[Webinar] Streamline your web hosting managementRegister Today


OWA through Cisco ASA firewall

Posted on 2008-01-30
Medium Priority
Last Modified: 2010-05-18
hello i have set up exchange OWA to use SSL on port 9876.
Internally ,it is working fine ( https://MyExchSrvr:9876/exchange )

I have set up cisco ASA 5500  to port forward port 9876 to the Exchange server.
i copied the setting which were in place for port 110 & 25.

when run the test from external  ip address for port 110 and 25  i get
TCP port 110 and 25: LISTENING                     But for port 9876 i get  

TCP port 9876     : FILTERED

i do not have much experience with ASA 5500, so i know its some setting in ASA which i have not configured properly.
Please advise
Question by:icdl101
  • 3
  • 2
LVL 12

Expert Comment

ID: 20782519
Please post ASA config

Author Comment

ID: 20782741
asdm image disk0:/asdm512-k8.bin
asdm location Exchange_Server Inside
asdm location Inside
asdm location DC Inside
asdm location Outside
asdm group Servers Inside
no asdm history enable
: Saved
ASA Version 7.1(2)
hostname gateasapix
domain-name MyDomain.com
enable password abcdefghijklmno encrypted
name Exchange_Server
name DC description Primary
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone BOT -4
dns domain-lookup Inside
dns server-group DNS1
dns server-group DefaultDNS
 domain-name MyDomain.com
object-group service Basic_Internet tcp
 description Includes all basic internet protocols for web accesshtt
 port-object eq https
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq domain
object-group service DNS tcp-udp
 port-object eq domain
object-group network Servers
 network-object Exchange_Server
 network-object DC
object-group service Mail tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
access-list Inside_access_in extended permit ip
access-list Inside_access_in remark Internet Access
access-list Inside_access_in extended permit ip any
access-list Inside_access_in extended permit tcp any object-group Mail inactive
access-list Inside_access_in extended permit udp any eq domain inactive
access-list Inside_access_in extended permit ip object-group Servers any inactive
access-list Outside_access_in extended permit icmp any inactive
access-list Outside_access_in extended permit tcp any interface Outside object-group Mail
access-list Inside_nat0_outbound extended permit ip any
access-list Inside_nat0_outbound extended permit ip any
access-list Tristate_Lan standard permit
access-list Tristate_Lan standard permit
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool remote_vpn mask
ip local pool tri_remote_vpn mask
icmp permit Outside
icmp permit Inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10
static (Inside,Outside) tcp interface smtp Exchange_Server smtp netmask
static (Inside,Outside) tcp interface pop3 Exchange_Server pop3 netmask
static (Inside,Outside) tcp interface 6245 Exchange_Server 6245 netmask
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 1
route Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 3
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Tri_Remote internal
group-policy Tri_Remote attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tri_LAN
 split-dns none
username kjason password abcdefghijklmo encrypted privilege 15
username kjason attributes
 vpn-group-policy Tri_Remote
username john_db password abcdefghijklmo encrypted
username john_db attributes
 vpn-group-policy Tri_Remote
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
http server enable
http Outside
http Outside
http Outside
http Inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept AUTHORIZATION ALLOWED
auth-prompt reject AUTHORIZATION DENIED
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  30
tunnel-group Tri_Remote type ipsec-ra
tunnel-group Tri_Remote general-attributes
 address-pool remote_vpn
 default-group-policy Tri_Remote
tunnel-group Tri_Remote ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh Outside
ssh Outside
ssh Outside
ssh Inside
ssh management
ssh timeout 5
ssh version 2
console timeout 5
management-access Inside
dhcpd address Inside
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
: end

LVL 12

Expert Comment

ID: 20782886
You need to add 9876 into the Mail service object

object-group service Mail tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
 port-object eq 9876

LVL 12

Accepted Solution

tgtran earned 2000 total points
ID: 20782895
Another thing:
Your static statement shows 6245
static (Inside,Outside) tcp interface 6245 Exchange_Server 6245 netmask

Are you using 6245 or 9876?  Just make sure this matches with Mail service object

Author Closing Comment

ID: 31426585
yes ur  correct it should be 9876 and in security policy i allowed in destination port service = port 9876 and voila it worked.
Thank you for such quick response.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
In my humble opinion (IMHO), TouchDown from Symantec is the best in class for this type of application, but Symantec has end-of-lifed it and although one can keep using it, it will no longer be supported or upgraded.  Time to look for alternatives t…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Planning to migrate your EDB file(s) to a new or an existing Outlook PST file? This video will guide you how to convert EDB file(s) to PST. Besides this, it also describes, how one can easily search any item(s) from multiple folders or mailboxes…
Suggested Courses
Course of the Month9 days, 15 hours left to enroll

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question