Solved

Access OWA via Cisco PIX 501

Posted on 2006-11-27
Last Modified: 2008-02-01
I have tried to set up my PIX to be able to access OWA from the internet. I have tried several solutions but no luck so far.


This is my config:
Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b2WtfYSCIGoHQXcx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixie
domain-name amanninformatik.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 194.13.235.6
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host XXX.XXX.XXX.XXX eq www
access-list outside_inbound_nat0_acl permit ip interface outside host 194.13.235.6
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 194.13.235.210 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.255 outside
pdm location 194.13.235.6 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 194.13.235.6
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 194.13.235.6 www netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 194.13.235.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.6 255.255.255.255 inside
telnet 194.13.235.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:24196cd08af07da05d9c3da0b34b5536
: end
[OK]

What am I doing wrong?

Question by: holtis

14 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 18019406
OK, a couple of small changes:


name 194.13.235.6 OWASERVER
static (inside,outside) tcp interface www OWASERVER www dns netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any interface outside eq www
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18019410
assuming 194.13.235.6 is the OWA server of course :)
0
 

Author Comment

by:holtis
ID: 18019566
thanks for your answers.

Still no luck, exactly the same behaviour.


Now the config looks like this

Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password b2WtfYSCIGoHQXcx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixie
domain-name amanninformatik.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 194.13.235.6 OWASERVER
access-list inbound permit tcp any host OWASERVER
access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host 87.102.145.213 eq www
access-list outside_inbound_nat0_acl permit ip interface outside host OWASERVER
access-list outside_access_in permit tcp any interface outside eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 194.13.235.210 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 87.102.145.213 255.255.255.255 outside
pdm location OWASERVER 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 OWASERVER
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www OWASERVER www dns netmask 255.255.255.255 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 194.13.235.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.6 255.255.255.255 inside
telnet 194.13.235.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
username admin password xxxxxxxxxxxxxxxxxx encrypted privilege 2
terminal width 80
Cryptochecksum:7f610b49ec7f89785c675c3325832ac1
: end
[OK]

Thanks again
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18019605
Is Exchange running through this PIX? If so, I'd expect to see

no fixup protocol smtp 25

not

fixup protocol smtp 25

Anyway, that's not the problem you posted :)

Anyway,

you're missing the following line:

access-group inbound in interface outside
0
 

Author Comment

by:holtis
ID: 18019714
I've added the line above but no change at all. Could there be something else behind this problem?

The machine is Exchange, yes.

thanks for your efforts
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18020038
Hang on! You have an https rule? Is the OWA secured with SSL? (i.e. httpS://<ipaddress>)

if so you will need

static (inside,outside) tcp interface https OWASERVER https dns netmask 255.255.255.255 0 0
access-list inbound permit tcp any interface outside eq https

And you also need to let the Server out on TCP ports 80 and 443 (https).
You only have 1 OUTBOUND rule and it's not applied to an interface.

you are missing

access-group acl_outbound in interface inside

That applies this line you already have (access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www).

You will also have to let out https if your OWA is secured (if the above line IS for the OWA server, then)

access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq https

will do the trick.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18020106
A couple of things don't look correct, but you'll have to confirm this before we proceed:

>>194.13.235.6 - is this a free public IP address that you want to use for OWA? If so, you need to make these changes:

static(inside,outside) 194.13.235.6 <InternalExchangeSvrIP> netmask 255.255.255.255

access-list outside_in permit tcp any host 194.13.235.6 eq www (or https) (Depending on what you use)

access-list outside_in in interface outside

and most importantly you need to remove this line:

>>global (outside) 1 OWASERVER

Cheers,
Rajesh
0
 

Author Comment

by:holtis
ID: 18026371
Hi Folks.

I tried all of the above suggestions without any luck, so now I have done a reset of the device.

We have an external IP address: 10.0.0.1 (dummy)
The internal interface of the pix is 194.13.235.210
Our internal exchange has the ip 194.13.235.6

Finally, we would like to be able to access the Exchange via www and https, but at the moment it doesn't matter as long as we get access.

I thought a reset could be a good way to start all over again.

Could anyone write some step-by-step suggestions on how I should overcome this problem?

I have tried a number of guides on different sites, and once I type the externalip/exchange into my browser it makes no difference.

I'm very thankful for all your help.


Result of firewall command: "write terminal"
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 194.13.235.210 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 194.13.235.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 194.13.235.211-194.13.235.242 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:3dcd9ac58bc6d882ba99aacc1e2c964e
: end
[OK]
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18026562
OK, how do you access OWA internally?

a. http://servername/exchange

or

b. https://servername/exchange
0
 

Author Comment

by:holtis
ID: 18026624
Both alternatives are possible at the moment.

Thanks again
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 18028725
OK, we will go with SSL then.

Add the following lines:


name 194.13.235.6 Exchange
static (inside,outside) tcp interface https Exchange https dns netmask 255.255.255.255 0 0
access-list inbound permit tcp any interface outside eq https
access-list outbound permit ip any any
access-group inbound in interface outside
access-group outbound in interface inside

NB: This allows all ports outbound, and https back in, while forwarding it to your Exchange server.
0
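The recurring mistakes in this thread are configuration-shape problems: an access-list that is defined but never applied with access-group (Pete's comment ID 18019605), a static port forward with no matching permit in the inbound ACL, and a global pool that hands out the OWA server's own address (rsivanandan's comment ID 18020106). The following is an added example, not code from the thread or from Cisco, and it shows a small lint pass that catches those four patterns in a PIX 6.3-style "write terminal" dump before the config is applied. The two sample configs are constructed here, modelled on the second config posted above and on the accepted solution; the checker only understands the "static (in,out) tcp ..." port-forward form used in this thread and evaluates ports only, not source or destination fields.

```python
"""Added example, not from the thread: a coarse lint pass over a PIX 6.3-style
configuration that flags the mistakes raised above. It is a text screen, not a
policy simulator, and only parses the 'static (in,out) tcp ...' form."""
import re
from collections import defaultdict

# PIX accepts well-known service names in place of port numbers.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25", "ssh": "22"}


def norm_port(token):
    return PORT_NAMES.get(token.lower(), token)


def parse_pix(text):
    """Pull out the statements the checks need; everything else is ignored."""
    cfg = {"names": {}, "acls": defaultdict(list), "groups": {}, "statics": [], "globals": []}
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok or line.startswith(":"):
            continue
        if tok[0] == "name" and len(tok) >= 3:           # name <ip> <alias>
            cfg["names"][tok[2]] = tok[1]
        elif tok[0] == "access-list" and len(tok) >= 3:  # access-list <name> <entry...>
            cfg["acls"][tok[1]].append(tok[2:])
        elif tok[0] == "access-group":
            m = re.match(r"access-group (\S+) in interface (\S+)", line)
            if m:
                cfg["groups"][m.group(2)] = m.group(1)   # interface -> applied ACL
        elif tok[0] == "static":
            m = re.match(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)", line)
            if m:
                cfg["statics"].append({"in": m.group(1), "out": m.group(2),
                                       "gaddr": m.group(3), "gport": norm_port(m.group(4)),
                                       "laddr": m.group(5), "lport": norm_port(m.group(6))})
        elif tok[0] == "global":
            m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
            if m:
                cfg["globals"].append({"iface": m.group(1), "id": m.group(2), "addr": m.group(3)})
    return cfg


def resolve(cfg, token):
    """Map a 'name' alias back to its address; plain addresses pass through."""
    return cfg["names"].get(token, token)


def acl_permits_port(entries, port):
    """Port-only check: does some 'permit tcp/ip' entry cover this port?
    Source and destination fields are deliberately not evaluated."""
    for e in entries:
        if len(e) < 2 or e[0] != "permit" or e[1] not in ("tcp", "ip"):
            continue
        if "eq" not in e:                       # no port qualifier: all ports
            return True
        if norm_port(e[e.index("eq") + 1]) == port:
            return True
    return False


def lint(cfg):
    findings = []
    # 1. An access-list that no access-group applies does nothing.
    applied = set(cfg["groups"].values())
    for name in cfg["acls"]:
        if name not in applied:
            findings.append(f"access-list {name} is defined but never applied with access-group")
    # 2. An access-group naming a list that does not exist.
    for iface, name in cfg["groups"].items():
        if name not in cfg["acls"]:
            findings.append(f"access-group on {iface} references missing access-list {name}")
    # 3. Every tcp static needs a matching permit in the ACL applied to its outside interface.
    for s in cfg["statics"]:
        entries = cfg["acls"].get(cfg["groups"].get(s["out"]), [])
        if not acl_permits_port(entries, s["gport"]):
            findings.append(f"static for {s['laddr']} port {s['gport']} has no matching permit "
                            f"in the ACL applied to {s['out']}")
    # 4. A global pool address that is also a server sitting behind a static.
    servers = {resolve(cfg, s["laddr"]) for s in cfg["statics"]}
    for g in cfg["globals"]:
        if resolve(cfg, g["addr"]) in servers:
            findings.append(f"global ({g['iface']}) {g['id']} uses {g['addr']}, which is also "
                            f"a server behind a static")
    return findings


# Constructed sample modelled on the second config posted above (not the full config).
BROKEN_CONFIG = """\
name 194.13.235.6 OWASERVER
access-list inbound permit tcp any host OWASERVER
access-list acl_outbound permit tcp 10.1.6.0 255.255.255.0 any eq www
access-list outside_in permit tcp any interface outside eq www
global (outside) 1 interface
global (outside) 1 OWASERVER
static (inside,outside) tcp interface www OWASERVER www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https OWASERVER https dns netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Constructed sample modelled on the lines in the accepted solution.
FIXED_CONFIG = """\
name 194.13.235.6 Exchange
static (inside,outside) tcp interface https Exchange https dns netmask 255.255.255.255 0 0
access-list inbound permit tcp any interface outside eq https
access-list outbound permit ip any any
access-group inbound in interface outside
access-group outbound in interface inside
global (outside) 1 interface
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        found = lint(parse_pix(text))
        print(f"[{label}] {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run against the constructed "broken" sample it reports four findings (two unapplied access-lists, the https static with no inbound permit, and the global using the server address); against the "fixed" sample it reports none. A check like this belongs in change review, not in place of a real policy test: it does not know which interface an ACL entry's destination refers to, so a permit on the wrong host or interface would still pass check 3.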
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18029092
You're using a public IP on your internal network?

Cheers,
Rajesh
0
 

Author Comment

by:holtis
ID: 18035290
Thanks a lot PeteLong, that worked out fine.

Thanks to everyone else as well for helping out.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18039206
ThanQ
0