quinster56

asked on

OWA works internally but not externally

Just inherited a new PIX and was assigned the task of getting OWA to work.
Verified settings on the IIS server, which now works internally.
Verified static mapping and ports necessary for OWA.
Still does not work externally.

Here is the config with addresses modified to protect the innocent.

Thanks very much in advance.
GQB

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 100full
interface ethernet4 auto
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 anx security4
nameif ethernet3 sapvpn security99
nameif ethernet4 anx_inside security98
nameif ethernet5 inft5 security10
enable password ********** encrypted
passwd .********** encrypted
hostname ********
domain-name *********.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.120.2 int_webserver2
name x.x.251.102 ext_webserver2
name x.x.120.3 int_ftpserver2
name x.x.251.103 ext_ftpserver2
name x.x.251.101 ext_proofpoint
name x.x.0.0 net_FrameAll
name x.x.5.0 net_M
name x.x.251.104 ext_saprouter
name x.x.176.21 int_saprouter
name x.x.210.3 Cust1_IPSEC_GW
name x.x.210.88 Cust1_Host2
name x.x.210.34 Cust1_Host1
name x.x.11.0 Location1
name x.x.120.4 int_supportwebserver
name x.x.251.105 ext_supportwebserver
name x.x.7.0 net_City1
name x.x.10.0 net_MI
name x.x.2.0 net_C
name x.x.8.0 net_D
name x.x.6.0 FHL
name x.x.251.106 ext_owa_webserver
name x.x.251.100 ext_webftpmailserver
name x.x.31.0 MLN
name x.x.227.98 saprouter_oss
name x.x.106.129 saposs_network
name x.x.49.30 int_webftpmailserver
name x.x.49.240 int_proofpoint
name x.x.49.215 int_owa_webserver
object-group service sg_proofpoint tcp
  description proofpoint required ports
  port-object eq ftp
  port-object eq ssh
  port-object eq https
  port-object eq www
  port-object eq smtp
  port-object eq 10010
  port-object eq 10000
object-group service sg_webftpmail tcp
  port-object eq ftp
  port-object eq pop3
  port-object eq https
  port-object eq www
object-group network Cust1_Hosts
  network-object Cust1_Host1 255.255.255.255
  network-object Cust1_Host2 255.255.255.255
access-list inside_access_in remark default allow outbound
access-list inside_access_in permit ip any any
access-list inside_access_in remark tcp outbound allow rule
access-list inside_access_in permit tcp any any
access-list inside_access_in remark ping inside out allow
access-list inside_access_in permit icmp any any
access-list inside_access_in remark udp allow rule
access-list inside_access_in permit udp any any
access-list inside_access_in remark default allow outbound
access-list inside_access_in remark tcp outbound allow rule
access-list inside_access_in remark ping inside out allow
access-list inside_access_in remark udp allow rule
access-list inside_access_in remark default allow outbound
access-list inside_access_in remark tcp outbound allow rule
access-list inside_access_in remark ping inside out allow
access-list inside_access_in remark udp allow rule
access-list inside_access_in remark default allow outbound
access-list inside_access_in remark tcp outbound allow rule
access-list inside_access_in remark ping inside out allow
access-list inside_access_in remark udp allow rule
access-list outside_access_in remark outside in icmp allow
access-list outside_access_in permit icmp any any
access-list outside_access_in remark allow rule for www traffic of WebServer2
access-list outside_access_in permit tcp any host ext_webserver2 eq www
access-list outside_access_in remark allow rule for www traffic of support.domain.com
access-list outside_access_in permit tcp any host ext_supportwebserver eq www
access-list outside_access_in remark allow rule for ftp traffic of FTPServer2
access-list outside_access_in permit tcp any host ext_ftpserver2 eq ftp
access-list outside_access_in remark allow proofpoint traffic
access-list outside_access_in permit tcp any host ext_proofpoint object-group sg_proofpoint
access-list outside_access_in remark allow web ftp mail for exchange
access-list outside_access_in remark allow SAProuter traffic
access-list outside_access_in permit tcp any host ext_saprouter eq 3299
access-list outside_access_in permit tcp any host ext_owa_webserver eq https
access-list outside_access_in permit tcp any host ext_owa_webserver eq 3101
access-list outside_access_in permit tcp any host ext_ftpserver2 eq 3389
access-list outside_access_in permit tcp any host x.x.251.107 eq 3389
access-list outside_access_in permit tcp any host x.x.251.108 eq 3389
access-list outside_access_in permit tcp any host x.x.251.109 eq 3389
access-list outside_access_in permit tcp any host x.x.251.21 eq 3389
access-list outside_access_in remark outside in icmp allow
access-list outside_access_in remark allow rule for www traffic of WebServer2
access-list outside_access_in remark allow rule for www traffic of support.domain.com
access-list outside_access_in remark allow rule for ftp traffic of FTPServer2
access-list outside_access_in remark allow proofpoint traffic
access-list outside_access_in remark allow web ftp mail for exchange
access-list outside_access_in remark allow SAProuter traffic
access-list outside_access_in remark outside in icmp allow
access-list outside_access_in remark allow rule for www traffic of WebServer2
access-list outside_access_in remark allow rule for www traffic of support.domain.com
access-list outside_access_in remark allow rule for ftp traffic of FTPServer2
access-list outside_access_in remark allow proofpoint traffic
access-list outside_access_in remark allow web ftp mail for exchange
access-list outside_access_in remark allow SAProuter traffic
access-list outside_access_in remark outside in icmp allow
access-list outside_access_in remark allow rule for www traffic of WebServer2
access-list outside_access_in remark allow rule for www traffic of support.domain.com
access-list outside_access_in remark allow rule for ftp traffic of FTPServer2
access-list outside_access_in remark allow proofpoint traffic
access-list outside_access_in remark allow web ftp mail for exchange
access-list outside_access_in remark allow SAProuter traffic
access-list outside_access_in permit tcp any host ext_webftpmailserver object-group sg_webftpmail
access-list outside_access_in permit tcp any host x.x.251.110 eq 3389
access-list outside_access_in permit tcp any host x.x.251.110 eq ica-citrix
access-list outside_access_in permit tcp any host ext_owa_webserver eq 3389
access-list sapvpn_outbound_nat0_acl remark saposs network connections
access-list sapvpn_outbound_nat0_acl remark saposs network connections
access-list sapvpn_outbound_nat0_acl remark saposs network connections
access-list sapvpn_outbound_nat0_acl remark saposs network connections
access-list sapvpn_outbound_nat0_acl permit ip host saprouter_oss x.x.106.128 255.255.255.252
access-list inside_outbound_nat0_acl permit ip host x.x.15.203 object-group Cust1_Hosts
access-list inside_outbound_nat0_acl permit ip x.x.0.0 255.255.0.0 Location1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip net_M 255.255.255.0 Location1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any host Cust1_Host2
access-list inside_outbound_nat0_acl permit ip any x.x.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any x.x.210.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip x.x.0.0 255.255.0.0 net_C 255.255.255.0
access-list inside_outbound_nat0_acl permit ip x.x.0.0 255.255.0.0 FHL 255.255.255.0
access-list inside_outbound_nat0_acl permit ip net_C 255.255.255.0 x.x.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip any MLN 255.255.255.0
access-list outside_cryptomap_20 remark SAP OSS VPN
access-list outside_cryptomap_20 remark SAP OSS VPN
access-list outside_cryptomap_20 remark SAP OSS VPN
access-list outside_cryptomap_20 remark SAP OSS VPN
access-list outside_cryptomap_20 permit ip host saprouter_oss host saposs_network
access-list anx_inside_nat0_outbound permit ip host x.x.15.203 host Cust1_Host2
access-list outside_cryptomap_40 remark MAS S - Tunnel 1
access-list outside_cryptomap_40 permit ip x.x.0.0 255.255.0.0 Location1 255.255.255.0
access-list outside_cryptomap_40 remark MAS S - Tunnel 2
access-list outside_cryptomap_40 permit ip net_M 255.255.255.0 Location1 255.255.255.0
access-list outside_cryptomap_40 remark MAS S - Tunnel 1
access-list outside_cryptomap_40 remark MAS S - Tunnel 2
access-list outside_cryptomap_40 remark MAS S - Tunnel 1
access-list outside_cryptomap_40 remark MAS S - Tunnel 2
access-list outside_cryptomap_40 remark MAS S - Tunnel 1
access-list outside_cryptomap_40 remark MAS S - Tunnel 2
access-list anx_cryptomap_20 remark Cust1 - Tunnel 1
access-list anx_cryptomap_20 permit ip host x.x.15.203 host Cust1_Host2
access-list anx_cryptomap_20 permit ip x.x.0.0 255.255.0.0 host Cust1_Host2
access-list anx_cryptomap_20 permit ip x.x.0.0 255.255.0.0 host Cust1_Host1
access-list anx_cryptomap_20 remark Cust1 - Tunnel 1
access-list anx_cryptomap_20 remark Cust1 - Tunnel 1
access-list anx_cryptomap_20 remark Cust1 - Tunnel 1
access-list outside_cryptomap_60 remark Cabot Tunnel
access-list outside_cryptomap_60 permit ip x.x.0.0 255.255.0.0 net_C 255.255.255.0
access-list outside_cryptomap_60 remark Cabot Tunnel
access-list outside_cryptomap_60 remark Cabot Tunnel
access-list outside_cryptomap_60 remark Cabot Tunnel
access-list outside_cryptomap_80 permit ip x.x.0.0 255.255.0.0 FHL 255.255.255.0
access-list outside_cryptomap_100 permit ip x.x.0.0 255.255.0.0 net_D 255.255.255.0
access-list outside_cryptomap_631 permit ip x.x.0.0 255.255.0.0 host MLN
access-list outside_cryptomap_dyn_20 remark VPN Remote Access (PPTP)
pager lines 24
logging on
logging trap notifications
logging queue 2048
logging host inside x.x.49.235
mtu outside 1500
mtu inside 1500
mtu anx 1500
mtu sapvpn 1500
mtu anx_inside 1500
mtu inft5 1500
ip address outside x.x.251.10 255.255.255.0
ip address inside x.x.49.1 255.255.0.0
ip address anx x.x.15.197 255.255.255.248
ip address sapvpn saprouter_oss 255.255.255.252
ip address anx_inside x.x.15.204 255.255.255.248
no ip address inft5
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool x.x.210.2-x.x.210.254 mask 255.255.255.0
ip local pool HLM_POOl x.x.130.10-x.x.130.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address anx
no failover ip address sapvpn
no failover ip address anx_inside
no failover ip address inft5
pdm location net_FrameAll 255.255.0.0 inside
pdm location net_M 255.255.255.0 inside
pdm location ext_webserver2 255.255.255.255 outside
pdm location int_webserver2 255.255.255.255 inside
pdm location int_ftpserver2 255.255.255.255 inside
pdm location ext_ftpserver2 255.255.255.255 outside
pdm location ext_proofpoint 255.255.255.255 outside
pdm location int_proofpoint 255.255.255.255 inside
pdm location ext_saprouter 255.255.255.255 outside
pdm location int_saprouter 255.255.255.255 inside
pdm location x.x.106.128 255.255.255.252 outside
pdm location x.x.99.0 255.255.255.0 inside
pdm location Cust1_IPSEC_GW 255.255.255.255 anx
pdm location Cust1_Host1 255.255.255.255 anx
pdm location Cust1_Host2 255.255.255.255 anx
pdm location Location1 255.255.255.0 outside
pdm location x.x.0.0 255.255.255.255 inside
pdm location x.x.15.203 255.255.255.255 anx_inside
pdm location x.x.15.203 255.255.255.255 inside
pdm location int_supportwebserver 255.255.255.255 inside
pdm location ext_supportwebserver 255.255.255.255 outside
pdm location x.x.176.65 255.255.255.255 inside
pdm location net_City1 255.255.255.0 inside
pdm location x.x.7.21 255.255.255.255 inside
pdm location x.x.7.22 255.255.255.255 inside
pdm location net_C 255.255.255.0 outside
pdm location net_MI 255.255.255.0 inside
pdm location net_C 255.255.255.0 inside
pdm location net_D 255.255.255.0 inside
pdm location FHL 255.255.255.0 outside
pdm location int_owa_webserver 255.255.255.255 inside
pdm location net_D 255.255.255.0 outside
pdm location x.x.49.251 255.255.255.255 inside
pdm location x.x.150.123 255.255.255.255 inside
pdm location x.x.49.25 255.255.255.255 inside
pdm location x.x.49.252 255.255.255.255 inside
pdm location x.x.176.45 255.255.255.255 inside
pdm location x.x.16.136 255.255.255.255 outside
pdm location x.x.49.51 255.255.255.255 inside
pdm location x.x.49.69 255.255.255.255 inside
pdm location ext_webftpmailserver 255.255.255.255 outside
pdm location x.x.49.235 255.255.255.255 inside
pdm location Cust1_Host2 255.255.255.255 outside
pdm location MLN 255.255.255.0 outside
pdm location MLN 255.255.255.255 outside
pdm location x.x.49.87 255.255.255.255 inside
pdm location saprouter_oss 255.255.255.255 sapvpn
pdm location saposs_network 255.255.255.255 outside
pdm location int_webftpmailserver 255.255.255.255 inside
pdm group Cust1_Hosts anx
pdm logging warnings 500
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (sapvpn) 0 access-list sapvpn_outbound_nat0_acl
nat (anx_inside) 0 access-list anx_inside_nat0_outbound
static (inside,outside) ext_ftpserver2 int_ftpserver2 netmask 255.255.255.255 0 0
static (inside,outside) ext_supportwebserver int_supportwebserver netmask 255.255.255.255 0 0
static (inside,outside) x.x.19.29 x.x.49.235 netmask 255.255.255.255 0 0
static (inside,outside) ext_webftpmailserver int_webftpmailserver netmask 255.255.255.255 0 0
static (inside,outside) x.x.251.107 x.x.150.123 netmask 255.255.255.255 0 0
static (inside,outside) x.x.251.108 x.x.49.251 netmask 255.255.255.255 0 0
static (inside,outside) x.x.251.109 x.x.176.45 netmask 255.255.255.255 0 0
static (inside,outside) x.x.251.21 x.x.49.25 netmask 255.255.255.255 0 0
static (inside,outside) ext_saprouter int_saprouter netmask 255.255.255.255 0 0
static (inside,outside) ext_webserver2 int_webserver2 netmask 255.255.255.255 0 0
static (inside,outside) ext_proofpoint int_proofpoint netmask 255.255.255.255 0 0
static (inside,outside) ext_owa_webserver int_owa_webserver netmask 255.255.255.255 0 0
static (inside,outside) x.x.251.110 x.x.49.69 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.251.1 1
route inside net_C 255.255.255.0 x.x.1.1 1
route inside net_City1 255.255.255.0 x.x.1.1 1
route inside net_MI 255.255.255.0 x.x.1.1 1
route inside x.x.99.0 255.255.255.0 x.x.49.51 1
route anx Cust1_IPSEC_GW 255.255.255.255 x.x.15.193 1
route anx Cust1_Host1 255.255.255.255 x.x.15.193 1
route anx Cust1_Host2 255.255.255.255 x.x.15.193 1
route inside net_M 255.255.255.0 x.x.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host x.x.49.87 ciscosecret timeout 30
aaa-server LOCAL protocol local
http server enable
http x.x.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.39.131.166
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 7200 kilobytes 4608000
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.120.92
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer x.x.88.250
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 ipsec-isakmp
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set pfs group2
crypto map outside_map 80 set peer x.x.116.130
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 80 set security-association lifetime seconds 28800 kilobytes 18000
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer x.x.172.243
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 631 ipsec-isakmp
crypto map outside_map 631 match address outside_cryptomap_631
crypto map outside_map 631 set pfs group2
crypto map outside_map 631 set peer x.x.19.29
crypto map outside_map 631 set transform-set ESP-3DES-SHA
crypto map outside_map 631 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp enable anx
isakmp key ******** address x.x.120.92 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.48.106 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.116.130 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.88.250 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.172.243 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Cust1_IPSEC_GW netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.247.193 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.19.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.131.166 netmask 255.255.255.255 no-xauth no-config-mode
isakmp log 10000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 1
isakmp policy 60 lifetime 86400
isakmp policy 631 authentication pre-share
isakmp policy 631 encryption 3des
isakmp policy 631 hash sha
isakmp policy 631 group 2
isakmp policy 631 lifetime 3600
vpngroup HLM address-pool HLM_POOl
vpngroup HLM dns-server x.x.49.51 x.x.49.87
vpngroup HLM default-domain HLM_PDC.com
vpngroup HLM idle-time 1800
vpngroup HLM password ********
ca identity domain x.x.49.235:/certsrv x.x.49.235
ca configure domain ca 1 0
telnet x.x.0.0 255.255.0.0 inside
telnet timeout 30
ssh x.x.16.136 255.255.255.255 outside
ssh timeout 5
management-access inside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPN_Pool
vpdn group PPTP-VPDN-GROUP client configuration dns x.x.49.51 x.x.49.87
vpdn group PPTP-VPDN-GROUP client configuration wins x.x.49.51 int_owa_webserver
vpdn group PPTP-VPDN-GROUP client authentication aaa RADIUS
vpdn group PPTP-VPDN-GROUP client accounting RADIUS
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn enable outside
vpdn enable inside
terminal width 80
Cryptochecksum:34f7ba96e89d8274b6573c9fa7b61512
: end
pix#  exit
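As an added example (not part of the question or the accepted answer), the following Python walks the publishing path that has to be complete on a PIX 6.3 before an outside client can reach the OWA server: the name alias, the static (inside,outside) translation, the permit entry in the outside ACL, and the access-group binding of that ACL to the outside interface; it also flags the hygiene points visible in the posted config (permit ip any any on the inside interface, RDP/Citrix ports open to any source, SNMP community public). The configuration it parses is a constructed excerpt modelled on the posted one, with documentation-range placeholder addresses, and ACL first-match ordering is not modelled: it only checks that the required permit entry exists.

```python
import re

# Constructed excerpt modelled on the posted PIX 6.3 config; documentation-range
# addresses stand in for the asker's masked x.x ones.
SAMPLE_CONFIG = """
name 203.0.113.106 ext_owa_webserver
name 10.0.49.215 int_owa_webserver
access-list inside_access_in permit ip any any
access-list outside_access_in permit tcp any host ext_owa_webserver eq https
access-list outside_access_in permit tcp any host ext_owa_webserver eq 3389
snmp-server community public
static (inside,outside) ext_owa_webserver int_owa_webserver netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

def parse_pix(config):
    """Collect name aliases, statics, ACL entries, ACL bindings and the SNMP community."""
    names, statics, acls, groups, snmp_public = {}, {}, {}, {}, False
    for raw in config.splitlines():
        line = " ".join(raw.split())  # undo the line wrapping seen in pasted configs
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)                    # alias -> address
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line):
            statics[m.group(3)] = (m.group(1), m.group(2), m.group(4))  # global -> (in, out, local)
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))  # keeps order
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            groups[m.group(2)] = m.group(1)                   # interface -> ACL name
        elif line == "snmp-server community public":
            snmp_public = True
    return names, statics, acls, groups, snmp_public

def check_publishing(config, ext_name, port):
    """Return what would block outside clients from ext_name:port; [] means the path is complete."""
    names, statics, acls, groups, _ = parse_pix(config)
    findings = []
    if ext_name not in names:
        findings.append(f"no 'name' entry for {ext_name}")
    st = statics.get(ext_name)
    if st is None or st[:2] != ("inside", "outside"):
        findings.append(f"no static (inside,outside) for {ext_name}")
    elif st[2] not in names and not re.fullmatch(r"[\d.]+", st[2]):  # literal IPs need no alias
        findings.append(f"static maps {ext_name} to undefined inside name {st[2]}")
    acl = groups.get("outside")
    if acl is None:
        findings.append("no access-group bound to the outside interface")
    elif ("permit", f"tcp any host {ext_name} eq {port}") not in acls.get(acl, []):
        findings.append(f"{acl} has no 'permit tcp any host {ext_name} eq {port}'")
    return findings

def exposure_review(config):
    """Hygiene findings a defender would raise on the same config."""
    _, _, acls, groups, snmp_public = parse_pix(config)
    flags = []
    if ("permit", "ip any any") in acls.get(groups.get("inside"), []):
        flags.append(f"{groups['inside']} permits ip any any: no egress filtering")
    for verdict, rule in acls.get(groups.get("outside"), []):
        if verdict == "permit" and rule.startswith("tcp any ") and re.search(r"eq (3389|ica-citrix)$", rule):
            flags.append(f"management port open to any source: {rule}")
    if snmp_public:
        flags.append("snmp-server community is the default 'public'")
    return flags
```

Run `check_publishing(SAMPLE_CONFIG, "ext_owa_webserver", "https")` to see the complete path return no findings, and `exposure_review(SAMPLE_CONFIG)` for the three hygiene flags.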
quinster56

ASKER

:)
ASKER CERTIFIED SOLUTION
LeeDerbyshire