Setting up OWA and Email through Cisco ASA firewall

I currently have a Cisco ASA 5510 firewall and an ISA 2004 server running. The ISA server has 1.2.3.242 on external and the Cisco has 1.2.3.243 on external. Both of them are plugged into the router which is 1.2.3.241. The MX records point to mail.domain.com which points to 1.2.3.242 which is our ISA server. Our OWA access goes through the 1.2.3.242 as well which is our ISA server. Our VPN connects through the Cisco on 1.2.3.243 so all of our clients connect to that address. I would like to pull the ISA server from the network. Is there a way to get email and OWA to go through the Cisco and not have to change any of the MX records and still be able to connect our VPN through the current address? Basically I want the Cisco to accept traffic coming in for 1.2.3.242 and 1.2.3.243. We don't have any other servers that need to be connected to the outside, only the Cisco. The Cisco will need to forward mail to Vamsoft ORF server and then it forwards mail on to the Exchange server. The OWA will need to go directly to the Exchange server. Is this possible?
Wyandotte asked:

rsivanandan commented:
Pull out the ISA server and follow the steps below.

Assuming your Exchange server has its default gateway set up as the PIX (after the change, of course), this is how you do it:

static (inside,outside) 1.2.3.242 <InternalIP Of VAMSoft> netmask 255.255.255.255

access-list <Name> permit tcp any host 1.2.3.242 eq 443

access-group <Name> in interface outside

Cheers,
Rajesh
0
lrmoore commented:
>The Cisco will need to forward mail to Vamsoft ORF server and then it forwards mail on to the Exchange server. The OWA will need to go directly to the Exchange server. Is this possible?

Yes it is possible with port redirect.

static (inside,outside) tcp 1.2.3.242 smtp <VAMSoftIP> smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.242 https <ExchangeIP> https netmask 255.255.255.255
access-list outside_access_in permit tcp any host 1.2.3.242 eq smtp
access-list outside_access_in permit tcp any host 1.2.3.242 eq https
access-group outside_access_in in interface outside
0
Wyandotte (author) commented:
Will I need to bring down the ISA server first or do I just put in those entries and then everything starts going through the Cisco? My main concern that I just can't grasp in my head is: when email comes in looking for the address 242, how does it get to the Cisco at 243?
0

rsivanandan commented:
You can just unplug the ISA's interface going to the router and test it that way.

Basically when the traffic hits the edge router, it comes to the Cisco and follows from there. How does the traffic get there? That will be taken care of by the ISP. The only thing that you need to make sure of is that you make routing provisions in the edge router to send the traffic to the Cisco.

Cheers,
Rajesh
0
Wyandotte (author) commented:
I don't think I am being very clear. Here is our setup. Our Internet service comes in using 1.2.3.238. This is on the WAN port of the router. The other side of the router is 1.2.3.241. That connects to an HP ProCurve Ethernet switch. The ISA has the address of 1.2.3.242 and is connected to the same switch. The other NIC of the ISA is on the local network with IP 10.10.10.2. The Cisco has the IP of 1.2.3.243 and is connected to the ProCurve switch as well. The internal side is 10.10.10.1. Our IP block is 1.2.3.242-254. As far as the ISP is concerned, I believe that is all that matters. When email gets sent from someone it comes in from the ISP looking for 1.2.3.242. If I pull the plug on the ISA then 1.2.3.242 doesn't exist anymore, so how does the mail know to go to 1.2.3.243 instead of 1.2.3.242? Is it clear as mud?
0
rsivanandan commented:
One of the classic questions that always gets asked :-)

Okay, assume that you have nothing configured on your side except for the ISP. Now this is how ISP routing works. Whatever packets come for the 1.2.3.242-254 range, the ISP would simply route them to your network. Now to utilize that, you essentially do not have to assign the IP on an *interface*.

The knowledge we provide in the form of the static command (mentioned above) tells the PIX what to do with the traffic that has a destination address of 1.2.3.242: it translates the IP into the internal mail server and sends it to the respective server.

Now if the server is configured with the default gateway of 10.10.10.1, the reply will come and hit the PIX, which in turn converts that into the public IP (1.2.3.242 as source) and sends it out to the ISP. The ISP routes this packet to the Internet since the source IP is 1.2.3.242 and they recognize that it is indeed coming from the link given to you.

So the key points are these:

1. You need to have the static defined for the PIX to know what to do (otherwise it will drop the packet).
2. You need to have the access-list to allow the traffic to come in.
3. You need the internal machine to which the connection goes (in this case the mail server/proxy) to have its default gateway as the PIX. This would apply to all the internal machines as well, if you want them to go out to the Internet through the PIX.

Hope that explains.

Cheers,
Rajesh
0
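To make key points 1 and 2 concrete, here is a small Python model, added here and not part of the thread, that parses the static/access-list lines from lrmoore's answer and decides what the firewall does with an inbound TCP connection to 1.2.3.242. The internal addresses 10.10.10.20 (ORF) and 10.10.10.30 (Exchange) are assumed placeholders, and the model checks only the two conditions Rajesh lists, not the full ASA packet path.

```python
# Constructed sample config: lrmoore's port redirects with placeholder internal IPs.
CONFIG = """
static (inside,outside) tcp 1.2.3.242 smtp 10.10.10.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.242 https 10.10.10.30 https netmask 255.255.255.255
access-list outside_access_in permit tcp any host 1.2.3.242 eq smtp
access-list outside_access_in permit tcp any host 1.2.3.242 eq https
access-group outside_access_in in interface outside
"""

# ASA service keywords that may appear instead of a numeric port.
PORTS = {"smtp": 25, "https": 443, "www": 80}


def to_port(tok: str) -> int:
    """Resolve an ASA service keyword or a numeric port string."""
    return PORTS[tok] if tok in PORTS else int(tok)


def parse(config: str):
    """Return (statics, acls, applied) built from the three command types used here."""
    statics = {}  # (public_ip, public_port) -> (internal_ip, internal_port)
    acls = {}     # acl name -> list of permitted (public_ip, port)
    applied = {}  # interface name -> acl name bound with access-group
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and t[2] == "tcp":
            statics[(t[3], to_port(t[4]))] = (t[5], to_port(t[6]))
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"] and t[4] == "any":
            # Only the 'permit tcp any host <ip> eq <port>' form is modelled.
            acls.setdefault(t[1], []).append((t[6], to_port(t[8])))
        elif t[0] == "access-group":
            applied[t[4]] = t[1]
    return statics, acls, applied


def inbound(config: str, dst_ip: str, dst_port: int):
    """Decide the fate of a new connection arriving on 'outside' for dst_ip:dst_port."""
    statics, acls, applied = parse(config)
    if (dst_ip, dst_port) not in statics:
        return ("drop", "no static for the destination")          # key point 1
    acl = applied.get("outside")
    if acl is None or (dst_ip, dst_port) not in acls.get(acl, []):
        return ("deny", "no access-list permits the flow")         # key point 2
    ip, port = statics[(dst_ip, dst_port)]
    return ("translate", f"{ip}:{port}")
```

Each statement appears only once here; on the real ASA the reply path also depends on the server's default gateway (key point 3), which this model does not cover.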

Wyandotte (author) commented:
Excellent, That exactly answers my question. I will give that a shot. Thanks.
0
rsivanandan commented:
:-) Lemme know.

Cheers,
Rajesh
0
Wyandotte (author) commented:
I haven't had a chance to try it but it looks like it will work. I wanted to go ahead and close this question. Thanks for your help.
0