?
Solved

What am I missing to get OWA working externally?

Posted on 2006-04-24
11
Medium Priority
?
186 Views
Last Modified: 2010-04-09
All works fine internally but not externally?

PIX Version 6.3(4)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password ov0KPyr6VORUfkdi encrypted                                          
passwd ov0KPyr6VORUfkdi encrypted                                
hostname pixfirewall                    
domain-name ciscopix.com                        
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol pptp 1723                        
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
access-list outside permit gre any any                                      
access-list outside permit tcp any interface outside eq smtp                                                            
access-list outside permit tcp any interface outside eq pptp                                                            
access-list outside permit icmp any any echo-reply                                                  
access-list outside permit icmp any any source-quench                                                    
access-list outside permit icmp any any unreachable                                                  
access-list outside permit icmp any any time-exceeded                                                    
access-list outside permit tcp any any eq ssh                                            
access-list outside_cryptomap_dyn_20 deny ip any 192.168.1.0 255.255.255.128                                                                            
access-list inside permit gre any any                                    
access-list inside permit ip any any                                    
access-list nat permit ip interface inside 192.168.1.0 255.255.255.0                                                                    
access-list outside_access_in permit tc                                    
access-list outside_access_in permit tcp any interface outside eq www                                                                    
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 135.196.176.X 255.255.255.224                                                  
ip address inside 192.168.1.1 255.255.255.0                                          
ip audit info action alarm reset                                
ip audit attack action alarm reset                                  
ip local pool planitvpn 192.168.2.50-192.168.2.70                                                
pdm location 192.168.1.0 255.255.255.0 inside                                            
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list nat                              
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
static (inside,outside) tcp 135.196.176.230 pptp 192.168.1.X pptp netmask 255.                                                                                
255.255.255 0 0              
static (inside,outside) tcp interface www 192.168.1.X www netmask 255.255.255.                                                                                
255 0 0      
static (inside,outside) tcp interface https 192.168.1.X https netmask 255.255.                                                                                
255.255 0 0          
access-group outside in interface outside                                        
access-group inside in interface inside                                      
route outside 0.0.0.0 0.0.0.0 135.196.176.225 1                                              
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00                                                  
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 213.86.132.161 255.255.255.255 outside
telnet 213.86.132.162 255.255.255.255 outside
telnet 213.86.132.163 255.255.255.255 outside
telnet 213.86.132.164 255.255.255.255 outside
telnet 82.146.133.5 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:dfad1e753b8bdf2b39b6b729e18c0d77
: end

Please help!!!
0
Comment
Question by:stevem200872
  • 5
  • 5
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 16523418
>>fixup protocol smtp 25    

Get rid of that Exchange uses EHLO and PIX dont like it

got to enable mode and issue a

no fixup protocol smtp 25  (enter)
write mem (enter)
0
 

Author Comment

by:stevem200872
ID: 16523424
what ? sorry I dont understand?
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16523432
Your access-list allowing OWA is incorrect and does not match the access-list you have applied to your outside interface:
the acl pplied is called outside and the OWA rule you have applied is called outside_access_in

conf t
no access-list outside_access_in permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq www
write mem

Are you also using https?
If so add
access-list outside_access_in permit tcp any interface outside eq https

hth
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 19

Expert Comment

by:nodisco
ID: 16523435
typo-------

>>Are you also using https?
If so add
access-list outside_access_in permit tcp any interface outside eq https

should be

access-list outside permit tcp any interface outside eq https

hth
0
 

Author Comment

by:stevem200872
ID: 16523449
ok I now get your not autherised to view this page is this the rights to IIS
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16523455
The PIX is now letting you through  - check the access-list to confirm that your connection is correct:

Type sh access-list outside
and you should see
access-list outside permit tcp any interface outside eq www hitcnt= [number above 0]
0
 

Author Comment

by:stevem200872
ID: 16523465
so i just need to sort out IIS to grant access ?

That command aboce says exactley what you said mate
0
 

Author Comment

by:stevem200872
ID: 16523490
Im getting:
You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
0
 

Author Comment

by:stevem200872
ID: 16523521
you are a top man it all works fine now

Thank you so much..

Steve.
0
 
LVL 19

Expert Comment

by:nodisco
ID: 16523652
welcome bro - glad you got working
0
 
LVL 19

Accepted Solution

by:
nodisco earned 2000 total points
ID: 16631665
Steve - if this is working can you now close the Q?

cheers
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question