Solved

static (inside,outside) & Exchange

Posted on 2003-11-26
30
1,211 Views
Last Modified: 2010-04-09
hello,

I have an Exchange server and would like some members to be able to connect to their inbox via Outlook Web Access. I can access the inbox through a browser from inside the firewall but cannot when trying to access the inbox from outside of the firewall...

Can anyone show me or point me in the right direction as to what I might need to do in order for those clients to have www access to the mail server through the PIX 501?

access-list acl_outside_in permit tcp any host X.X.X.X
static (inside,outside) tcp interface smtp X.X.X.X netmask 255.255.255.255 0 0

The above entries are currently in place on the PIX; would I need to create a static list for port 80?


nubreed_

P.S thank you in advance
Question by:nubreed_
30 Comments
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 25 total points
ID: 9825500
An OWA environment is nothing more than an IIS-based Web application with an interface to the Exchange stores. Clients access the OWA site by making a request to the IIS server over port 80 (HTTP) or port 443 (HTTPS). Once the initial request has been processed, the IIS server asks the client for authentication credentials. The OWA server takes these credentials and attempts to authenticate the client. Once they're authenticated, clients can access their Exchange e-mail accounts.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9825567
Oh, I forgot. You would need:
access-list acl_outside_in permit tcp any host x.x.x.x eq www
access-list acl_outside_in permit tcp any host x.x.x.x eq 443

static (inside,outside) x.x.x.x x.x.x.x netmask x.x.x.x 0 0
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9825782
>access-list acl_outside_in permit tcp any host X.X.X.X
>static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0

If those entries are already in the pix (I strongly recommend changing that access-list), then add these static NAT entries:

static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255
static (inside,outside) tcp interface 443 X.X.X.X 443 netmask 255.255.255.255

Suggest changing your acl from:
>access-list acl_outside_in permit tcp any host X.X.X.X

to lock down the ports:
access-list acl_outside_in permit tcp any host X.X.X.X eq smtp
access-list acl_outside_in permit tcp any host X.X.X.X eq www
access-list acl_outside_in permit tcp any host X.X.X.X eq 443

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9825818
Oops, I think lrmoore is correct; I was thinking in PIX 515 code there.
0
 

Author Comment

by:nubreed_
ID: 9825864
hi MikeKane


I have no IIS server in front of my Exchange box, and cannot use a DMZ as my PIX 501 does not have the capability. I have just allowed SMTP traffic to the Exchange box, is that OK? Besides that, the lists you have kindly shown me I shall try, but do I need to add

access-list acl_outside_in permit tcp any host x.x.x.x eq www

as well as the one I already have
access-list acl_outside_in permit tcp any host X.X.X.X

or edit the one I have to your version?

nubreed_
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 100 total points
ID: 9825925
I suggest that you change what you already have.

A.B.C.D = PUBLIC IP address
X.X.X.X = Private IP address

Edit this script as necessary with the correct IP addresses, and you can cut/paste it into the PIX:
!
no access-list acl_outside_in
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-group acl_outside_in in interface outside
!
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255
!
clear xlate
!

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9826017
Well, Outlook Web Access must run on an IIS as a front end since it makes use of ASP pages. You can run IIS on your Exchange box, which is probably what you are doing.

lrmoore gave you the correct coding for this app. The lines I mistakenly sent were for a PIX 515, not a 501, so use his code.

Your IIS service that answers calls for the OWA must run on a server, and that's the IP you want to specify in lrmoore's script.
0
 

Author Comment

by:nubreed_
ID: 9826139
hi lrmoore,


I have edited the script as suggested (thank you) and now my PIX config looks like, well, what you suggested! Can I ask why I needed to change them? Does the acl_list below allow all and any traffic through the PIX?

>access-list acl_outside_in permit tcp any host X.X.X.X


nubreed_



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826163
Yes. What you had done is open yourself wide open to ALL tcp traffic inbound. Now you have restricted it to only those ports needed/wanted.

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9826170
Why would you want to allow any and all traffic through? That completely defeats the purpose of the firewall. Only let in the ports you need to let in; everything else is blocked.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826184
However, I must add a caveat to that statement.
There are two things needed for inbound traffic. An access-list permit, and an xlate.
Since your xlate was limited to only smtp port 25, then that is essentially the only thing that can come in, so it wasn't quite as bad as it sounded.
I just like to keep everything as clean as possible.
0
 

Author Comment

by:nubreed_
ID: 9826231
MikeKane hello,

That is no problem: "Oops, I think lrmoore is correct, I was thinking in PIX 515 code there". I have now also learnt some PIX 515 capabilities. Thank you. And I think I must be running IIS on my Exchange box; in fact, now I think about it, I am.

nubreed
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826294
515/501 same same. Exact same image, same commands.
The only difference is using static PAT versus static one-to-one NAT

0
 

Author Comment

by:nubreed_
ID: 9826301
hi lrmoore

Thank you for the cool advice; that has made me feel much better about security on the PIX, especially with email!!! I have added the lists as suggested but my external clients still cannot get to the OWA. It just says "page cannot be displayed". I have included my PIX config and wondered if I had done this right??? Going on your idea of

A.B.C.D = PUBLIC IP address
X.X.X.X = Private IP address

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_inside_out permit icmp any any
access-list acl_inside_out permit tcp any any eq www
access-list acl_inside_out permit udp any any eq domain
access-list acl_inside_out permit tcp any host 80.247.0.4 eq pop3
access-list acl_inside_out permit tcp any host 80.247.0.4 eq smtp
access-list acl_inside_out permit tcp any host 212.53.85.180 eq pop3
access-list acl_inside_out permit tcp any host 212.53.85.180 eq smtp
access-list acl_inside_out permit tcp any host 212.36.99.198 eq pop3
access-list acl_inside_out permit tcp any host 212.36.99.130 eq smtp
access-list acl_inside_out permit tcp any host 194.205.58.102 eq https
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-list acl_outside_in permit tcp any host A.B.C.D eq https
pager lines 24
logging on
logging trap notifications
logging facility 22
logging host inside X.X.X.X
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside A.B.C.D 255.255.255.248
ip address inside X.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location X.X.X.X 255.255.255.255 outside
pdm location X.X.X.X 255.255.255.255 inside
pdm location X.X.X.X 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255 0 0
access-group acl_outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 81.144.146.57 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http X.X.X.X 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment chain 1
no sysopt route dnat
telnet X.X.X.X 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:

nubreed_
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9826350
From the internal network, can you open http://x.x.x.x ?

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9826372
I also don't see a static for port 443.
0
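lrmoore's rule above (inbound needs both an access-list permit and an xlate) and MikeKane's observation that the posted config has an ACL line for https but no static for 443 can both be checked mechanically. The following script is an added example, not code from the thread or from Cisco; it parses PIX lines in the exact shape used on this page (placeholders A.B.C.D and X.X.X.X kept) and reports which outside TCP ports are actually reachable versus permitted-but-dead. The two sample configs are constructed from the thread's snippets.

```python
import re

# Port keywords used in the thread's PIX commands; numeric ports pass through.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

def to_port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

# Only the line shapes that appear on this page are recognised (assumption).
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host \S+(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) \S+ \S+ netmask")

def inbound_exposure(config: str):
    """Return (reachable, acl_only) sets of outside TCP ports.

    reachable: ports an outside host can reach (ACL permit AND static PAT xlate).
    acl_only:  ports the applied ACL permits but no xlate translates (dead permits).
    A 'permit tcp any host H' line with no 'eq' permits every port; acl_only is
    then reported as empty because every non-translated port would be in it."""
    ALL = "all"
    acls, applied, xlates = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, port = m.groups()
            cur = acls.setdefault(name, set())
            acls[name] = ALL if (port is None or cur == ALL) else cur | {to_port(port)}
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
        elif m := STATIC_RE.match(line):
            xlates.add(to_port(m.group(1)))   # outside port of the static PAT
    permitted, any_port = set(), False
    for name in applied:
        rule = acls.get(name, set())
        any_port = any_port or rule == ALL
        permitted |= set() if rule == ALL else rule
    reachable = set(xlates) if any_port else permitted & xlates
    acl_only = set() if any_port else permitted - xlates
    return reachable, acl_only

# Constructed sample 1: the asker's original ACL (no 'eq') with only the smtp static.
ORIGINAL = """
access-list acl_outside_in permit tcp any host A.B.C.D
access-group acl_outside_in in interface outside
static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0
"""
# Constructed sample 2: the posted config, ACL for smtp/www/https but statics for 25 and 80 only.
POSTED = """
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-list acl_outside_in permit tcp any host A.B.C.D eq https
access-group acl_outside_in in interface outside
static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255 0 0
"""
```

For ORIGINAL the script reports only port 25 reachable, which is lrmoore's "not quite as bad as it sounded" point; for POSTED it reports 25 and 80 reachable and 443 as permitted but dead, the missing static MikeKane noticed.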
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826382
The config looks fine as long as A.B.C.D actually matches on both the acl and the interface.
Did you do the "clear xlate" ?
Your acl_inside_out is not applied - on purpose?


0
 

Author Comment

by:nubreed_
ID: 9826397

Yes, I can open OWA, i.e. http://messageserver/exchange/mailbox/inbox, from the internal network.
0
 

Author Comment

by:nubreed_
ID: 9826410

When you say that my acl_inside_out is not applied on purpose, I'm not sure what you mean. I'm sorry if I am a little slow, but these PIX puppies are all new to me, but I LIKE EM.

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9826414
You are logging to the inside host.   Do the logs show any inbound denied?
0
 

Author Comment

by:nubreed_
ID: 9826436
MikeKane

I will look to see! Thank you.
0
 

Author Comment

by:nubreed_
ID: 9826479
lrmoore


Maybe I should apply the lists again and clear xlate. I did as instructed but used wr m in between

access-group acl_outside_in in interface outside &
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255

I then applied the clear xlate; would that have made a difference? Also, lrmoore, those exclamations you used in between the script:

!
no access-list acl_outside_in
access-list acl_outside_in permit tcp any host A.B.C.D eq smtp
access-list acl_outside_in permit tcp any host A.B.C.D eq www
access-group acl_outside_in in interface outside
!
static (inside,outside) tcp interface www X.X.X.X www netmask 255.255.255.255
!
clear xlate
!

Do they do anything, or are they just showing spaces?

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826530
Just space holders that get ignored..
You might even try saving the config
wri mem
and then reboot the PIX. I know you shouldn't have to, but....sometimes that's what it takes. I'm talking total power-off shutdown, wait 30 seconds, power back up.

Also, what's in front of the PIX? Is this a cable/DSL line? Is it a business line, or a consumer line? Many ISPs will block inbound port 80 on a consumer priced line. The reasoning is the fine print of the agreement (no servers).
0
 

Author Comment

by:nubreed_
ID: 9826590

It's a 2MB leased line from BT. Do you think that might be the case? I will manually switch off the PIX and see what happens; it's a little frustrating really, as I cannot understand why I can connect from the inside but not if I was somewhere outside. Sort of defeats the object really!

:)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826611
Are you actually trying from an outside system, or using an inside host to access the public IP ?
0
 

Author Comment

by:nubreed_
ID: 9826636

I have some people in a building across the town who are trying to access the OWA service for me. I have put the link to the Exchange box into an IM client so at least that way they get it right! And they still say that they cannot connect; all they do get is the old "page cannot be..."

These clients have an ADSL connection which is personal to them, not even the same ISP as us and not on our network. I have just called someone to ask if they can access it for me in case the users across the town are doing something wrong.

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 9826679
Dumb question: they are using the public IP address and not your internal address or your internal server name, right?

You said they get the old page. Does a refresh do anything for you?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9826724
Sounds like you're doing it the right way then...

0
 

Author Comment

by:nubreed_
ID: 9826731

I have switched off the firewall from the mains and paused for 30 seconds. Switched on and still no change, and the other person I have trying from home cannot access either.

hmmmmmm the plot thickens!
0
 

Author Comment

by:nubreed_
ID: 9826955
hello hello

Hang on a minute..... I have used the following, http://A.B.C.D/exchange/mailbox/inbox, and now they can connect!! Da daaaaa, I was using the server's name (is that what you were getting at, MikeKane?) instead of the IP address. I think that depends on the version of OWA, as I read http://support.microsoft.com/default.aspxscid=/support/exchange/content/whitepapers/owa_tshoot.asp .

Well, all is resolved and I have learned a great deal from you both! I will split the points accordingly and thank you both for your time and patience. lrmoore, can I just say "that's quite a profile you have there".


nubreed_  :D
0
