ASA 5505

Dear All,
I have an ADSL modem (Aztech PPPoA) connected to the ASA outside port, and the inside is connected to my LAN. Internet is working fine, no problems at all. I have an Exchange server which is connected to my head office over ISDN through a Cisco 800 series router, so it doesn't have a real IP. I want users to access OWA from outside the office over the internet; for that purpose I need the ASA to forward any HTTP request from the internet to my Exchange server.
Please advise.
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HqvNNFh6cttwap5m encrypted
passwd O/qBJxMIGlusFmGG encrypted
names
name 172.18.131.11 SHLSVDC001
name 172.18.131.12 SHLSVEX001
name 172.18.131.14 SHLSVISA001
name 172.16.0.0 HeadOffice
name 172.18.131.165 Guest
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.131.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Servers
 network-object host SHLSVDC001
 network-object host SHLSVEX001
 network-object host SHLSVISA001
access-list inside_access_in extended permit ip object-group Servers any
access-list inside_access_in extended permit ip host Guest any
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route inside HeadOffice 255.255.0.0 172.18.131.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.18.131.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.18.131.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.131.3-172.18.131.130 inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0b44a736c28117b54b1eb1a3b0e1c5f1
: end

Zabee_80 asked:

RTh0037 commented:
Hi,

You can do this several ways. The easiest is to create a static PAT that maps a global external IP/port from your IP block to the Exchange server and then allow ACLs on the outside interface. Since you are using DHCP on your external interface this becomes tough. You could set it up, but if the external IP changes this setup becomes invalid. I would test this for now and then request a static public IP address:

You would need to add

static (inside,outside) tcp interface 80 SHLSVEX001 80 netmask 255.255.255.255

access-list outside_access_in remark ############ Exchange Server ###############
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3



Zabee_80 (author) commented:
Thanks for the quick reply.
No, it's not working; I am not able to access my OWA from the internet (http://sama-habtoor.sytes.net/exchange).
ciscoasa# sh ru
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HqvNNFh6cttwap5m encrypted
passwd O/qBJxMIGlusFmGG encrypted
names
name 172.18.131.11 SHLSVDC001
name 172.18.131.12 SHLSVEX001
name 172.18.131.14 SHLSVISA001
name 172.16.0.0 HeadOffice
name 172.18.131.165 Guest
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.131.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GST 4
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Servers
 network-object host SHLSVDC001
 network-object host SHLSVEX001
 network-object host SHLSVISA001
access-list inside_access_in extended permit ip object-group Servers any
access-list inside_access_in extended permit ip host Guest any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host SHLSVEX001 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www SHLSVEX001 www netmask 255.255.255.255
 
access-group inside_access_in in interface inside
route inside HeadOffice 255.255.0.0 172.18.131.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.18.131.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.18.131.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.18.131.3-172.18.131.130 inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0b44a736c28117b54b1eb1a3b0e1c5f1
: end

arshana commented:
OWA works on HTTPS, so I think you would need to define port 443 also.
Zabee_80 (author) commented:
Mine is working on HTTP by modifying the Exchange server registry.
RTh0037 commented:
Do a show run and check the hit count on the HTTP ACLs to verify it's making it there.

Also try to ping from the ASA to the exchange server and post results.

Thanks!
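Both running-configs posted above define outside_access_in and the static PAT, but neither binds the ACL with `access-group outside_access_in in interface outside`; without that binding the ACL has no effect and inbound traffic to the PAT is dropped by the default lower-to-higher policy. On pre-8.3 code such as 7.2, an ACL on the outside interface must also reference the translated address (`interface outside`), not the server's real address. The script below is an added example, not from this thread and not a Cisco tool: it parses a config excerpt in the command forms seen on this page and reports both problems, which is the check that RTh0037's ACL advice and the later "verify it's making it there" comment call for. The sample config is excerpted from the poster's second `sh ru`; the port-name table is a hypothetical subset of the ASA's named ports.

```python
"""Offline audit of an ASA 7.x running-config excerpt for static PAT rules
whose inbound ACL is missing, unbound, or does not match the translated address.
Added example; parsing covers only the command forms seen on the page."""

# Excerpt of the poster's second 'sh ru' (names, ACLs, NAT, access-group).
SAMPLE_CONFIG = """\
name 172.18.131.12 SHLSVEX001
access-list inside_access_in extended permit ip host Guest any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host SHLSVEX001 eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www SHLSVEX001 www netmask 255.255.255.255
access-group inside_access_in in interface inside
"""

# Hypothetical subset of ASA named ports, enough for the lines on this page.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}


def port_number(tok):
    """Map a port keyword or numeric string to an int; None if unknown."""
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    return int(tok) if tok.isdigit() else None


def parse_config(text):
    """Collect name mappings, ACEs per ACL, access-group bindings and static PATs."""
    cfg = {"names": {}, "acls": {}, "groups": {}, "statics": []}
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "name" and len(t) >= 3:          # name <ip> <label>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "access-list" and len(t) >= 3:  # access-list <acl> <ace...>
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and len(t) >= 5:  # access-group <acl> in interface <if>
            cfg["groups"][t[4]] = t[1]
        elif t[0] == "static" and len(t) >= 7 and t[2] in ("tcp", "udp"):
            # static (<inside>,<outside>) <proto> <global> <gport> <local> <lport> ...
            _inside, outside = t[1].strip("()").split(",")
            cfg["statics"].append({"proto": t[2], "iface": outside,
                                   "gaddr": t[3], "gport": port_number(t[4]),
                                   "laddr": t[5], "lport": port_number(t[6])})
    return cfg


def _addr(tok, i):
    """Return (next index, address spec) for the ACE address starting at tok[i]."""
    if tok[i] == "any":
        return i + 1, ("any",)
    if tok[i] in ("host", "interface"):
        return i + 2, (tok[i], tok[i + 1])
    return i + 2, ("net", tok[i], tok[i + 1])


def ace_permits(ace, static):
    """True if this ACE permits the static PAT's protocol/port to its translated address."""
    tok = [t for t in ace if t != "extended"]
    if len(tok) < 4 or tok[0] != "permit" or tok[1] not in (static["proto"], "ip"):
        return False
    try:
        i, _src = _addr(tok, 2)
        i, dst = _addr(tok, i)
        # Pre-8.3: the outside ACL sees the translated (global) address, so only
        # 'any' or 'interface <outside>' matches a PAT on the interface address.
        dst_ok = dst == ("any",) or (
            static["gaddr"] == "interface" and dst == ("interface", static["iface"]))
        port_ok = i >= len(tok) or (
            tok[i] == "eq" and port_number(tok[i + 1]) == static["gport"])
    except IndexError:       # malformed ACE cannot be trusted to permit anything
        return False
    return dst_ok and port_ok


def audit(text):
    """Return a list of human-readable findings; empty means no problem found."""
    cfg = parse_config(text)
    findings = []
    applied = set(cfg["groups"].values())
    for name, aces in cfg["acls"].items():
        if name not in applied:
            findings.append(f"ACL {name} is defined but never applied with access-group, "
                            "so it has no effect")
        for ace in aces:                       # 'host interface' is not valid ASA syntax
            if "host" in ace and ace.index("host") + 1 < len(ace) \
                    and ace[ace.index("host") + 1] == "interface":
                findings.append(f"ACL {name}: 'host interface' is invalid; "
                                "use 'interface <ifname>'")
    for s in cfg["statics"]:
        real = cfg["names"].get(s["laddr"], s["laddr"])
        acl = cfg["groups"].get(s["iface"])
        if acl is None:
            findings.append(f"static PAT {s['proto']}/{s['gport']} on {s['iface']} -> {real} "
                            "has no inbound ACL applied; traffic is dropped by default")
        elif not any(ace_permits(a, s) for a in cfg["acls"].get(acl, [])):
            findings.append(f"ACL {acl} on {s['iface']} has no ACE permitting "
                            f"{s['proto']}/{s['gport']} to the translated address")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Running it against the excerpt reports the unbound outside_access_in and the unprotected static PAT; appending the `access-group outside_access_in in interface outside` line clears both findings, because the first ACE already permits tcp/80 to `interface outside`.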