Access OWA via Cisco PIX 501

I have tried to set up my pix to be able to access OWA from the internet. I have tried several solutions but no luck so far.


This is my config:
Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b2WtfYSCIGoHQXcx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixie
domain-name amanninformatik.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 194.13.235.6
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host XXX.XXX.XXX.XXX eq www
access-list outside_inbound_nat0_acl permit ip interface outside host 194.13.235.6
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 194.13.235.210 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location 194.13.235.6 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 194.13.235.6
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 194.13.235.6 www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 194.13.235.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.6 255.255.255.255 inside
telnet 194.13.235.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:24196cd08af07da05d9c3da0b34b5536
: end
[OK]

What am I doing wrong?
holtis Asked:
Pete Long (Technical Consultant) Commented:
OK, we will go with SSL then.

Add the following lines


name 194.13.235.6 Exchange
static (inside,outside) tcp interface https Exchange https dns netmask 255.255.255.255 0 0
access-list inbound permit tcp any interface outside eq https
access-list outbound permit ip any any
access-group inbound in interface outside
access-group outbound in interface inside

NB: This allows all ports outbound, and HTTPS back in, while forwarding it to your Exchange server.
0
 
Pete Long (Technical Consultant) Commented:
OK, a couple of small changes.


name 194.13.235.6 OWASERVER
static (inside,outside) tcp interface www OWASERVER www dns netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any interface outside eq www
0
 
Pete Long (Technical Consultant) Commented:
Assuming 194.13.235.6 is the OWA server, of course :)
0
 
holtis (Author) Commented:
Thanks for your answers.

Still no luck, exactly the same behaviour.


Now the config looks like this:

Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b2WtfYSCIGoHQXcx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixie
domain-name amanninformatik.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 194.13.235.6 OWASERVER
access-list inbound permit tcp any host OWASERVER
access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host 87.102.145.213 eq www
access-list outside_inbound_nat0_acl permit ip interface outside host OWASERVER
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 194.13.235.210 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 87.102.145.213 255.255.255.255 outside
pdm location OWASERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 OWASERVER
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www OWASERVER www dns netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 194.13.235.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.6 255.255.255.255 inside
telnet 194.13.235.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:7f610b49ec7f89785c675c3325832ac1
: end
[OK]

Thanks again
0
 
Pete Long (Technical Consultant) Commented:
Is Exchange running through this PIX? If so, I'd expect to see

no fixup protocol smtp 25

not

fixup protocol smtp 25

Anyway, that's not the problem you posted :)

anyway

You're missing the following line:

access-group inbound in interface outside
0
 
holtis (Author) Commented:
I've added the line above, but no change at all. Could there be something else behind this problem?

The machine is Exchange, yes.

Thanks for your efforts.
0
 
Pete Long (Technical Consultant) Commented:
Hang on! You have an HTTPS rule? Is the OWA secured with SSL? (i.e. https://<ipaddress>)

If so, you will need

static (inside,outside) tcp interface https OWASERVER https dns netmask 255.255.255.255 0 0
access-list inbound permit tcp any interface outside eq https

And you also need to let the server out on TCP ports 80 and 443 (HTTPS).
You only have one OUTBOUND rule, and it's not applied to an interface.

You are missing

access-group acl_outbound in interface inside

That applies this line you already have (access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www).

You will also have to let out HTTPS if your OWA is secured (if the above line IS for the OWA server, then)

access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq https

will do the trick.

0
 
rsivanandan Commented:
A couple of things that don't look correct, but you'll have to confirm this before we proceed:

>> 194.13.235.6: is this a free public IP address that you want to use for OWA? If so, you need to make these changes:

static (inside,outside) 194.13.235.6 <InternalExchangeSvrIP> netmask 255.255.255.255

access-list outside_in permit tcp any host 194.13.235.6 eq www (or https) (Depending on what you use)

access-group outside_in in interface outside

And most importantly, you need to remove this line:

>>global (outside) 1 OWASERVER

Cheers,
Rajesh
0
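The three mistakes pointed out above (an access-list that is never bound with access-group, a static whose outside port does not match what the bound ACL permits, and a global PAT entry that reuses the server's own address) are all visible in a `write terminal` dump before anything is tested from the internet. The following script is an added example, not code from this thread or from Cisco: it parses the handful of PIX 6.3 statements involved and reports those inconsistencies. The two embedded configs are constructed; the first is cut down from the original poster's first dump, the second applies the fixes given in the answers. The port-name table and the `audit` function are assumptions of this example, not PIX features.

```python
"""Audit a PIX 6.3 style config for the inbound-forwarding mistakes discussed above."""

# Constructed sample, cut down from the first config posted in the thread (not a full PIX config).
BROKEN_CONFIG = """\
access-list inbound permit tcp any host 194.13.235.6
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
global (outside) 1 interface
global (outside) 1 194.13.235.6
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 194.13.235.6 www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Constructed sample applying the thread's fixes: static on the same port the ACL permits,
# the ACL bound to the outside interface, and no global PAT on the server's address.
FIXED_CONFIG = """\
name 194.13.235.6 OWASERVER
access-list inbound permit tcp any interface outside eq https
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface https OWASERVER https dns netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

# Assumed keyword table; PIX accepts more names, these are the ones the thread uses.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22, "telnet": 23}


def port_number(token):
    """Resolve a PIX port keyword or numeric port to an int (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


def parse_config(text):
    """Pull out the statements the audit needs; 'name' aliases are resolved to addresses."""
    names, acls, groups, statics, globals_ = {}, {}, {}, [], []
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                       # name ADDRESS ALIAS
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            # access-list NAME permit PROTO SRC DST [eq PORT]; only the port matters here
            port = port_number(t[t.index("eq") + 1]) if "eq" in t else None
            acls.setdefault(t[1], []).append({"proto": t[3], "port": port})
        elif t[0] == "access-group":             # access-group NAME in interface IFACE
            groups[t[1]] = {"dir": t[2], "iface": t[4]}
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (in,out) PROTO GLOBAL GPORT LOCAL LPORT ...; plain address statics are skipped
            statics.append({"proto": t[2], "gport": port_number(t[4]),
                            "local": names.get(t[5], t[5]), "lport": port_number(t[6])})
        elif t[0] == "global":                   # global (IFACE) ID ADDRESS|interface
            globals_.append(names.get(t[3], t[3]))
    return names, acls, groups, statics, globals_


def audit(text):
    """Return a list of findings; an empty list means none of the thread's mistakes were found."""
    _, acls, groups, statics, globals_ = parse_config(text)
    findings = []
    # 1. An ACL that is written but never bound does nothing (the missing access-group case).
    for name in acls:
        if name not in groups:
            findings.append(f"access-list {name} is never applied with access-group")
    # Ports permitted by ACLs that really are bound inbound on the outside interface.
    permitted = {e["port"] for name, g in groups.items() if g["iface"] == "outside"
                 for e in acls.get(name, [])}
    any_port = None in permitted                 # a permit without 'eq' covers every port
    forwarded = {s["gport"] for s in statics}
    # 2. A static whose outside port nothing permits: translated, then dropped by the ACL.
    for s in statics:
        if not any_port and s["gport"] not in permitted:
            findings.append(f"static forwards outside port {s['gport']} but no applied ACL permits it")
        if s["gport"] != s["lport"]:
            findings.append(f"static maps outside port {s['gport']} to inside port {s['lport']}; "
                            f"clients must connect to port {s['gport']}")
    # 3. A permit with nothing behind it: the port is open but no static serves it.
    for p in sorted(x for x in permitted if x is not None and x not in forwarded):
        findings.append(f"port {p} is permitted inbound but no static forwards it")
    # 4. The server's address used as a global PAT address while also being a static target.
    for addr in globals_:
        if any(s["local"] == addr for s in statics):
            findings.append(f"global (outside) uses {addr}, which is also a static target; remove it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Run against the constructed broken config it reports the dangling `inbound` ACL, the 3389-to-80 static that no permit matches, the www/https permits with no static behind them, and the `global (outside)` entry on the server address; the fixed config produces no findings. The parser only understands the statement shapes used in this thread, so unusual ACL syntax should be checked by hand rather than trusted to it.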
 
holtis (Author) Commented:
Hi folks.

I tried all of the above suggestions without any luck, so now I have done a reset of the device.

We have an external IP address: 10.0.0.1 (dummy)
The internal interface of the pix is 194.13.235.210
Our internal exchange has the ip 194.13.235.6

Finally, we would like to be able to access the Exchange via www and https, but at the moment it doesn't matter as long as we get access.

I thought a reset could be a good way to start all over again.

Could anyone write a step-by-step suggestion on how I should overcome this problem?

I have tried a number of guides on different sites, and once I type externalip/exchange into my browser it makes no difference.

I'm very thankful for all your help.


Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 194.13.235.210 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 194.13.235.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 194.13.235.211-194.13.235.242 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:3dcd9ac58bc6d882ba99aacc1e2c964e
: end
[OK]
0
 
Pete Long (Technical Consultant) Commented:
OK, how do you access OWA internally?

a. http://servername/exchange

or

b. https://servername/exchange
0
 
holtis (Author) Commented:
Both alternatives are possible at the moment.

Thanks again
0
 
rsivanandan Commented:
You're using public IPs on your internal network?

Cheers,
Rajesh
0
 
holtis (Author) Commented:
Thanks a lot PeteLong, that worked out fine.

Thanks to everyone else as well for helping out.
0
 
Pete Long (Technical Consultant) Commented:
ThanQ
0