Solved

We got VPN to work but the Boss still wants OWA to an Exchange 2003

Posted on 2006-07-13
7
350 Views
Last Modified: 2012-05-05
Well two questions how do I open up OWA without affecting this configuration and somehow I munged my enable password trying to change it after the so-called expert came in to "fix" the vpn. The old one works only through PDM and when I try to change it in PDM it says it's the wrong length.

The OWA is the most important. Thanks!



Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k32FJiM.A2fn3FtL encrypted
passwd k32FJiM.A2fn3FtL encrypted
hostname SSIFW
domain-name office.woofwoof.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 102 permit tcp any host 10.0.0.253 eq www
access-list 102 permit icmp any any
access-list acl-inside permit tcp any any eq https
access-list inside_outbound_nat0_acl permit ip interface inside 10.1.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.0.0 255.255.255.0
access-list outside_cryptomap_dyn_50 permit ip any 10.1.0.0 255.255.255.0
access-list ippool permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_cryptomap_dyn_70 permit ip any 10.1.0.0 255.255.255.0
access-list outside_cryptomap_dyn_90 permit ip any 10.1.0.0 255.255.255.0
access-list outside_in permit tcp any interface outside eq https
pager lines 24
logging timestamp
logging console debugging
logging trap critical
logging host inside 10.0.0.110
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside 10.0.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.0.1-10.1.0.254
pdm location 10.1.0.0 255.255.255.0 outside
pdm location 10.0.0.110 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 90 match address outside_cryptomap_dyn_90
crypto dynamic-map dynmap 90 set transform-set ESP-3DES-MD5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup ldsmithwa address-pool ippool
vpngroup ldsmithwa dns-server 10.0.0.253
vpngroup ldsmithwa wins-server 10.0.0.253
vpngroup ldsmithwa default-domain woofwoof.com
vpngroup ldsmithwa idle-time 1800
vpngroup ldsmithwa password ********
vpngroup karen address-pool ippool
vpngroup karen dns-server 10.0.0.253
vpngroup karen wins-server 10.0.0.253
vpngroup karen default-domain woofwoof.com
vpngroup karen idle-time 1800
vpngroup karen password ********
vpngroup alextest address-pool ippool
vpngroup alextest dns-server 10.0.0.253
vpngroup alextest wins-server 10.0.0.253
vpngroup alextest default-domain office.woofwoof.com
vpngroup alextest idle-time 1800
vpngroup alextest password ********
vpngroup davet address-pool ippool
vpngroup davet dns-server 10.0.0.253
vpngroup davet wins-server 10.0.0.253
vpngroup davet default-domain office.woofwoof.com
vpngroup davet idle-time 1800
vpngroup davet password ********
vpngroup bob address-pool ippool
vpngroup bob dns-server 10.0.0.253
vpngroup bob wins-server 10.0.0.253
vpngroup bob default-domain office.woofwoof.com
vpngroup bob idle-time 1800
vpngroup bob password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group isp request dialout pppoe
vpdn group isp localname woofwoof@verizon.net
vpdn group isp ppp authentication pap
vpdn username woofwoof@verizon.net password *********
username davet password Jp5zv7uilKwUS9bm encrypted privilege 15
username davem password XjgVlQxoEgMagReS encrypted privilege 15
username ldsmithwa password mgZTet3qjAfSSlBh encrypted privilege 15
username karen password 7m9yQo9x2asz1eXU encrypted privilege 15
username alextest password AdWRxXY1Ml4u.D16 encrypted privilege 15
username bobbreilh password klruO2Ge1kiY8fds encrypted privilege 15
terminal width 80
Cryptochecksum:dabb053708133da676de77a8e4e3fb3c
: end
[OK]
0
Comment
Question by:bamnbamn1755
  • 2
7 Comments
 
LVL 4

Expert Comment

by:supportsoft
Comment Utility
just add a https: rulle from any on the external interface NAT'ed form your public IP  to go to the internal IP of your Exchange server / OWA Server.

I dont know the syntax to do it in pix, but am sure the command is easy to do, as its a basic

Then when he is out of office he just types in

https://yourpublicip/exchange

or add a  A record to your DNS so its owa = publicip of firewall.

to give you

https://owa.woofwoof.com/exchange

Regards

Richard
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
>access-list 102 permit tcp any host 10.0.0.253 eq www
>access-list outside_in permit tcp any interface outside eq https

You have two acls that look like initial attempts to make this work. Is 10.0.0.253 the OWA server? Assuming that it is, just add the following:

 static (inside,outside) tcp interface http 10.0.0.253 http netmask 255.255.255.255
 static (inside,outside) tcp interface https 10.0.0.253 https netmask 255.255.255.255
 no access-list 102
 access-list outside_in permit tcp any interface outside eq http
 access-group outside_in in interface outside

Done.
0
 

Author Comment

by:bamnbamn1755
Comment Utility
Thanks. I added those lines. I'm running into an issue now that the server 10.0.0.253 that is the OWA and Exchange server is no longer receiving mail from outside. Well actually I just got around to testing this since I was focused on the VPN part.


This PIX is replacing an older cheaper firewall.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password k32FJiM.A2fn3FtL encrypted
passwd k32FJiM.A2fn3FtL encrypted
hostname SSIFW
domain-name office.strategicsol.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list acl-inside permit tcp any any eq https
access-list inside_outbound_nat0_acl permit ip interface inside 10.1.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.0.0 255.255.255.0
access-list outside_cryptomap_dyn_50 permit ip any 10.1.0.0 255.255.255.0
access-list ippool permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_cryptomap_dyn_70 permit ip any 10.1.0.0 255.255.255.0
access-list outside_cryptomap_dyn_90 permit ip any 10.1.0.0 255.255.255.0
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
pager lines 24
logging timestamp
logging console debugging
logging trap critical
logging host inside 10.0.0.110
mtu outside 1500
mtu inside 1500
ip address outside 66.15.61.205 255.255.255.128
ip address inside 10.0.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.0.1-10.1.0.254
pdm location 10.1.0.0 255.255.255.0 outside
pdm location 10.0.0.110 255.255.255.255 inside
pdm location 68.86.172.25 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 10.0.0.253 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.0.0.253 https netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.15.61.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 50 match address outside_cryptomap_dyn_50
crypto dynamic-map dynmap 50 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 70 match address outside_cryptomap_dyn_70
crypto dynamic-map dynmap 70 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 90 match address outside_cryptomap_dyn_90
crypto dynamic-map dynmap 90 set transform-set ESP-3DES-MD5
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup ldsmithwa address-pool ippool
vpngroup ldsmithwa dns-server 10.0.0.253
vpngroup ldsmithwa wins-server 10.0.0.253
vpngroup ldsmithwa default-domain strategicsol.com
vpngroup ldsmithwa idle-time 1800
vpngroup ldsmithwa password ********
vpngroup karen address-pool ippool
vpngroup karen dns-server 10.0.0.253
vpngroup karen wins-server 10.0.0.253
vpngroup karen default-domain strategicsol.com
vpngroup karen idle-time 1800
vpngroup karen password ********
vpngroup alextest address-pool ippool
vpngroup alextest dns-server 10.0.0.253
vpngroup alextest wins-server 10.0.0.253
vpngroup alextest default-domain office.strategicsol.com
vpngroup alextest idle-time 1800
vpngroup alextest password ********
vpngroup davet address-pool ippool
vpngroup davet dns-server 10.0.0.253
vpngroup davet wins-server 10.0.0.253
vpngroup davet default-domain office.strategicsol.com
vpngroup davet idle-time 1800
vpngroup davet password ********
vpngroup bob address-pool ippool
vpngroup bob dns-server 10.0.0.253
vpngroup bob wins-server 10.0.0.253
vpngroup bob default-domain office.strategicsol.com
vpngroup bob idle-time 1800
vpngroup bob password ********
telnet 68.86.172.25 255.255.255.255 outside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group isp request dialout pppoe
vpdn group isp localname strategicsol@verizon.net
vpdn group isp ppp authentication pap
vpdn username strategicsol@verizon.net password *********
username davet password Jp5zv7uilKwUS9bm encrypted privilege 15
username davem password XjgVlQxoEgMagReS encrypted privilege 15
username ldsmithwa password mgZTet3qjAfSSlBh encrypted privilege 15
username karen password 7m9yQo9x2asz1eXU encrypted privilege 15
username alextest password AdWRxXY1Ml4u.D16 encrypted privilege 15
username bobbreilh password klruO2Ge1kiY8fds encrypted privilege 15
terminal width 80
Cryptochecksum:36a3c8ed75e3035a6d1217b2af08666d
: end
[OK]

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
Comment Utility
Your outside_in acl and your static does not have anything for smtp email..
access-list outside_in permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 10.0.0.253 smtp netmask 255.255.255.255
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now