Solved

ASA 5505

Posted on 2008-11-18
Last Modified: 2012-08-13
Dear All,
I have an ADSL modem (Aztech PPPoA) connected to the ASA outside port, and the inside is connected to my LAN. Internet is working fine, no problems at all. I have an Exchange server which is connected to my Head Office over ISDN through a Cisco 800 series router, so it doesn't have a real IP. I want users to access OWA from outside the office over the internet; for that purpose I need the ASA to forward any HTTP request from the internet to my Exchange server.
Please advise.
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HqvNNFh6cttwap5m encrypted
passwd O/qBJxMIGlusFmGG encrypted
names
name 172.18.131.11 SHLSVDC001
name 172.18.131.12 SHLSVEX001
name 172.18.131.14 SHLSVISA001
name 172.16.0.0 HeadOffice
name 172.18.131.165 Guest
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.131.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Servers
 network-object host SHLSVDC001
 network-object host SHLSVEX001
 network-object host SHLSVISA001
access-list inside_access_in extended permit ip object-group Servers any
access-list inside_access_in extended permit ip host Guest any
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route inside HeadOffice 255.255.0.0 172.18.131.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.18.131.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.18.131.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.131.3-172.18.131.130 inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0b44a736c28117b54b1eb1a3b0e1c5f1
: end

Question by:Zabee_80
5 Comments
 
Accepted Solution by RTh0037 (LVL 3, earned 1500 total points), ID: 22991669
Hi,

You can do this several ways. The easiest is to create a static PAT that maps a global external IP/port from your IP block to the Exchange server and then allow ACLs on the outside interface. Since you are using DHCP on your external interface this becomes tough. You could set it up, but if the external IP changes this setup becomes invalid. I would test this for now and then request a static public IP address:

You would need to add

static (inside,outside) tcp interface 80 SHLSVEX001 80 netmask 255.255.255.255

access-list outside_access_in remark ############ Exchange Server ###############
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
! the smtp/pop3 permits only carry traffic if matching static PAT lines (ports 25, 110) are added
! an ACL does nothing until it is bound to the interface:
access-group outside_access_in in interface outside




Author Comment by Zabee_80, ID: 22991722
Thanks for the quick reply.
No, it's not working; I am not able to access my OWA from the internet (http://sama-habtoor.sytes.net/exchange).
ciscoasa# sh ru
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HqvNNFh6cttwap5m encrypted
passwd O/qBJxMIGlusFmGG encrypted
names
name 172.18.131.11 SHLSVDC001
name 172.18.131.12 SHLSVEX001
name 172.18.131.14 SHLSVISA001
name 172.16.0.0 HeadOffice
name 172.18.131.165 Guest
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.131.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Servers
 network-object host SHLSVDC001
 network-object host SHLSVEX001
 network-object host SHLSVISA001
access-list inside_access_in extended permit ip object-group Servers any
access-list inside_access_in extended permit ip host Guest any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host SHLSVEX001 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www SHLSVEX001 www netmask 255.255.255.255
 
access-group inside_access_in in interface inside
route inside HeadOffice 255.255.0.0 172.18.131.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.18.131.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.18.131.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.131.3-172.18.131.130 inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0b44a736c28117b54b1eb1a3b0e1c5f1
: end

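As an added example (not code from the asker, RTh0037 or Cisco), a Python checker for the recipe in the accepted solution, run over the second posted config above: it confirms the static PAT exists, that the outside ACL permits the mapped address and port, and that an access-group binds that ACL to the outside interface, which is the line the second config does not contain. The config excerpt is constructed from the posted `sh ru`; `audit_port_forward`, `PORTS` and `FIX` are my names, and the pre-8.3 ACL semantics (outside ACLs match the mapped address) are what ASA 7.2 uses.

```python
# Constructed excerpt of the asker's second "sh ru" (only the lines that matter
# for the port-forward); FIX is the one line that config does not contain.
ASA_CONFIG = """\
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host SHLSVEX001 eq www
static (inside,outside) tcp interface www SHLSVEX001 www netmask 255.255.255.255
access-group inside_access_in in interface inside
"""
FIX = "access-group outside_access_in in interface outside\n"
PORTS = {"www": "80", "http": "80", "https": "443", "smtp": "25", "pop3": "110"}

def port(p):
    return PORTS.get(p, p)  # normalise ASA service keywords to numeric strings

def addr(t, i):
    """One ACL address at t[i]: 'any' or a two-token form (host X, interface X,
    object-group X, network mask). Returns (text, index of the next token)."""
    return ("any", i + 1) if t[i] == "any" else (" ".join(t[i:i + 2]), i + 2)

def audit_port_forward(config, out_if="outside"):
    """Pre-8.3 ASA rules for a static PAT on out_if: the inbound ACL must permit
    the *mapped* address/port, and it must be bound with access-group, or the
    security-level-0 interface silently drops the SYN."""
    statics, acls, bound = [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 6 and t[0] == "static" and t[2] == "tcp":
            statics.append((t[3], port(t[4]), t[5], port(t[6])))  # mapped, mport, real, rport
        elif t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit")
            _src, j = addr(t, i + 2)
            dst, k = addr(t, j)
            prt = port(t[k + 1]) if k < len(t) and t[k] == "eq" else "any"
            acls.setdefault(t[1], []).append((t[i + 1], dst, prt))
        elif t[:1] == ["access-group"]:
            bound[t[4]] = t[1]  # access-group <acl> in interface <ifname>
    findings = []
    for mapped, mport, real, rport in statics:
        want = f"interface {out_if}" if mapped == "interface" else f"host {mapped}"
        acl = bound.get(out_if)
        if acl is None:
            findings.append(("NO_ACCESS_GROUP", f"no ACL bound inbound on {out_if}; {real}:{rport} unreachable"))
        elif not any(p == "tcp" and d == want and pt in (mport, "any") for p, d, pt in acls.get(acl, [])):
            findings.append(("NO_PERMIT", f"{acl} lacks 'permit tcp any {want} eq {mport}'"))
        for name, entries in acls.items():
            if any(d == f"host {real}" for _, d, _ in entries):
                findings.append(("REAL_ADDR", f"{name} matches real IP {real}; outside ACLs see the mapped address"))
    return findings
```

The REAL_ADDR finding is informational: the extra `host SHLSVEX001` line is harmless but never matches on 7.2, so it is not what makes the forward work.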
Expert Comment by arshana (LVL 5), ID: 22993540
OWA works on HTTPS, so I think you would need to define port 443 also.

Author Comment by Zabee_80, ID: 22994347
Mine is working on HTTP by modifying the Exchange server registry.
Expert Comment by RTh0037 (LVL 3), ID: 22998365
Do a show run and check the hit count on the HTTP ACLs to verify it's making it there.

Also try to ping from the ASA to the Exchange server and post the results.

Thanks!