Solved

open port 443 for owa w/ asa5505

Posted on 2008-10-07
Medium Priority
1,062 Views
Last Modified: 2010-04-21
Trying to access OWA. I thought I opened HTTPS to the proper address, but it's not working; any help is appreciated.


: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password I4c0AVstdlzGCow/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.1.1.5 SRVI-FTP description ftp server
name 10.1.1.6 SRVISRV2 description mail server
name 215.11.1.0 Securence_1 description spam service
name 210.11.209.64 Securence_2 description spam service
name 146.1.1.210 Bad_Toolbar_Guy
name 216.107.222.56 Harrison_SQL
name 10.1.1.0 Internal_All
name 209.1.1.100 SRVSRV2_OUT
name 209.1.1.105 SRVI-FTP_OUT
name 10.1.1.5 SRVISRV1
name 209.1.1.101 SRVISRV1_OUT
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.250 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.1.1.98 255.255.255.224
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.1.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server SRVISRV1
 name-server 10.1.1.8
 name-server 207.1.1.1
 name-server 207.1.1.129
 domain-name default.domain.invalid
object-group network Securance
 description Spam Filter addresses from Securance
 network-object Securence_2 255.255.255.192
 network-object Securence_1 255.255.255.0
object-group service SMTPAUTH tcp
 description Allow SMTP Authorization to Exchange (SRVSRV2)
 port-object eq 587
object-group service BAD_PORTS tcp
 description Block online file sharing and streaming
 port-object eq 1025
 port-object eq 1027
 port-object eq 1034
 port-object eq 1334
 port-object range 1433 1434
 port-object eq 2234
 port-object range 2336 2337
 port-object eq 2350
 port-object eq 2745
 port-object eq 3043
 port-object range 3127 3128
 port-object eq 31337
 port-object eq 3140
 port-object eq 3306
 port-object range 4000 4010
 port-object eq 41436
 port-object eq 4500
 port-object eq 5554
 port-object eq 6129
 port-object range 6346 6350
 port-object eq 6699
 port-object eq 6777
 port-object eq 8866
 port-object eq 8967
 port-object eq 9996
 port-object eq ident
object-group service BAD_PORTS_UDP udp
 description Block file sharing and streaming
 port-object range 1433 1434
 port-object eq 2234
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list DMZ_access_in extended permit tcp any host SRVI-FTP_OUT object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp Securence_1 255.255.255.0 host SRVISRV2 eq smtp inactive
access-list outside_access_in remark Block internet file sharing and streaming
access-list outside_access_in extended deny tcp any any object-group BAD_PORTS
access-list outside_access_in remark Block internet file sharing and streaming
access-list outside_access_in extended deny udp any any object-group BAD_PORTS_UDP
access-list outside_access_in remark Allow Securance Spam filter mail traffic to Exchange server (SRVISRV2)
access-list outside_access_in extended permit tcp object-group Securance host SRVSRV2_OUT eq smtp
access-list outside_access_in remark Allow SMTP authorization
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq 587
access-list outside_access_in remark Secure Web interface for OWA (Exchange)
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq https
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq imap4
access-list outside_access_in extended permit tcp any host SRVI-FTP_OUT object-group DM_INLINE_TCP_1
access-list inside_access_in remark Harrison Price updates
access-list inside_access_in extended permit ip any host Harrison_SQL inactive
access-list inside_access_in remark Block internet file sharing and streaming
access-list inside_access_in extended deny tcp any any object-group BAD_PORTS inactive
access-list inside_access_in remark Block internet file sharing and streaming
access-list inside_access_in extended deny udp any any object-group BAD_PORTS_UDP inactive
access-list inside_access_in extended deny ip any host Bad_Toolbar_Guy
access-list inside_access_in extended permit ip host SRVISRV2 any
access-list inside_access_in extended permit ip Internal_All 255.255.255.0 any
access-list SRVIvpn_splitTunnelAcl standard permit Internal_All 255.255.255.0
access-list inside_nat0_outbound extended permit ip Internal_All 255.255.255.0 10.1.1.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPNpool 10.1.1.185-10.1.1.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 209.1.1.120-209.1.1.126 netmask 255.255.255.224
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) SRVI-FTP_OUT SRVI-FTP netmask 255.255.255.255
static (inside,outside) SRVSRV2_OUT SRVISRV2 netmask 255.255.255.255
static (inside,outside) SRVISRV1_OUT SRVISRV1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.1.1.97 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http Internal_All 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 64.103.36.133 255.255.255.255 outside
ssh timeout 5
console timeout 0

group-policy SRVIvpn internal
group-policy SRVIvpn attributes
 wins-server value 10.1.1.5 10.1.1.8
 dns-server value 10.1.1.5 10.1.1.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SRVIvpn_splitTunnelAcl
 default-domain value SRVINET.COM
username x password V6TEyok1IWRLNv.2 encrypted privilege 15
username x password dw0qiTJW/eKeyF6Z encrypted privilege 0
username x attributes
 vpn-group-policy SRVIvpn
tunnel-group SRVIvpn type ipsec-ra
tunnel-group SRVIvpn general-attributes
 address-pool VPNpool
 default-group-policy SRVIvpn
tunnel-group SRVIvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:759b12e58639f452c3d58386f12ae69c
: end
asdm image disk0:/asdm-524.bin
asdm location SRVISRV2 255.255.255.255 inside
asdm location SRVI-FTP 255.255.255.255 inside
asdm location Securence_2 255.255.255.192 inside
asdm location Securence_1 255.255.255.0 inside
asdm location Internal_All 255.255.255.0 inside
asdm location Bad_Toolbar_Guy 255.255.255.255 inside
asdm location Harrison_SQL 255.255.255.255 inside
asdm location SRVISRV1 255.255.255.255 inside
asdm location SRVISRV1_OUT 255.255.255.255 inside
no asdm history enable


Question by:jrri
11 Comments
 
LVL 4

Expert Comment

by:Chris James
ID: 22660309
Is it enabled in the exchange management console?
0
 
LVL 4

Expert Comment

by:Chris James
ID: 22660317
When you type in the URL with just http does it say it requires a secure https connection to view OWA?
0
 
LVL 1

Author Comment

by:jrri
ID: 22660349
It was already functioning, but I recently replaced the old firewall.

No, just nothing.
0
 
LVL 4

Expert Comment

by:Chris James
ID: 22660503
Confirm it is running in the exchange management console if you can.
0
 
LVL 1

Author Comment

by:jrri
ID: 22660700
IIS manager says web site is running, any other way to tell?
0
 
LVL 4

Accepted Solution

by:
Chris James earned 536 total points
ID: 22660858
Yes, the IIS is running but you have to go through the Exchange Management Console application (actually run EMC)

http://technet.microsoft.com/en-us/library/bb124124(EXCHG.80).aspx
0
 
LVL 1

Author Comment

by:jrri
ID: 22661117
Great, not only am I a firewall moron but now an Exchange one. I can't find the management console. The link you gave was for Exchange 2007. I have Exchange System Manager, is that it?
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 532 total points
ID: 22661297
You can find it by going to Administrative Tools >> Exchange Management Console.
Cheers!
BTW your config for the ASA looks good!
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 532 total points
ID: 22661748
Agreed - can't see anything wrong with the firewall config.

is it working internally?

https://{internal IP}/exchange

0
 
LVL 1

Author Closing Comment

by:jrri
ID: 31503881
Now I'm only half a moron. I went home for lunch and it worked fine. We had an HTTP site on one server that forwarded stuff to the HTTPS on another server for OWA. When I installed the new firewall I didn't include the 1st site, which was HTTP, because it seemed redundant. A user in the office mentioned they couldn't get to it, but that's because the HTTP was not allowed. I was trying the HTTPS from inside the office, which wasn't allowed, so now I'm only the moron for the OWA thing. The points were split: dj_ludachris was first and persistent, and Pugglewuggle and Pete were correct.

Thanks for the help
0
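The thread turns on two separate questions: whether the ASA config in the question actually publishes OWA (outside ACL permitting TCP/443 to SRVSRV2_OUT plus the static translation to SRVISRV2), and, per the closing comment, why testing the public address from an office PC on the inside failed even though the config was right. The script below is an added example, not code from the thread or from Cisco: it parses only the name, nameif/ip address, extended access-list, access-group, static and default-route lines of an ASA 7.x running-config and traces a client's connection to the published address through first-match ACL evaluation and the static's interface pair. SAMPLE_CONFIG is a constructed excerpt of the poster's configuration, the client addresses 203.0.113.10 (Internet) and 10.1.1.50 (office PC) are constructed, and network and service object-groups are not expanded, so an ACE that uses one never matches here.

```python
"""Trace a published service (here OWA on TCP/443) through an ASA 7.2 config.
Added example, not code from the thread or from Cisco. Object-groups are NOT
expanded, so an ACE using one never matches (a deny hidden there is missed)."""
import ipaddress
import re

# Constructed excerpt of the poster's configuration (only the lines that matter).
SAMPLE_CONFIG = """\
name 10.1.1.6 SRVISRV2 description mail server
name 209.1.1.100 SRVSRV2_OUT
interface Vlan1
 nameif inside
 ip address 10.1.1.250 255.255.255.0
interface Vlan2
 nameif outside
 ip address 209.1.1.98 255.255.255.224
interface Vlan3
 nameif DMZ
 ip address 172.1.1.1 255.255.255.0
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq https
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq imap4
static (inside,outside) SRVSRV2_OUT SRVISRV2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.1.1.97 10
"""
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "imap4": 143}
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.*)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask")

def _net(tokens, names):
    """Consume one ACL address spec: any | host X | X MASK | object-group G (-> None)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "object-group":          # network groups are not expanded
        tokens.pop(0)
        return None
    if t == "host":
        h = tokens.pop(0)
        return ipaddress.ip_network(names.get(h, h) + "/32")
    return ipaddress.ip_network(f"{names.get(t, t)}/{tokens.pop(0)}", strict=False)

def parse(text):
    """Return the parts of the config the trace needs, with names resolved to IPs."""
    cfg = {"names": {}, "ifaces": {}, "acls": {}, "bound": {}, "statics": [], "default": None}
    cur = None
    for line in text.splitlines():
        if m := re.match(r"name (\S+) (\S+)", line):
            cfg["names"][m[2]] = m[1]
        elif m := re.match(r" nameif (\S+)", line):
            cur = m[1]
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            cfg["ifaces"][cur] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := ACE_RE.match(line):
            toks = m[4].split()
            if "inactive" in toks:                       # disabled ACE, never evaluated
                continue
            src, dst = _net(toks, cfg["names"]), _net(toks, cfg["names"])
            port = None                                   # None = any port
            if toks and toks[0] == "eq":
                port = int(toks[1]) if toks[1].isdigit() else PORT_NAMES.get(toks[1], toks[1])
            elif toks and toks[0] == "object-group":
                port = "group:" + toks[1]                 # service group, not expanded
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], src, dst, port))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["bound"][m[2]] = m[1]
        elif m := STATIC_RE.match(line):                  # (real_if, mapped_if, mapped, real)
            n = cfg["names"]
            cfg["statics"].append((m[1], m[2], n.get(m[3], m[3]), n.get(m[4], m[4])))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0", line):
            cfg["default"] = m[1]
    return cfg

def iface_for(cfg, ip):
    """Interface that owns ip (longest prefix match), else the default-route interface."""
    ip = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, name) for name, n in cfg["ifaces"].items() if ip in n]
    return max(hits)[1] if hits else cfg["default"]

def acl_verdict(cfg, iface, proto, src, dst, port):
    """First-match evaluation of the ACL bound inbound on iface; implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, pt in cfg["acls"].get(cfg["bound"].get(iface), []):
        if (p in (proto, "ip") and snet is not None and s in snet
                and dnet is not None and d in dnet and pt in (None, port)):
            return action
    return "deny"

def trace(cfg, client_ip, mapped_ip, proto="tcp", port=443):
    """Explain what the ASA does with client_ip -> mapped_ip:port."""
    src_if = iface_for(cfg, client_ip)
    for real_if, mapped_if, m_ip, r_ip in cfg["statics"]:
        if m_ip == mapped_ip:
            break
    else:
        return {"verdict": "no-static", "detail": f"{mapped_ip} has no static translation"}
    if src_if != mapped_if:   # e.g. an office PC on 'inside' testing the public address
        return {"verdict": "wrong-side", "detail": (
            f"client is on '{src_if}', but the static only untranslates traffic entering "
            f"'{mapped_if}'; from '{src_if}' test the real address {r_ip} instead")}
    action = acl_verdict(cfg, mapped_if, proto, client_ip, mapped_ip, port)
    return {"verdict": "permitted" if action == "permit" else "denied",
            "detail": f"{mapped_if} ACL: {action} {proto}/{port} to {mapped_ip} -> {r_ip} ({real_if})"}
```

Calling `trace(parse(SAMPLE_CONFIG), "203.0.113.10", "209.1.1.100")` returns `permitted`, which is the "config looks good" verdict the experts gave; the same call with `"10.1.1.50"` as the client returns `wrong-side`, which is the closing comment's finding in config terms: the static (inside,outside) only rewrites the destination of traffic arriving on the outside interface, so an inside test has to use the server's real address, exactly the https://{internal IP}/exchange check suggested above. Running it against a full running-config is safe in the sense that unsupported lines are simply ignored, but because object-groups are not expanded, a `deny ... object-group BAD_PORTS` line contributes nothing to the verdict.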
 
LVL 57

Expert Comment

by:Pete Long
ID: 22662639
Glad to help  - ThanQ
0
