oscarhic asked:
OWA (Outlook Web Access)

We're having some problems with our OWA.
We're able to use it just fine internally, but the problem we're having is that we can't access it externally.
It has worked in the past.
The firewall we're using is a Cisco ASA5510 (just added to the network).
When we attempt to connect to it externally, as email.xyz.com, the page isn't found.
I'm able to ping email.xyz.com externally and it replies back successfully.
We have other devices that are working fine behind the new firewall.

What can it be?
MikeKane:
You might want to post the config of the ASA (removing any personal items). For OWA to work through an ASA you will need either a static 1-to-1 map or a port forward from the external IP to the internal IP. In addition, you will need to create an ACL to allow traffic for ports 80 and 443 to the OWA server.

Post the config and I can have a look.  
oscarhic (asker):

MikeKane:
Here is the config.
ASA Version 8.0(4) 
!
hostname ccfd-fw1
domain-name 
enable password encrypted
passwd encrypted
no names
name 10.63.0.0 CCFDInsideNetwork description CCFD Inside Network
name 10.63.1.0 ITS description ITS STAFF
name 10.63.6.0 Station06 description Station 6 Network
name 10.63.7.0 Station07 description Station 7 Network
name 10.37.0.0 ClackamasCountyCCOM
name 10.32.100.0 ClackamasCountyWorkstation
name 10.63.1.20 Firepass description Firepass SSL VPN
name 10.63.150.223 Unity description Unity
name 10.63.230.40 SwitchAccessTempTest description Switch Access Test
name (IP)  Paul-Test-Remote
name 10.63.200.3 Exchange-Sophos description Exchange mail.ccfd1.com/filtering
name (IP)  FirepassOutside
name (IP)  NagiosOutside
name (IP)  SophosOutside
name (IP)  UnityOutsideTemp
name (IP)  WebserverOutside
name 10.63.1.40 SophosWeb
name 10.63.1.221 SunPro
name 10.63.1.1 CADWrkstn description Hicks
name 10.63.10.12 CADWrkstn01 description Martin
name 10.63.21.15 CADWrkstn02 description Gorman
name 10.63.21.18 CADWrkstn03 description Noble
name 10.63.21.60 CADWrkstn04 description Hillseland
name 10.63.21.12 CADWrkstn05 description Smith
name 10.63.1.22 Webserver description www.clackamasfire.com
name (IP)  NetMotion01 description CCSO
name (IP)  NetMotion02 description CCSO
name (IP)  NetMotionOutside description NetMotion
name 10.63.120.53 Nagios description Network Management Station CCSO
name 10.63.1.219 Backend_Exchange description Exchange 2003
name 10.63.200.2 OWA_FrontEnd_Exchange description WEBMAIL
name (IP)  OwaOutside
dns-guard
!
interface Ethernet0/0
 nameif Inside
 security-level 90
 ip address 10.63.222.9 255.255.255.248 
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Outside
 security-level 0
 ip address (IP)  255.255.255.240 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.63.222.2 255.255.255.248 
 management-only
!
banner exec This is a monitored and secured device.  All access must be authorized.  Unauthorized users must DISCONNECT NOW!
banner exec This is a monitored and secured device.  All access must be authorized.  Unauthorized users must DISCONNECT NOW!
banner login This is a monitored and secured device.  All access must be authorized.  Unauthorized users must DISCONNECT NOW!
banner login This is a monitored and secured device.  All access must be authorized.  Unauthorized users must DISCONNECT NOW!
banner asdm Welcome - This is a monitored and secured device.  All access must be authorized.  Unauthorized users must DISCONNECT NOW!
banner asdm Welcome - This is a monitored and secured device.  All access must be authorized.  Unauthorized users must DISCONNECT NOW!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.63.1.216
 name-server 10.63.21.224
 name-server 10.63.10.225
 domain-name clackamasfire.com
same-security-traffic permit intra-interface
object-group network CCFDInsideNetwork
 description CCFD Inside Network
 network-object 10.63.0.0 255.255.0.0
object-group network CCFD1-Stations
 description CCFD1 Station Networks
 network-object 10.63.6.0 255.255.255.0
 network-object 10.63.7.0 255.255.255.0
object-group network ClackamasCounty
 description Clackamas County CCOM Access VPN
 network-object 10.32.100.0 255.255.255.0
 network-object 10.37.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 service-object tcp eq 3389 
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object 10.32.100.0 255.255.255.0
 network-object 10.37.0.0 255.255.255.0
object-group network CAD_Access
 description Workstations with CAD access
 network-object host 10.63.1.1
 network-object host 10.63.10.12
 network-object host 10.63.21.12
 network-object host 10.63.21.15
 network-object host 10.63.21.18
 network-object host 10.63.21.60
object-group network DM_INLINE_NETWORK_2
 network-object host 10.63.1.40
 network-object host 10.63.200.3
object-group network DM_INLINE_NETWORK_3
 network-object host 10.63.1.221
 group-object CAD_Access
object-group service Netmotion udp
 port-object eq 5008
object-group network NetMotionServer
 description CCSO NetMotion Servers
 network-object host 198.245.130.124
 network-object host 198.245.130.126
object-group service Netmotion01 udp
 port-object eq 5008
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group service rdp tcp
 description remote desktop
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
access-list Inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any object-group DM_INLINE_TCP_2 
access-list Inside_access_in extended permit ip any any 
access-list Outside_cryptomap extended permit ip 10.63.0.0 255.255.0.0 object-group ClackamasCounty 
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_TCP_4 host (IP)  object-group DM_INLINE_TCP_1 
access-list Outside_access_in extended permit esp any any 
access-list Outside_access_in extended permit udp any any eq 4500 
access-list Outside_access_in extended permit udp any any eq isakmp 
access-list Outside_access_in extended permit icmp any any inactive 
access-list Outside_access_in remark Nagios Incoming Rule
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host (IP)  
access-list Outside_access_in extended permit tcp any host (IP)  eq smtp 
access-list Outside_access_in extended permit ip any host (IP)  
access-list Outside_access_in extended permit tcp any host (IP)  eq www 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 173.8.198.160 255.255.255.252 host 66.206.80.182 
access-list Outside_access_in extended permit udp any 10.63.0.0 255.255.0.0 eq ntp 
access-list Outside_access_in extended permit ip object-group ClackamasCounty host 10.63.1.221 
access-list Outside_access_in extended deny ip any any 
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_1 
access-list Inside_nat_static_6 extended permit ip host 10.63.120.53 any 
access-list Inside_nat_static_1 extended permit ip host 10.63.150.223 any 
access-list Inside_nat_static_2 extended permit ip host 10.63.1.20 any 
access-list Inside_nat_static_3 extended permit ip host 10.63.200.3 any 
access-list Inside_nat_static_4 extended permit tcp host 10.63.200.2 eq www any 
access-list Inside_nat_static_5 extended permit ip host 10.63.1.22 any 
pager lines 24
logging enable
logging timestamp
logging buffer-size 409600
logging monitor debugging
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
ip audit name Outside attack action alarm
ip audit name OutsideInfo info action alarm
ip audit interface Outside OutsideInfo
ip audit interface Outside Outside
no failover
icmp unreachable rate-limit 48 burst-size 2
icmp permit any Inside
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.63.0.0 255.255.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp (OWA-IP)  www access-list Inside_nat_static_4 
static (Inside,Outside) (WEB IP)  access-list Inside_nat_static_5 
static (Inside,Outside) (IP)  access-list Inside_nat_static_3 
static (Inside,Outside) (IP)  access-list Inside_nat_static_6 
static (Inside,Outside) (IP)  access-list Inside_nat_static_2 
static (Inside,Outside) (IP)  access-list Inside_nat_static_1 
static (Inside,Outside) (IP)  10.63.222.11 netmask 255.255.255.255 
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
!
router eigrp 100
 no auto-summary
 eigrp router-id 10.63.222.9
 network 10.63.0.0 255.255.0.0
 passive-interface Outside
 passive-interface management
!
route Outside 0.0.0.0 0.0.0.0 66.206.80.190 1
route Inside 10.63.0.0 255.255.0.0 10.63.222.10 200
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record AdminAccess
 description "Admin Access"
http server enable
http 10.63.0.0 255.255.0.0 Inside
http 10.63.0.0 255.255.0.0 management
http X.X.X.X  255.255.255.248 Outside
http 173.8.198.160 255.255.255.252 Outside
snmp-server host Inside 10.63.1.200 community 
snmp-server location 
snmp-server contact 
snmp-server community 
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface Outside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.63.1.0 255.255.255.0 Inside
telnet timeout 5
ssh scopy enable
ssh 10.63.0.0 255.255.0.0 Inside
ssh timeout 5
console timeout 10
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.63.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 173.8.198.160 255.255.255.252
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18 source Outside prefer
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 rc4-sha1
webvpn
 enable Outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username password encrypted privilege 15
username password encrypted privilege 15
tunnel-group 198.245.132.2 type ipsec-l2l
tunnel-group 198.245.132.2 ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
 isakmp keepalive disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ctiqbe 
  inspect dcerpc 
  inspect icmp 
  inspect icmp error 
  inspect ils 
  inspect ipsec-pass-thru 
  inspect mgcp 
  inspect pptp 
  inspect snmp 
  inspect waas 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:dc88aed3d79904030f9ab22d07737fa8
: end


MikeKane:

Does any internal service work? That config seems overly complex for no reason; I'm pushing my limits on ASA here, but here's what I see:

#1 there is no outside_access_in rule to allow 80 and 443 to the OWA-IP
you need something like:
access-list Outside_access_in extended permit tcp any host (OWA-IP)  eq www
access-list Outside_access_in extended permit tcp any host (OWA-IP)  eq https


#2 It looks to me like this ACL is reversed. The ACL would list the source first and destination second:
access-list Inside_nat_static_4 extended permit tcp host 10.63.200.2 eq www any
It's telling me to match this ACL if the source is the internal server with port 80. Seems reversed to me... I've not tried a config like this before. If this config is passing info to the internal server like this, then you need to have port 443 on the ACL as well:
access-list Inside_nat_static_4 extended permit tcp host 10.63.200.2 eq https any

It's not very intuitive.

The usual setup for this is simply the following (interface names as defined by nameif in your config, no space after the comma):

static (Inside,Outside) <outside OWA ip> 10.63.200.2 netmask 255.255.255.255

access-list Outside_access_in extended permit tcp any host <outside OWA ip> eq www
access-list Outside_access_in extended permit tcp any host <outside OWA ip> eq https

access-group Outside_access_in in interface Outside



With all the ACL matches you are using, it looks to me like you want to port forward from one external IP to various internal boxes. This is fine and normal, but I've never seen anyone use ACLs to match internal ports... Not to say it's incorrect in any way, just outside my experience.
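As an added worked example (not from the original thread and not the asker's final config), here is the complete set of ASA 8.0(4)-style commands that would expose the WEBMAIL front end (10.63.200.2 in the posted config) on both 80 and 443, followed by the on-box checks that tell you whether the packets are even reaching the firewall. The mapped address 203.0.113.10 and the test client 198.51.100.5 are placeholders chosen from the RFC 5737 documentation ranges, because the real addresses are redacted on this page. Two things are visible in the posted config: the existing policy static (`Inside_nat_static_4`) covers tcp/80 only, so https has no translation at all, and the `Outside_access_in` entry for that host carries a port object-group in the source-port position, which only matches clients whose ephemeral source port happens to be 80 or 443. One further caveat: a ping reply from the mapped address proves nothing about forwarding, since the only ICMP permit on the outside ACL is marked `inactive` and a tcp-only static does not translate ICMP, so whatever answered that ping was not this translation.

```cisco
! Added example: 1:1 static for the OWA front end, ASA 8.0(4) (pre-8.3) syntax.
! 203.0.113.10 stands in for the redacted (OWA-IP); 10.63.200.2 is the WEBMAIL host.
! Pre-8.3 ACLs reference the MAPPED (public) address, not the real inside address.

! Option A: full 1:1 static. All ports translate; the ACL below restricts what is reachable.
static (Inside,Outside) 203.0.113.10 10.63.200.2 netmask 255.255.255.255

! Option B (use instead of A when 203.0.113.10 is shared with other inside hosts):
! port-level static PAT, one line per exposed port. Note https gets its own line.
! static (Inside,Outside) tcp 203.0.113.10 www   10.63.200.2 www   netmask 255.255.255.255
! static (Inside,Outside) tcp 203.0.113.10 https 10.63.200.2 https netmask 255.255.255.255

! Permit 80/443 from anywhere to the mapped address. No source-port qualifier:
! browsers use random ephemeral source ports, so "any eq www host X" would never match.
! The posted ACL ends with an explicit "deny ip any any", so place these above it
! ("line N" inserts at a position instead of appending after the deny).
access-list Outside_access_in line 1 extended permit tcp any host 203.0.113.10 eq www
access-list Outside_access_in line 2 extended permit tcp any host 203.0.113.10 eq https
access-group Outside_access_in in interface Outside

! Existing xlate entries are not rebuilt when a static changes; clear them so the new one applies.
clear xlate

! The posted config logs to monitor/ASDM only; buffer informational so "show logging" has data.
logging buffered informational

! ---- Verification, run on the ASA ----
! 1. Simulate an outside client (placeholder 198.51.100.5:40000) connecting to OWA on 443.
!    Every phase (ACCESS-LIST, NAT, ...) should report ALLOW; the first DROP names the culprit.
packet-tracer input Outside tcp 198.51.100.5 40000 203.0.113.10 443

! 2. Confirm the translation exists and that the new ACEs accumulate hits (hitcnt=...).
show xlate | include 10.63.200.2
show access-list Outside_access_in | include 203.0.113.10

! 3. While someone browses to https://email.xyz.com from outside, watch the buffer.
!    106023 = denied by access-group; 305005 / 305006 = no translation group / translation failed.
!    If nothing for 203.0.113.10 appears at all, the packets never reached this ASA, which
!    points upstream (ISP routing or ARP for that address) rather than at the firewall rules.
show logging | include 203.0.113.10
```

The third check is the one that matters for a "page not found" from outside: an ACL or NAT problem leaves a 106023 or 305005 line in the log, whereas an address that the ISP is routing elsewhere leaves no trace on the ASA at all.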




oscarhic (asker):

By "service" I am assuming you are referring to other translated hosts. The answer is yes, they all work externally except for OWA. All services work internally, including OWA.
There is a rule; you need to also look at the object groups and protocol groups. I did notice that the rule was mis-entered, but after correcting it there is no change. My next step is to remove all FW config for OWA and rebuild it fresh. I expect better results this time. I will keep you posted; if this resolves the issue I will award points accordingly. If not, you will hear from me again. :)
ASKER CERTIFIED SOLUTION
MikeKane (solution text not available on this page)

oscarhic (asker):
From the syslog we were able to determine the ISP was using our translated address for OWA as a test IP within their internal network. Thanks for the syslog tip.