[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

OWA through Cisco ASA firewall

Posted on 2008-01-30
5
Medium Priority
?
1,209 Views
Last Modified: 2010-05-18
hello i have set up exchange OWA to use SSL on port 9876.
Internally ,it is working fine ( https://MyExchSrvr:9876/exchange )

I have set up cisco ASA 5500  to port forward port 9876 to the Exchange server.
i copied the setting which were in place for port 110 & 25.

when run the test from external  ip address for port 110 and 25  i get
TCP port 110 and 25: LISTENING                     But for port 9876 i get  

TCP port 9876     : FILTERED

i do not have much experience with ASA 5500, so i know its some setting in ASA which i have not configured properly.
Please advise
0
Comment
Question by:icdl101
  • 3
  • 2
5 Comments
 
LVL 12

Expert Comment

by:tgtran
ID: 20782519
Please post ASA config
0
 

Author Comment

by:icdl101
ID: 20782741
asdm image disk0:/asdm512-k8.bin
asdm location Exchange_Server 255.255.255.255 Inside
asdm location 10.17.18.215 255.255.255.255 Inside
asdm location DC 255.255.255.255 Inside
asdm location 192.168.2.0 255.255.255.252 Outside
asdm group Servers Inside
no asdm history enable
: Saved
:
ASA Version 7.1(2)
!
hostname gateasapix
domain-name MyDomain.com
enable password abcdefghijklmno encrypted
names
name 192.168.1.5 Exchange_Server
name 192.168.1.2 DC description Primary
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 10.10.10.2 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.248
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
banner login UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
ftp mode passive
clock timezone BOT -4
dns domain-lookup Inside
dns server-group DNS1
 name-server 205.214.192.201
dns server-group DefaultDNS
 name-server 205.214.192.202
 domain-name MyDomain.com
object-group service Basic_Internet tcp
 description Includes all basic internet protocols for web accesshtt
 port-object eq https
 port-object eq www
 port-object eq ssh
 port-object eq ftp
 port-object eq domain
object-group service DNS tcp-udp
 port-object eq domain
object-group network Servers
 network-object Exchange_Server 255.255.255.255
 network-object DC 255.255.255.255
object-group service Mail tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
access-list Inside_access_in extended permit ip 172.16.10.0 255.255.255.0 192.168.2.0 255.255.255.252
access-list Inside_access_in remark Internet Access
access-list Inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group Mail inactive
access-list Inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain inactive
access-list Inside_access_in extended permit ip object-group Servers any inactive
access-list Outside_access_in extended permit icmp any 192.168.1.0 255.255.255.0 inactive
access-list Outside_access_in extended permit tcp any interface Outside object-group Mail
access-list Inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.252
access-list Inside_nat0_outbound extended permit ip any 192.168.1.80 255.255.255.240
access-list Tristate_Lan standard permit 192.168.1.0 255.255.255.0
access-list Tristate_Lan standard permit 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool remote_vpn 192.168.2.1-192.168.2.2 mask 255.255.255.0
ip local pool tri_remote_vpn 192.168.1.80-192.168.1.90 mask 255.255.255.0
icmp permit 192.168.2.0 255.255.255.0 Outside
icmp permit 192.168.1.0 255.255.255.0 Inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 192.168.1.0 255.255.255.0
static (Inside,Outside) tcp interface smtp Exchange_Server smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface pop3 Exchange_Server pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface 6245 Exchange_Server 6245 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 10.10.10.1 1
route Inside 172.16.10.0 255.255.255.0 192.168.1.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 3
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Tri_Remote internal
group-policy Tri_Remote attributes
 dns-server value 192.168.1.2 205.214.192.201
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tri_LAN
 split-dns none
username kjason password abcdefghijklmo encrypted privilege 15
username kjason attributes
 vpn-group-policy Tri_Remote
username john_db password abcdefghijklmo encrypted
username john_db attributes
 vpn-group-policy Tri_Remote
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 239.126.164.89 255.255.255.255 Outside
http 239.126.164.90 255.255.255.255 Outside
http 192.168.2.0 255.255.255.0 Outside
http 192.168.1.0 255.255.255.0 Inside
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
auth-prompt accept AUTHORIZATION ALLOWED
auth-prompt reject AUTHORIZATION DENIED
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  30
tunnel-group Tri_Remote type ipsec-ra
tunnel-group Tri_Remote general-attributes
 address-pool remote_vpn
 default-group-policy Tri_Remote
tunnel-group Tri_Remote ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 239.126.164.89 255.255.255.255 Outside
ssh 239.126.164.90 255.255.255.255 Outside
ssh 192.168.2.0 255.255.255.0 Outside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 10.1.1.0 255.255.255.248 management
ssh timeout 5
ssh version 2
console timeout 5
management-access Inside
dhcpd address 192.168.1.200-192.168.1.210 Inside
dhcpd address 10.1.1.2-10.1.1.6 management
dhcpd dns 205.214.192.201 205.214.192.202
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Cryptochecksum:6b8b5545325c874e2cf02fb1977a892d
: end

0
 
LVL 12

Expert Comment

by:tgtran
ID: 20782886
You need to add 9876 into the Mail service object

object-group service Mail tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
 port-object eq 9876

0
 
LVL 12

Accepted Solution

by:
tgtran earned 2000 total points
ID: 20782895
Another thing:
Your static statement shows 6245
static (Inside,Outside) tcp interface 6245 Exchange_Server 6245 netmask 255.255.255.255

Are you using 6245 or 9876?  Just make sure this matches with Mail service object
0
 

Author Closing Comment

by:icdl101
ID: 31426585
yes ur  correct it should be 9876 and in security policy i allowed in destination port service = port 9876 and voila it worked.
Thank you for such quick response.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
In my humble opinion (IMHO), TouchDown from Symantec is the best in class for this type of application, but Symantec has end-of-lifed it and although one can keep using it, it will no longer be supported or upgraded.  Time to look for alternatives t…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Planning to migrate your EDB file(s) to a new or an existing Outlook PST file? This video will guide you how to convert EDB file(s) to PST. Besides this, it also describes, how one can easily search any item(s) from multiple folders or mailboxes…
Suggested Courses
Course of the Month9 days, 15 hours left to enroll

591 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question