Solved

open port 443 for owa w/ asa5505

Posted on 2008-10-07
11
998 Views
Last Modified: 2010-04-21
Trying to access OWA.  I thought i opened https to the proper address but it's not working, any help is apprecitated.


: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password I4c0AVstdlzGCow/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.1.1.5 SRVI-FTP description ftp server
name 10.1.1.6 SRVISRV2 description mail server
name 215.11.1.0 Securence_1 description spam service
name 210.11.209.64 Securence_2 description spam service
name 146.1.1.210 Bad_Toolbar_Guy
name 216.107.222.56 Harrison_SQL
name 10.1.1.0 Internal_All
name 209.1.1.100 SRVSRV2_OUT
name 209.1.1.105 SRVI-FTP_OUT
name 10.1.1.5 SRVISRV1
name 209.1.1.101 SRVISRV1_OUT
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.250 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.1.1.98 255.255.255.224
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.1.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server SRVISRV1
 name-server 10.1.1.8
 name-server 207.1.1.1
 name-server 207.1.1.129
 domain-name default.domain.invalid
object-group network Securance
 description Spam Filter addresses from Securance
 network-object Securence_2 255.255.255.192
 network-object Securence_1 255.255.255.0
object-group service SMTPAUTH tcp
 description Allow SMTP Authorization to Exchange (SRVSRV2)
 port-object eq 587
object-group service BAD_PORTS tcp
 description Block online file sharing and streaming
 port-object eq 1025
 port-object eq 1027
 port-object eq 1034
 port-object eq 1334
 port-object range 1433 1434
 port-object eq 2234
 port-object range 2336 2337
 port-object eq 2350
 port-object eq 2745
 port-object eq 3043
 port-object range 3127 3128
 port-object eq 31337
 port-object eq 3140
 port-object eq 3306
 port-object range 4000 4010
 port-object eq 41436
 port-object eq 4500
 port-object eq 5554
 port-object eq 6129
 port-object range 6346 6350
 port-object eq 6699
 port-object eq 6777
 port-object eq 8866
 port-object eq 8967
 port-object eq 9996
 port-object eq ident
object-group service BAD_PORTS_UDP udp
 description Block file sharing and streaming
 port-object range 1433 1434
 port-object eq 2234
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list DMZ_access_in extended permit tcp any host SRVI-FTP_OUT object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp Securence_1 255.255.255.0 host SRVISRV2 eq smtp inactive
access-list outside_access_in remark Block internet file sharing and streaming
access-list outside_access_in extended deny tcp any any object-group BAD_PORTS
access-list outside_access_in remark Block internet file sharing and streaming
access-list outside_access_in extended deny udp any any object-group BAD_PORTS_UDP
access-list outside_access_in remark Allow Securance Spam filter mail traffic to Exchange server (SRVISRV2)
access-list outside_access_in extended permit tcp object-group Securance host SRVSRV2_OUT eq smtp
access-list outside_access_in remark Allow SMTP authorization
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq 587
access-list outside_access_in remark Secure Web interface for OWA (Exchange)
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq https
access-list outside_access_in extended permit tcp any host SRVSRV2_OUT eq imap4
access-list outside_access_in extended permit tcp any host SRVI-FTP_OUT object-group DM_INLINE_TCP_1
access-list inside_access_in remark Harrison Price updates
access-list inside_access_in extended permit ip any host Harrison_SQL inactive
access-list inside_access_in remark Block internet file sharing and streaming
access-list inside_access_in extended deny tcp any any object-group BAD_PORTS inactive
access-list inside_access_in remark Block internet file sharing and streaming
access-list inside_access_in extended deny udp any any object-group BAD_PORTS_UDP inactive
access-list inside_access_in extended deny ip any host Bad_Toolbar_Guy
access-list inside_access_in extended permit ip host SRVISRV2 any
access-list inside_access_in extended permit ip Internal_All 255.255.255.0 any
access-list SRVIvpn_splitTunnelAcl standard permit Internal_All 255.255.255.0
access-list inside_nat0_outbound extended permit ip Internal_All 255.255.255.0 10.1.1.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPNpool 10.1.1.185-10.1.1.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 209.1.1.120-209.1.1.126 netmask 255.255.255.224
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) SRVI-FTP_OUT SRVI-FTP netmask 255.255.255.255
static (inside,outside) SRVSRV2_OUT SRVISRV2 netmask 255.255.255.255
static (inside,outside) SRVISRV1_OUT SRVISRV1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.1.1.97 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http Internal_All 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 64.103.36.133 255.255.255.255 outside
ssh timeout 5
console timeout 0

group-policy SRVIvpn internal
group-policy SRVIvpn attributes
 wins-server value 10.1.1.5 10.1.1.8
 dns-server value 10.1.1.5 10.1.1.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SRVIvpn_splitTunnelAcl
 default-domain value SRVINET.COM
username x password V6TEyok1IWRLNv.2 encrypted privilege 15
username x password dw0qiTJW/eKeyF6Z encrypted privilege 0
username x attributes
 vpn-group-policy SRVIvpn
tunnel-group SRVIvpn type ipsec-ra
tunnel-group SRVIvpn general-attributes
 address-pool VPNpool
 default-group-policy SRVIvpn
tunnel-group SRVIvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:759b12e58639f452c3d58386f12ae69c
: end
asdm image disk0:/asdm-524.bin
asdm location SRVISRV2 255.255.255.255 inside
asdm location SRVI-FTP 255.255.255.255 inside
asdm location Securence_2 255.255.255.192 inside
asdm location Securence_1 255.255.255.0 inside
asdm location Internal_All 255.255.255.0 inside
asdm location Bad_Toolbar_Guy 255.255.255.255 inside
asdm location Harrison_SQL 255.255.255.255 inside
asdm location SRVISRV1 255.255.255.255 inside
asdm location SRVISRV1_OUT 255.255.255.255 inside
no asdm history enable


0
Comment
Question by:jrri
  • 4
  • 4
  • 2
  • +1
11 Comments
 
LVL 4

Expert Comment

by:Chris James
Comment Utility
Is it enabled in the exchange management console?
0
 
LVL 4

Expert Comment

by:Chris James
Comment Utility
When you type in the URL with just http does it say it requires a secure https connection to view OWA?
0
 
LVL 1

Author Comment

by:jrri
Comment Utility
it was already functioning but I recently replaced the old firewall

no, just nothing
0
 
LVL 4

Expert Comment

by:Chris James
Comment Utility
Confirm it is running in the exchange management console if you can.
0
 
LVL 1

Author Comment

by:jrri
Comment Utility
IIS manager says web site is running, any other way to tell?
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 4

Accepted Solution

by:
Chris James earned 134 total points
Comment Utility
Yes, the IIS is running but you have to go through the Exchange Management Console application (actually run EMC)

http://technet.microsoft.com/en-us/library/bb124124(EXCHG.80).aspx
0
 
LVL 1

Author Comment

by:jrri
Comment Utility
great, not only am i a firewall moron but now an exchange one.  I can't find the management console.  the link you gave was for exchange 2007.  i have exchange system manager, is that it?
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 133 total points
Comment Utility
You can find it by going to Administrative Tools >> Exchange Management Console.
Cheers!
BTW your config for the ASA looks good!
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 133 total points
Comment Utility
Agreed - cant see anything wrong with the firewall config

is it working internally?

https://{internal IP}/exchange

0
 
LVL 1

Author Closing Comment

by:jrri
Comment Utility
Now I'm only half a moron.  I went home for lunch and it worked fine.  We had an HTTP site on one server that forwarded stuff to the HTTPS to another server for OWA.  When I installed the new firewall I didn't include the 1st site which was http because it seemed redundant.   A user in the office mentioned they couldn't get to it but that's because it the http was not allowed.  i was trying the https from inside the office  which wasn't allowed so now i'm only the moron for the OWA thing.  the points were split, dj_ludachris: was first and persistent and Pugglewuggle and Pete were correct.  

Thanks for the help
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Glad to help  - ThanQ
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now