OWA through Cisco ASA firewall

hello i have set up exchange OWA to use SSL on port 9876.
Internally ,it is working fine ( https://MyExchSrvr:9876/exchange )

I have set up cisco ASA 5500  to port forward port 9876 to the Exchange server.
i copied the setting which were in place for port 110 & 25.

when run the test from external  ip address for port 110 and 25  i get
TCP port 110 and 25: LISTENING                     But for port 9876 i get  

TCP port 9876     : FILTERED

i do not have much experience with ASA 5500, so i know its some setting in ASA which i have not configured properly.
Please advise
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TG TranIT guyCommented:
Please post ASA config
icdl101Author Commented:
asdm image disk0:/asdm512-k8.bin
asdm location Exchange_Server Inside
asdm location Inside
asdm location DC Inside
asdm location Outside
asdm group Servers Inside
no asdm history enable
: Saved
ASA Version 7.1(2)
hostname gateasapix
domain-name MyDomain.com
enable password abcdefghijklmno encrypted
name Exchange_Server
name DC description Primary
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone BOT -4
dns domain-lookup Inside
dns server-group DNS1
dns server-group DefaultDNS
 domain-name MyDomain.com
object-group service Basic_Internet tcp
 description Includes all basic internet protocols for web accesshtt
 port-object eq https
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq domain
object-group service DNS tcp-udp
 port-object eq domain
object-group network Servers
 network-object Exchange_Server
 network-object DC
object-group service Mail tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
access-list Inside_access_in extended permit ip
access-list Inside_access_in remark Internet Access
access-list Inside_access_in extended permit ip any
access-list Inside_access_in extended permit tcp any object-group Mail inactive
access-list Inside_access_in extended permit udp any eq domain inactive
access-list Inside_access_in extended permit ip object-group Servers any inactive
access-list Outside_access_in extended permit icmp any inactive
access-list Outside_access_in extended permit tcp any interface Outside object-group Mail
access-list Inside_nat0_outbound extended permit ip any
access-list Inside_nat0_outbound extended permit ip any
access-list Tristate_Lan standard permit
access-list Tristate_Lan standard permit
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool remote_vpn mask
ip local pool tri_remote_vpn mask
icmp permit Outside
icmp permit Inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10
static (Inside,Outside) tcp interface smtp Exchange_Server smtp netmask
static (Inside,Outside) tcp interface pop3 Exchange_Server pop3 netmask
static (Inside,Outside) tcp interface 6245 Exchange_Server 6245 netmask
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 1
route Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 3
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Tri_Remote internal
group-policy Tri_Remote attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tri_LAN
 split-dns none
username kjason password abcdefghijklmo encrypted privilege 15
username kjason attributes
 vpn-group-policy Tri_Remote
username john_db password abcdefghijklmo encrypted
username john_db attributes
 vpn-group-policy Tri_Remote
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
http server enable
http Outside
http Outside
http Outside
http Inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept AUTHORIZATION ALLOWED
auth-prompt reject AUTHORIZATION DENIED
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  30
tunnel-group Tri_Remote type ipsec-ra
tunnel-group Tri_Remote general-attributes
 address-pool remote_vpn
 default-group-policy Tri_Remote
tunnel-group Tri_Remote ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh Outside
ssh Outside
ssh Outside
ssh Inside
ssh management
ssh timeout 5
ssh version 2
console timeout 5
management-access Inside
dhcpd address Inside
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
: end

TG TranIT guyCommented:
You need to add 9876 into the Mail service object

object-group service Mail tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
 port-object eq 9876

TG TranIT guyCommented:
Another thing:
Your static statement shows 6245
static (Inside,Outside) tcp interface 6245 Exchange_Server 6245 netmask

Are you using 6245 or 9876?  Just make sure this matches with Mail service object

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
icdl101Author Commented:
yes ur  correct it should be 9876 and in security policy i allowed in destination port service = port 9876 and voila it worked.
Thank you for such quick response.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.