• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 593
  • Last Modified:

Allow users to access OWA from LAN using same URL outside of WAN

I have a newly setup OWA server.  It is encrypted using SSL 128-bit.  I would like my users to be able to connect to the OWA server using the same url from the intranet as they would using the internet.  For example they connect to:  https://mail.example.com/exchange from the internet;  however from our intranet they have to use the server's actuall name https://exampleserver/exchange.  This obviously generates a security warning that the certificiate doesn't match the website.  

Is this a DNS server configuration or do I need to allow some sort of intratraffic command to my CISCO ASA?
  • 2
1 Solution
Pete LongTechnical ConsultantCommented:
You can do it in one of two ways - the simplest is to create a DNS forward lookup zone on your internal DNS server
called example.com then create a host (a) record inside it called mail that points to your INTERNAL IP address - so mail.example.com resolved to the internal address without going through the firewall :)

to get your firewall to do it

With Newer Firewalls (PIX v7 upwards and Cisco ASA) your choice depends on....


*****Option 1 (The DNS server that the client are using is outside (in the internet cloud) DNS Doctoring*****

Note: NOT Available for v6 or earlier firewalls

In this scenario you can use DNS Doctoring (Or rewriting) this is where the firewall monitors incoming DNS replied form a public DNS server, and if it sees your public IP address it changes it "In flight" to your private IP address.

For anyone familiar with the Static command you need a to write a Static the WRONG way round and put the word "dns"  on the end of the command.


static (inside,outside) {Inside IP} {Outside IP} netmask dns
Static (inside,outside) netmask dns

*****Option 2 (The DNS server is internal or external) - Hair pinning*****

Note: NOT Available for v6 or earlier firewalls

Assuming you dont want to create in internal DNS zone (that would remove the processing overhead form the firewall and place it on a server) Then you can use Hair pinning. Essentially the firewall will "re-route" traffic destined to the public IP address back to its private address. Like DNS doctoring it uses a static command but without the DNS keyword. It also needs s a second command to enable "hair pinning"

static (inside,inside) {Outside IP} {Inside IP} netmask
same-security-traffic permit intra-interface
static (inside,inside) netmask
same-security-traffic permit intra-interface
ZorniacAuthor Commented:
PeteLong- SWEET Answer man!!  Very quick response. Very detailed!  I tried the intra-interface approach but it didn't work for me.  Propably something on me... but hey the first and "simplest" answer you gave worked!!  Thanks dude you rock!  
Pete LongTechnical ConsultantCommented:
Cheers M8 - my pleasure - have a good one
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now