stores. Clients access the OWA site by making a request to the IIS server over port 80 (HTTP) or port 443 (HTTPS). Once the initial request has been processed, the IIS server asks the client for authentication credentials. The OWA server takes these credentials and attempts to authenticate the client. Once they're authenticated, clients can access their Exchange e-mail accounts.

LVL 33
Expert Comment
by:MikeKane
Oh, I forgot. You would need:
access-list acl_outside_in permit tcp any host x.x.x.x eq www
access-list acl_outside_in permit tcp any host x.x.x.x eq 443

static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x 0 0

LVL 79
Expert Comment
by:lrmoore
>access-list acl_outside_in permit tcp any host X.X.X.X
>static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0

If those entries are already in the pix (I strongly recommend changing that access-list), then add these static NAT entries:

static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255
static (inside,outside) tcp interface 443 X.X.X.X 443 netmask 255.255.255.255

Suggest changing your acl from:
>access-list acl_outside_in permit tcp any host X.X.X.X

to lock down the ports:
access-list acl_outside_in permit tcp any host X.X.X.X eq smtp
access-list acl_outside_in permit tcp any host X.X.X.X eq www
access-list acl_outside_in permit tcp any host X.X.X.X eq 443


LVL 33
Expert Comment
by:MikeKane
Oops, I think lrmoore is correct; I was thinking in PIX 515 code there.

Author Comment
by:nubreed_
Hi MikeKane,

I have no IIS server in front of my Exchange box, and cannot use a DMZ as my PIX 501 does not have the capability. I have just allowed SMTP traffic to the Exchange box; is that OK? Besides that, I shall try the lists you have kindly shown me, but do I need to add

access-list acl_outside_in permit tcp any host x.x.x.x eq www

as well as the one I already have,
access-list acl_outside_in permit tcp any host X.X.X.X

or edit the one I have to your version?

nubreed_

LVL 79
Accepted Solution
by:lrmoore (earned 100 total points)
I suggest that you change what you already have.

A.B.C.D = PUBLIC IP address
X.X.X.X = Private IP address

Edit this script as necessary with the correct IP addresses, and you can cut/paste it into the PIX:
!
no access-list acl_outside_in
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-group acl_outside_in in interface outside
!
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255
!
clear xlate
!


LVL 33
Expert Comment
by:MikeKane
Well, Outlook Web Access must run on IIS as a front end since it makes use of ASP pages. You can run IIS on your Exchange box, which is probably what you are doing.

lrmoore gave you the correct coding for this app. The lines I mistakenly sent were for a PIX 515, not a 501, so use his code.

Your IIS service that answers calls for the OWA must run on a server, and that's the IP you want to specify in lrmoore's script.

Author Comment
by:nubreed_
Hi lrmoore,

I have edited the script as suggested (thank you) and now my PIX config looks like, well, what you suggested! Can I ask why I needed to change them? Does the ACL below allow all and any traffic through the PIX?

>access-list acl_outside_in permit tcp any host X.X.X.X


nubreed_




LVL 79
Expert Comment
by:lrmoore
Yes. What you had done was open yourself wide open to ALL TCP traffic inbound. Now you have restricted it to only those ports needed/wanted.


LVL 33
Expert Comment
by:MikeKane
Why would you want to allow any and all traffic through? That completely defeats the purpose of the firewall. Only let in the ports you need to let in; everything else is blocked.

LVL 79
Expert Comment
by:lrmoore
However, I must add a caveat to that statement.
There are two things needed for inbound traffic. An access-list permit, and an xlate.
Since your xlate was limited to only smtp port 25, then that is essentially the only thing that can come in, so it wasn't quite as bad as it sounded.
I just like to keep everything as clean as possible.

Author Comment
by:nubreed_
MikeKane, hello,

That is no problem ("Oops, I think lrmoore is correct, I was thinking in PIX 515 code there"); I have now also learnt some PIX 515 capabilities. Thank you. And I think I must be running IIS on my Exchange box; in fact, now I think about it, I am.

nubreed

LVL 79
Expert Comment
by:lrmoore
515/501 same same. Exact same image, same commands.
The only difference is using static PAT versus static one-to-one NAT.


Author Comment
by:nubreed_
Hi lrmoore,

Thank you for the cool advice; that has made me feel much better about security on the PIX, especially with email!!! I have added the lists as suggested, but my external clients still cannot get to the OWA. It just says "page cannot be displayed". I have included my PIX config and wondered if I had done this right??? Going on your idea of

A.B.C.D = PUBLIC IP address
X.X.X.X = Private IP address

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inside_out permit icmp any any
access-list acl_inside_out permit tcp any any eq www
access-list acl_inside_out permit udp any any eq domain
access-list acl_inside_out permit tcp any host 80.247.0.4 eq pop3
access-list acl_inside_out permit tcp any host 80.247.0.4 eq smtp
access-list acl_inside_out permit tcp any host 212.53.85.180 eq pop3
access-list acl_inside_out permit tcp any host 212.53.85.180 eq smtp
access-list acl_inside_out permit tcp any host 212.36.99.198 eq pop3
access-list acl_inside_out permit tcp any host 212.36.99.130 eq smtp
access-list acl_inside_out permit tcp any host 194.205.58.102 eq https
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-list acl_outside_in permit tcp any host A.B.C.D eq https
pager lines 24
logging on
logging trap notifications
logging facility 22
logging host inside X.X.X.X
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.D 255.255.255.248
ip address inside X.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location X.X.X.X 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.255 inside
pdm location X.X.X.X 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 81.144.146.57 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http X.X.X.X 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
no sysopt route dnat
telnet X.X.X.X 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:

nubreed_

LVL 33
Expert Comment
by:MikeKane
From the internal network, can you open http://x.x.x.x ?


LVL 33
Expert Comment
by:MikeKane
I also don't see a static for port 443.

LVL 79
Expert Comment
by:lrmoore
The config looks fine as long as A.B.C.D actually matches on both the acl and the interface.
Did you do the "clear xlate" ?
Your acl_inside_out is not applied - on purpose?
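The points raised in the last few comments can be checked mechanically: lrmoore's rule that inbound traffic needs both an access-list permit and a static xlate, the static PAT versus one-to-one static distinction, MikeKane's observation that the posted config permits 443 without a static for it, and an access-list that is defined but never applied. The Python below is an added example written for this page, not code from the thread or from Cisco. It parses only the PIX 6.x command forms that appear in the posted config and reports permits without xlates, xlates without permits, port-less permits and unapplied access-lists. The three embedded sample configs are constructed (192.0.2.x stands in for the public side, 192.168.1.x for the inside) and the service-name table covers only the names used on this page.

```python
"""Audit the inbound (outside -> inside) path of a Cisco PIX 6.x config.

Added example for this page, not code from the thread or from Cisco.  It checks
the rule lrmoore states: an inbound connection needs BOTH an access-list permit
on the outside interface AND a static translation (xlate) to an inside host.  It
also flags permits with no 'eq <port>' and access-lists that are never applied.
Only the command forms that appear in the posted config are parsed.
"""
import re

# PIX accepts service names in place of port numbers; only the names on this page.
SERVICE_PORTS = {"smtp": 25, "www": 80, "http": 80, "https": 443, "pop3": 110, "domain": 53}

# access-list <name> permit <proto> <src> <dst> [eq <port>]
ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
                    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\S+))?\s*$")
# static (inside,outside) tcp interface <gport> <inside-ip> <lport> netmask ...  (static PAT, PIX 501 style)
STATIC_PAT_RE = re.compile(r"^static\s+\(inside,outside\)\s+(?P<proto>tcp|udp)\s+(?P<global>\S+)\s+"
                           r"(?P<gport>\S+)\s+(?P<local>\S+)\s+(?P<lport>\S+)\s+netmask\s+\S+")
# static (inside,outside) <public-ip> <inside-ip> netmask 255.255.255.255  (one-to-one NAT, all ports)
STATIC_NAT_RE = re.compile(r"^static\s+\(inside,outside\)\s+(?P<global>\S+)\s+(?P<local>\S+)\s+netmask\s+\S+")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\S+)")
OUTSIDE_IP_RE = re.compile(r"^ip\s+address\s+outside\s+(?P<ip>\S+)\s+\S+")


def port_number(token):
    """'www' -> 80, 'https' -> 443, '443' -> 443."""
    if token.isdigit():
        return int(token)
    if token.lower() not in SERVICE_PORTS:
        raise ValueError(f"unknown service name {token!r}; add it to SERVICE_PORTS")
    return SERVICE_PORTS[token.lower()]


def audit(config_text):
    """Return a sorted list of human-readable findings (empty list = inbound path is consistent)."""
    outside_ip, applied, permits, pat_xlates, nat_globals = None, {}, [], set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := OUTSIDE_IP_RE.match(line):
            outside_ip = m["ip"]
        elif m := ACCESS_GROUP_RE.match(line):
            applied[m["name"]] = m["iface"]                 # acl name -> interface it is bound to
        elif m := ACL_RE.match(line):
            dst = m["dst"].split()[-1]                       # 'host 1.2.3.4' -> '1.2.3.4', 'any' -> 'any'
            permits.append((m["name"], m["proto"], dst, port_number(m["port"]) if m["port"] else None))
        elif m := STATIC_PAT_RE.match(line):
            pat_xlates.add((m["global"], m["proto"], port_number(m["gport"])))
        elif m := STATIC_NAT_RE.match(line):
            nat_globals.add(m["global"])

    def resolve(addr):   # 'interface' in a static means the outside interface's own address
        return outside_ip if addr == "interface" and outside_ip else addr
    pat = {(resolve(g), proto, port) for g, proto, port in pat_xlates}
    nats = {resolve(g) for g in nat_globals}

    findings = [f"access-list {n} is defined but never applied with access-group; it has no effect"
                for n in sorted({p[0] for p in permits} - set(applied))]
    outside_acl = next((n for n, i in applied.items() if i == "outside"), None)
    if outside_acl is None:
        findings.append("no access-group on the outside interface: nothing inbound is permitted")
    inbound = [p for p in permits if p[0] == outside_acl]

    for _, proto, dst, port in inbound:
        if port is None and proto in ("tcp", "udp"):
            findings.append(f"{outside_acl}: permit {proto} any -> {dst} has no 'eq <port>'; "
                            "restrict it to the ports that actually have statics")
        elif port is not None and dst not in nats and (dst, proto, port) not in pat:
            findings.append(f"{outside_acl}: permit {proto}/{port} -> {dst} has no matching static xlate; "
                            "the PIX drops it, so that service stays unreachable from outside")
    for g, proto, port in sorted(pat):
        if not any(d == g and pr == proto and pt in (None, port) for _, pr, d, pt in inbound):
            findings.append(f"static PAT {proto}/{port} -> {g} has no permit in {outside_acl}; "
                            "unreachable from outside")
    return sorted(findings)


# Constructed sample configs modeled on the thread (192.0.2.x = public side, 192.168.1.x = inside).
ORIGINAL_CONFIG = """
ip address outside 192.0.2.1 255.255.255.248
access-list acl_outside_in permit tcp any host 192.0.2.1
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
"""
POSTED_CONFIG = """
ip address outside 192.0.2.1 255.255.255.248
access-list acl_inside_out permit icmp any any
access-list acl_inside_out permit tcp any any eq www
access-list acl_inside_out permit tcp any host 192.0.2.40 eq pop3
access-list acl_outside_in permit tcp any host 192.0.2.1 eq smtp
access-list acl_outside_in permit tcp any host 192.0.2.1 eq www
access-list acl_outside_in permit tcp any host 192.0.2.1 eq https
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
"""
FIXED_CONFIG = POSTED_CONFIG + """
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
access-group acl_inside_out in interface inside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "->", audit(cfg) or ["no findings"])
```

Run against the three samples, the original state produces only the port-less permit finding (the smtp static is still the only thing that can actually come in, as lrmoore's caveat says), the posted state reports the 443 permit with no static and the unapplied acl_inside_out, and the fixed state is clean. Feed it `show run` output from a real PIX 6.x and extend SERVICE_PORTS for any service names it does not know.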



Author Comment
by:nubreed_

Yes, I can open OWA, i.e. http://messageserver/exchange/mailbox/inbox, from the internal network.

Author Comment
by:nubreed_

When you say that my acl_inside_out is not applied on purpose, I'm not sure what you mean. I'm sorry if I am a little slow, but these PIX puppies are all new to me, but I LIKE 'EM.


LVL 33
Expert Comment
by:MikeKane
You are logging to the inside host. Do the logs show any inbound denied?

Author Comment
by:nubreed_
MikeKane,

I will look to see! Thank you.

Author Comment
by:nubreed_
lrmoore,

Maybe I should apply the lists again and clear xlate. I did as instructed, but used wr m in between

access-group acl_outside_in in interface outside &
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255

I then applied the clear xlate; would that have made a difference? Also, lrmoore, those exclamation marks you used in between the script:

!
no access-list acl_outside_in
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-group acl_outside_in in interface outside
!
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255
!
clear xlate
!

Do they do anything, or are they just showing spaces?


LVL 79
Expert Comment
by:lrmoore
Just placeholders that get ignored.
You might even try saving the config
wri mem
and then rebooting the PIX. I know you shouldn't have to, but... sometimes that's what it takes. I'm talking total power-off shutdown, wait 30 seconds, power back up.

Also, what's in front of the PIX? Is this a cable/DSL line? Is it a business line, or a consumer line? Many ISPs will block inbound port 80 on a consumer-priced line. The reasoning is the fine print of the agreement (no servers).

Author Comment
by:nubreed_

It's a 2MB leased line from BT. Do you think that might be the case? I will manually switch off the PIX and see what happens. It's a little frustrating really, as I cannot understand why I can connect from the inside but not if I was somewhere outside. Sort of defeats the object really!

:)

LVL 79
Expert Comment
by:lrmoore
Are you actually trying from an outside system, or using an inside host to access the public IP ?

Author Comment
by:nubreed_

I have some people in a building across the town that are trying to access the OWA service for me. I have put the link to the Exchange box into an IM client so at least that way they get it right! And they still say that they cannot connect; all they do get is the old "page cannot be..."

These clients have an ADSL connection which is personal to them, not even the same ISP as us and not on our network. I have just called someone to ask if they can access it for me in case the users across the town are doing something wrong.


LVL 33
Expert Comment
by:MikeKane
Dumb question: they are using the public IP address and not your internal address or your internal server name, right?

You said they get the old page. Does a refresh do anything for you?

LVL 79
Expert Comment
by:lrmoore
Sounds like you're doing it the right way then...


Author Comment
by:nubreed_

I have switched off the firewall from the mains and paused for 30 seconds, switched on, and still no change, and the other person I have trying from home cannot access it either.

Hmmmmmm, the plot thickens!

Author Comment
by:nubreed_
Hello hello,

Hang on a minute..... I have used the following, http://A.B.C.D/exchange/mailbox/inbox, and now they can connect!! Da daaaaa, I was using the server's name (is that what you were getting at, MikeKane?) instead of the IP address. I think that depends on the version of OWA, as I read http://support.microsoft.com/default.aspxscid=/support/exchange/content/whitepapers/owa_tshoot.asp .

Well, all is resolved and I have learned a great deal from you both! I will split the points accordingly and thank you both for your time and patience. lrmoore, can I just say "that's quite a profile you have there".


nubreed_  :D
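The troubleshooting in this thread worked through the possibilities one at a time: testing from inside versus outside, an ISP blocking inbound 80, a missing xlate or clear xlate, and finally the real cause, an internal server name used from outside. The Python below is an added example for this page, not code from the thread or from Microsoft; it separates those cases by probing an OWA URL in order (name resolution, TCP connect, HTTP request) and reports which step fails. So that it runs offline, the demo starts a local stand-in for IIS that answers 401 (the credential challenge MikeKane describes) and probes a deliberately closed port; the ports and addresses are constructed and no real OWA server is contacted.

```python
"""Classify why an OWA URL does or does not answer from where the probe runs.

Added example for this page, not code from the thread or from Microsoft.  The
failure modes seen in the thread are told apart in order: the name does not
resolve (an internal server name used from outside), the TCP port is refused or
never answers (no listener, missing xlate/permit, or an ISP block upstream), or
an HTTP server answers (IIS replies 401 to ask for credentials before OWA shows
the inbox).  The demo uses a local stand-in for IIS so nothing real is contacted.
"""
import http.client
import http.server
import socket
import threading
from urllib.parse import urlsplit


def probe(url, timeout=3.0):
    """Return (kind, detail): ('dns'|'refused'|'timeout', message) or ('http', status_code)."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ip = socket.gethostbyname(host)          # step 1: does the name resolve from here?
    except socket.gaierror:
        return ("dns", f"{host} does not resolve from here; use the public IP or a public DNS name")
    try:
        with socket.create_connection((ip, port), timeout=timeout):   # step 2: does the port answer?
            pass
    except ConnectionRefusedError:
        return ("refused", f"{ip}:{port} actively refused; nothing listening at the translated address")
    except OSError:                               # socket.timeout is an OSError
        return ("timeout", f"{ip}:{port} never answered; ACL deny, missing xlate, or ISP block upstream")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(ip, port, timeout=timeout)
    try:                                          # step 3: does a web server talk back?
        conn.request("GET", parts.path or "/", headers={"Host": host})
        return ("http", conn.getresponse().status)
    finally:
        conn.close()


class _FakeIIS(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the IIS front end: challenges for credentials like OWA does."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="OWA"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Probe a local fake OWA and a closed local port; returns both classifications."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeIIS)   # port 0 = pick a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        owa = probe(f"http://127.0.0.1:{server.server_address[1]}/exchange/")
    finally:
        server.shutdown()
        server.server_close()
    with socket.socket() as s:          # grab a free port, then release it so nothing listens there
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    closed = probe(f"http://127.0.0.1:{closed_port}/exchange/")
    return {"owa": owa, "closed": closed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run from an outside host against the public address, a `dns` result is the symptom this thread ended on, `timeout` points at the PIX ACL, the xlate or the ISP, and `http 401` means the PIX path is fine and the remaining problem, if any, is on the Exchange side.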
