Solved

Can't seem to get OWA through the firewall

Posted on 2008-10-22
6
927 Views
Last Modified: 2013-11-16
We have an ASA and I am trying to open up communication from our Exchange server OWA to the outside. Here is the way our setup looks. Our Exchange server sits in the local LAN, but we have a PGP and a Symantec Mail Security Gateway server in the DMZ that our mail passes through.
Mail server internal LAN address is 192.168.1.239
When going to the internet and finding the WAN IP from the mail server, it comes back as 12.111.128.186
I try to set a static to it of 12.111.128.184 --> 192.168.1.239, but when I do that the internet dies.
Here is our config below. If someone could help me figure out what I need to do to get OWA to show up on the outside I would be gracious!! I already have a certificate and OWA set up on the inside of the LAN working perfectly.
ASA Version 7.0(6)
!
hostname fhkfw
domain-name XXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX encrypted
no names
name 192.168.3.235 fw2
name 192.168.4.102 relay
name 192.168.4.100 keys-untrusted
name 192.168.4.101 keys-trusted
name 192.168.4.253 vpn
name 192.168.3.234 isa
dns-guard
!
interface GigabitEthernet0/0
 description External Interface
 nameif Outside
 security-level 0
 ip address 12.111.128.186 255.255.255.248
!
interface GigabitEthernet0/1
 description Entry to Internal network
 nameif Inside
 security-level 100
 ip address 192.168.1.235 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ  entry to web-servers
 nameif DMZ
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/3
 description ACS P2P to FHKC
 nameif ACS
 security-level 25
 ip address 192.168.90.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome to $(domain).
banner exec UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.
banner login Welcome to $(domain)
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns retries 5
dns domain-lookup Outside
access-list Outside_access_in extended permit tcp any host 12.111.128.187 eq smtp
access-list Outside_access_in extended permit ip any host 12.111.128.189
access-list Outside_access_in extended permit tcp any host 12.111.128.187 eq pptp  
access-list Outside_access_in extended permit tcp any host 12.111.128.184 eq https
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outdmz extended permit tcp any host 12.111.128.187 eq smtp
access-list dmzin extended permit tcp host 192.168.4.102 any eq smtp
access-list split extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 192.168.4.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 10.10.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ALLOW_ALL extended permit ip any any
access-list ACSP2P_access_in extended permit tcp any host 192.168.1.245 eq ftp
access-list ACSP2P_access_in extended permit tcp any host 192.168.1.245 eq ftp-data
access-list http-list extended permit ip any any
!
tcp-map tmap
  exceed-mss allow
!
pager lines 24
logging enable
logging timestamp
logging list Log_Everything level warnings
logging list VPN-Traffic level informational class vpn
logging asdm-buffer-size 200
logging monitor notifications
logging asdm debugging
logging from-address webvpn@healthykids.org
logging recipient-address techsupport@healthykids.org level debugging
logging host Inside 192.168.1.253 format emblem
logging debug-trace
logging permit-hostdown
logging class vpn buffered informational trap informational
logging class vpnc trap informational
logging class vpnfo trap informational
logging class vpnlb trap informational
logging class webvpn trap informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ACS 1500
mtu management 1500
ip local pool VpnPool 192.168.12.1-192.168.12.50 mask 255.255.255.0
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface ACS
ip audit attack action alarm drop
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface DMZ
monitor-interface ACS
monitor-interface management
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
global (Outside) 200 interface
global (Outside) 100 12.111.128.187 netmask 255.255.255.255
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 200 0.0.0.0 0.0.0.0
nat (DMZ) 200 0.0.0.0 0.0.0.0
static (DMZ,Outside) 12.111.128.189 192.168.4.253 netmask 255.255.255.255
static (Inside,ACS) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,Outside) 12.111.128.188 192.168.4.100 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.187 192.168.4.201 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255 ***** This is the line I try for the static that kills the internet *****
access-group Outside_access_in in interface Outside
access-group ALLOW_ALL in interface DMZ
access-group ACSP2P_access_in in interface ACS
route Outside 0.0.0.0 0.0.0.0 12.111.128.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list ApplicationServer "FHKC USERS (Z:)" cifs://192.168.1.240/users
url-list ApplicationServer "FHKC (M:) Drive" cifs://192.168.1.240/FHKC
url-list ApplicationServer "FHKC USERS ( Z: )" cifs://192.168.1.238/users
url-list ApplicationServer "FHKC Intranet" http://192.168.1.233
url-list ApplicationServer "FHKC ( M: ) Drive" cifs://192.168.1.238/FHKC
url-list ApplicationServer "Outlook Web Access" https://192.168.1.239/exchange
aaa-server healthykids.org protocol nt
 reactivation-mode timed
 max-failed-attempts 5
aaa-server healthykids.org host 192.168.1.230
 nt-auth-domain-controller 192.168.1.230
aaa-server fhkc_author_grp protocol ldap
aaa-server fhkc_authent_grp protocol kerberos
aaa-server fhkc_authent_grp host 192.168.1.230
 kerberos-realm HEALTHYKIDS.ORG
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry file-access file-entry file-browsing
  url-list value ApplicationServer
  port-forward-name value Application Access
group-policy FHKCvpn internal
group-policy FHKCvpn attributes
 banner value XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 banner value +--------------------------------------------------------------------------------------
 banner value This system is for authorized users only. Unauthorized access is prohibited,
 banner value and violators will be  prosecuted. System activity is monitored and keystroke
 banner value entries may be monitored. Anyone using the system expressly consents to such monitoring.
 banner value -------------------------------------------------------------------------------------------------------------+
 wins-server value 192.168.1.230
 dns-server value 192.168.1.230 199.44.22.132
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value healthykids.org
 webvpn
  functions url-entry file-access file-entry file-browsing mapi
  url-list value ApplicationServer
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 management
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
auth-prompt accept Access Granted
auth-prompt reject Access Rejected
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto ca trustpoint my.goDaddy.trustpoint
 enrollment terminal
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 keypair my.goDaddy.key
 crl configure
crypto ca certificate chain my.goDaddy.trustpoint
 certificate 417ede
    30820512 308203fa a0030201 02020341 7ede300d 06092a86 4886f70d 01010505
    003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307 4172697a
    6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018 06035504
    0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504 0b132a68
    7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63 6f6d2f72
    65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479 20536563
    75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931 11300f06
    03550405 13083037 39363932 3837301e 170d3037 31303235 32313431 34355a17
    0d303831 30323532 31343134 355a3065 311f301d 06035504 0a131677 65627670
    6e2e6865 616c7468 796b6964 732e6f72 67312130 1f060355 040b1318 446f6d61
    696e2043 6f6e7472 6f6c2056 616c6964 61746564 311f301d 06035504 03131677
    65627670 6e2e6865 616c7468 796b6964 732e6f72 6730819f 300d0609 2a864886
    f70d0101 01050003 818d0030 81890281 8100ccdc 9127eb50 d914aa4e c6945638
    9dfeff30 6985daf2 c5bfc5b8 e60b4525 6f705e63 2d240864 cf1324d3 0752689f
    41a774da b5551ba4 66fe37e9 efba3a8e f9d6d65c 73235f92 3733d9f0 a74a0566
    3d1882bd 0fb05e8e 516f5f34 65e48046 75586a2c d4730dbf b3c52497 584b1d68
    3f138c36 2ebbd312 74648831 897c7012 d5fb0203 010001a3 8201e730 8201e330
    09060355 1d130402 3000300b 0603551d 0f040403 0205a030 1d060355 1d250416
    30140608 2b060105 05070301 06082b06 01050507 03023056 0603551d 1f044f30
    4d304ba0 49a04786 45687474 703a2f2f 63657274 69666963 61746573 2e676f64
    61646479 2e636f6d 2f726570 6f736974 6f72792f 676f6461 64647965 7874656e
    64656469 73737569 6e672e63 726c3052 0603551d 20044b30 49304706 0b608648
    0186fd6d 01071701 30383036 06082b06 01050507 0201162a 68747470 3a2f2f63
    65727469 66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f
    7279307f 06082b06 01050507 01010473 30713023 06082b06 01050507 30018617
    68747470 3a2f2f6f 6373702e 676f6461 6464792e 636f6d30 4a06082b 06010505
    07300286 3e687474 703a2f2f 63657274 69666963 61746573 2e676f64 61646479
    2e636f6d 2f726570 6f736974 6f72792f 67645f69 6e746572 6d656469 6174652e
    63727430 1d060355 1d0e0416 04147cf4 05679485 0534d0a6 2d969d27 fe451e0e
    88cf301f 0603551d 23041830 168014fd ac613293 6c45d6e2 ee855f9a bae77699
    68cce730 3d060355 1d110436 30348216 77656276 706e2e68 65616c74 68796b69
    64732e6f 7267821a 7777772e 77656276 706e2e68 65616c74 68796b69 64732e6f
    7267300d 06092a86 4886f70d 01010505 00038201 010085a7 51187110 78ab315a
    c7a43619 5e00551e ba52d320 0540dcd6 59f9a5ee 908450c2 80d18b07 15f88a39
    aea4a696 881a5b1f aa723f3b f1ebd80d d909f9db 37ff1939 44d5adf2 1fdf6801
    39d36e13 e3086f0a 257cf26d 3682229b 7a43dbe7 f27e4e2e 2f443cf1 6b14e5e2
    04240469 c440bb51 9334b09c 9e26ac50 96c9216b 5ac95a04 a96c1c3c 9989cd56
    99927d40 7f92c736 6100baad 165a5da5 56952b73 d524ab2f 66760eaa 65bb1d9d
    e5f58a28 c8960b65 9202fdba f7a429d0 4f889f7f 1398a750 954e3db2 ec89578c
    e01a9db2 933c40f5 6e8fa7ad 28cc9bcd 28803753 f2f51afb 3958338e dcf35a04
    4cd6dd93 e9f33327 f945e6fa 87441066 25e36706 67fc
  quit
 certificate ca 0301
    308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
    3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f
    20446164 64792047 726f7570 2c20496e 632e3131 302f0603 55040b13 28476f20
    44616464 7920436c 61737320 32204365 72746966 69636174 696f6e20 41757468
    6f726974 79301e17 0d303631 31313630 31353433 375a170d 32363131 31363031
    35343337 5a3081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
    4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
    06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504
    0b132a68 7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63
    6f6d2f72 65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479
    20536563 75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931
    11300f06 03550405 13083037 39363932 38373082 0122300d 06092a86 4886f70d
    01010105 00038201 0f003082 010a0282 010100c4 2dd5158c 9c264cec 3235eb5f
    b859015a a6618159 3b7063ab e3dc3dc7 2ab8c933 d379e43a ed3c3023 848eb330
    14b6b287 c33d9554 049edf99 dd0b251e 21de6529 7e35a8a9 54ebf6f7 3239d426
    5595adef fbfe5886 d79ef400 8d8c2a0c bd4204ce a73f04f6 ee80f2aa ef52a169
    66dabe1a ad5dda2c 66ea1a6b bbe51a51 4a002f48 c79875d8 b929c8ee f8666d0a
    9cb3f3fc 787ca2f8 a3f2b5c3 f3b97a91 c1a7e625 2e9ca8ed 12656e6a f6124453
    703095c3 9c2b582b 3d08744a f2be51b0 bf87d04c 27586bb5 35c59daf 1731f80b
    8feead81 36058908 98cf3aaf 2587c049 eaa7fd67 f7458e97 cc1439e2 3685b57e
    1a37fd16 f671119a 743016fe 1394a33f 840d4f02 03010001 a3820132 3082012e
    301d0603 551d0e04 160414fd ac613293 6c45d6e2 ee855f9a bae77699 68cce730
    1f060355 1d230418 30168014 d2c4b0d2 91d44c11 71b361cb 3da1fedd a86ad4e3
    30120603 551d1301 01ff0408 30060101 ff020100 30330608 2b060105 05070101
    04273025 30230608 2b060105 05073001 86176874 74703a2f 2f6f6373 702e676f
    64616464 792e636f 6d304606 03551d1f 043f303d 303ba039 a0378635 68747470
    3a2f2f63 65727469 66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f
    7369746f 72792f67 64726f6f 742e6372 6c304b06 03551d20 04443042 30400604
    551d2000 30383036 06082b06 01050507 0201162a 68747470 3a2f2f63 65727469
    66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f 7279300e
    0603551d 0f0101ff 04040302 0106300d 06092a86 4886f70d 01010505 00038201
    0100d286 c0ecbdf9 a1b667ee 660ba206 3a04508e 1572ac4a 749553cb 37cb4449
    ef07906b 33d996f0 9456a513 30053c85 32217bc9 c70aa824 a490de46 d3252314
    0367c210 d66f0f5d 7b7acc9f c5582ac1 c49e21a8 5af3aca4 46f39ee4 63cb2f90
    a4292901 d9722c29 df370127 bc4fee68 d3218fc0 b3e4f509 edd210aa 53b4bef0
    cc590bd6 3b961c95 2449dfce ecfda748 9114450e 3a366fda 45b345a2 41c9d4d7
    444e3eb9 7476d5a2 13552cc6 87a3b599 ac068487 7f7506fc bf144c0e cc6ec4df
    3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
    776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
  quit
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group FHKCvpn type ipsec-ra
tunnel-group FHKCvpn general-attributes
 address-pool VpnPool
 authorization-server-group LOCAL
 default-group-policy FHKCvpn
tunnel-group FHKCvpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 60
ssh version 2
console timeout 60
management-access Inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map http
 match access-list http-list
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect http
  inspect dns maximum-length 1024
  inspect esmtp
 class http
  set connection advanced-options tmap
policy-map DfltGrpPolicy
!
service-policy global_policy global
tftp-server Inside 192.168.1.49 ASAConfig_04302008.txt
ssl trust-point my.goDaddy.trustpoint
ssl trust-point my.goDaddy.trustpoint Outside
ssl trust-point my.goDaddy.trustpoint Inside
webvpn
 enable Outside
 title XXXXXXXXXXXXXXXXXXXXXXXXXX
 nbns-server 192.168.1.230 master timeout 2 retry 2
 authentication-server-group XXXXXXXXXXXXXXXXXXXXXX
smtps
 enable DMZ
 port 25
 server 192.168.4.101
 authentication-server-group XXXXXXXXXXXXXXXXXXXXXXXXXXXX
 authorization-server-group LOCAL
 default-group-policy DfltGrpPolicy
smtp-server 192.168.1.239
Cryptochecksum:6b1bb2e5b65e6bc1f704180fd35ecc5a
: end
Question by:HealthyKids
6 Comments
 

Expert Comment

by:urgoll
ID: 22779396
Hello,
First of all, the line that kills the internet:
static (DMZ,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255

should really be:

static (Inside,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255

Please try and let me know.

Regards,
Christophe

Author Comment

by:HealthyKids
ID: 22779448
That was actually a mistake from trying some things, and I accidentally left that in there.
I did it the exact way you said, to no avail.
It still kills the internet every time I add a static in for the mail server.

Expert Comment

by:jleleux
ID: 22779787
It might be a problem with your NAT statements. Try changing your NAT DMZ and Inside statements to reflect the corresponding internal LANs.
Author Comment

by:HealthyKids
ID: 22779963
Give me an example of how you are suggesting me to change it

Assisted Solution

by:jleleux
jleleux earned 500 total points
ID: 22780140
Never mind I was wrong, please disregard the comment.

Accepted Solution

by:HealthyKids
HealthyKids earned 0 total points
ID: 22787677
Figured it out
Thanks anyway

The problem was the company controlling our DNS didn't tell us that the IP I was using for the mail server was our network IP!
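The accepted solution and urgoll's earlier comment point at two separate sanity checks that the ASA itself does not perform when you type a static: the mapped address must be a usable host on the Outside subnet (12.111.128.184 is the network address of 12.111.128.184/29, given the Outside interface's 255.255.255.248 mask), and the real address must actually live behind the real interface named in the static (192.168.1.239 is on Inside, not DMZ). The following script is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the config posted above (interface addresses, the default route and the existing statics) plus the two candidate statics from the thread, reports both kinds of mistake, and goes one step beyond the thread by also flagging broadcast and interface addresses and listing which Outside addresses are still unused. The helper names and the excerpt are assumptions for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the question (not the full config):
# interface addresses, the existing Outside statics and the default route.
CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 ip address 12.111.128.186 255.255.255.248
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.1.235 255.255.255.0
interface GigabitEthernet0/2
 nameif DMZ
 ip address 192.168.4.1 255.255.255.0
static (DMZ,Outside) 12.111.128.189 192.168.4.253 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.188 192.168.4.100 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.187 192.168.4.201 netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 12.111.128.185 1
"""

# The two candidate statics discussed in the thread.
BAD_DMZ = "static (DMZ,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255"
BAD_INSIDE = "static (Inside,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255"

# static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_interfaces(text):
    """Map nameif -> IPv4Interface from the 'nameif' / 'ip address' lines."""
    ifaces, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def check_static(line, ifaces):
    """Return the problems with one host (/32) static; an empty list means it looks sane."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["not a 'static (real,mapped) mapped_ip real_ip netmask ...' line"]
    real_if, mapped_if, mapped, real, mask = m.groups()
    if mask != "255.255.255.255":
        return ["only host (/32) statics are checked here"]
    problems = [f"unknown interface {n}" for n in (real_if, mapped_if) if n not in ifaces]
    if problems:
        return problems
    mapped_ip, real_ip = ipaddress.IPv4Address(mapped), ipaddress.IPv4Address(real)
    mnet, rnet = ifaces[mapped_if].network, ifaces[real_if].network
    # The mapped address must be a usable host on the mapped interface's subnet.
    if mapped_ip not in mnet:
        problems.append(f"mapped {mapped} is not in the {mapped_if} subnet {mnet}")
    elif mapped_ip == mnet.network_address:
        problems.append(f"mapped {mapped} is the network address of {mnet}")
    elif mapped_ip == mnet.broadcast_address:
        problems.append(f"mapped {mapped} is the broadcast address of {mnet}")
    elif mapped_ip == ifaces[mapped_if].ip:
        problems.append(f"mapped {mapped} is the {mapped_if} interface address")
    # The real address must sit behind the interface named as the real side.
    if real_ip not in rnet:
        problems.append(f"real {real} is not in the {real_if} subnet {rnet}")
    return problems


def free_mapped_addresses(text, ifaces, outside="Outside"):
    """Usable hosts on the outside subnet not used by the interface itself,
    the default gateway, or the mapped side of an existing static."""
    iface = ifaces[outside]
    taken = {iface.ip}
    for line in text.splitlines():
        line = line.strip()
        if (m := STATIC_RE.match(line)) and m.group(2) == outside:
            taken.add(ipaddress.IPv4Address(m.group(3)))
        elif m := re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            taken.add(ipaddress.IPv4Address(m.group(1)))
    return [str(h) for h in iface.network.hosts() if h not in taken]


if __name__ == "__main__":
    ifaces = parse_interfaces(CONFIG)
    for candidate in (BAD_DMZ, BAD_INSIDE):
        print(candidate)
        for p in check_static(candidate, ifaces) or ["ok"]:
            print("  -", p)
    print("unused Outside addresses:", free_mapped_addresses(CONFIG, ifaces))
```

Run against the excerpt, the DMZ-side static reports both the network-address problem and the wrong real interface; urgoll's corrected Inside-side static still reports the network address, which is exactly what the accepted solution found. With .185 as the gateway, .186 on the interface and .187 to .189 already mapped, the only Outside address the posted config leaves unused is 12.111.128.190.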