stevem200872
asked on
What am I missing to get OWA working externally?
All works fine internally but not externally?
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ov0KPyr6VORUfkdi encrypted
passwd ov0KPyr6VORUfkdi encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit gre any any
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq pptp
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit tcp any any eq ssh
access-list outside_cryptomap_dyn_20 deny ip any 192.168.1.0 255.255.255.128
access-list inside permit gre any any
access-list inside permit ip any any
access-list nat permit ip interface inside 192.168.1.0 255.255.255.0
access-list outside_access_in permit tc
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 135.196.176.X 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm reset
ip audit attack action alarm reset
ip local pool planitvpn 192.168.2.50-192.168.2.70
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 135.196.176.230 pptp 192.168.1.X pptp netmask 255.
255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.X www netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface https 192.168.1.X https netmask 255.255.
255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 135.196.176.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 213.86.132.161 255.255.255.255 outside
telnet 213.86.132.162 255.255.255.255 outside
telnet 213.86.132.163 255.255.255.255 outside
telnet 213.86.132.164 255.255.255.255 outside
telnet 82.146.133.5 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:dfad1e753b8 bdf2b39b6b 729e18c0d7 7
: end
Please help!!!
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ov0KPyr6VORUfkdi encrypted
passwd ov0KPyr6VORUfkdi encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit gre any any
access-list outside permit tcp any interface outside eq smtp
access-list outside permit tcp any interface outside eq pptp
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit tcp any any eq ssh
access-list outside_cryptomap_dyn_20 deny ip any 192.168.1.0 255.255.255.128
access-list inside permit gre any any
access-list inside permit ip any any
access-list nat permit ip interface inside 192.168.1.0 255.255.255.0
access-list outside_access_in permit tc
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 135.196.176.X 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm reset
ip audit attack action alarm reset
ip local pool planitvpn 192.168.2.50-192.168.2.70
pdm location 192.168.1.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 135.196.176.230 pptp 192.168.1.X pptp netmask 255.
255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.X www netmask 255.255.255.
255 0 0
static (inside,outside) tcp interface https 192.168.1.X https netmask 255.255.
255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 135.196.176.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 213.86.132.161 255.255.255.255 outside
telnet 213.86.132.162 255.255.255.255 outside
telnet 213.86.132.163 255.255.255.255 outside
telnet 213.86.132.164 255.255.255.255 outside
telnet 82.146.133.5 255.255.255.255 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:dfad1e753b8
: end
Please help!!!
ASKER
what ? sorry I dont understand?
Your access-list allowing OWA is incorrect and does not match the access-list you have applied to your outside interface:
the acl pplied is called outside and the OWA rule you have applied is called outside_access_in
conf t
no access-list outside_access_in permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq www
write mem
Are you also using https?
If so add
access-list outside_access_in permit tcp any interface outside eq https
hth
the acl pplied is called outside and the OWA rule you have applied is called outside_access_in
conf t
no access-list outside_access_in permit tcp any interface outside eq www
access-list outside permit tcp any interface outside eq www
write mem
Are you also using https?
If so add
access-list outside_access_in permit tcp any interface outside eq https
hth
typo-------
>>Are you also using https?
If so add
access-list outside_access_in permit tcp any interface outside eq https
should be
access-list outside permit tcp any interface outside eq https
hth
>>Are you also using https?
If so add
access-list outside_access_in permit tcp any interface outside eq https
should be
access-list outside permit tcp any interface outside eq https
hth
ASKER
ok I now get your not autherised to view this page is this the rights to IIS
The PIX is now letting you through - check the access-list to confirm that your connection is correct:
Type sh access-list outside
and you should see
access-list outside permit tcp any interface outside eq www hitcnt= [number above 0]
Type sh access-list outside
and you should see
access-list outside permit tcp any interface outside eq www hitcnt= [number above 0]
ASKER
so i just need to sort out IIS to grant access ?
That command aboce says exactley what you said mate
That command aboce says exactley what you said mate
ASKER
Im getting:
You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
ASKER
you are a top man it all works fine now
Thank you so much..
Steve.
Thank you so much..
Steve.
welcome bro - glad you got working
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Get rid of that Exchange uses EHLO and PIX dont like it
got to enable mode and issue a
no fixup protocol smtp 25 (enter)
write mem (enter)