OWA through ASA

Posted on 2009-04-29
Last Modified: 2012-05-06
Hi, I have an ASA5510 and am having trouble getting inbound HTTPS (Outlook Web Access) to work.  Basically I have set up a static NAT into the Exchange server and allowed HTTPS to this.  I must be missing something.  If I ping the external IP/URL the ASA log shows it being blocked (good), but when a user tries to connect to "" it does not work and the log does not say much - some code attached

* EDIT by modus_in_rebus * edited out IP address
object-group service Webmail tcp
 description HTTP HTTPS
 port-object eq www
 port-object eq https
access-list Outside_access_in extended permit tcp any host object-group Webmail
static (Data_internal,Outside) netmask
access-group Outside_access_in in interface Outside
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect h323 h225
  inspect h323 ras
  inspect mgcp


Question by:gerard_mcveigh
    LVL 14

    Expert Comment

    by:Ehab Salem
    Did you allow outgoing traffic as well?

    Author Comment

    Ah yes, ASA blocks outbound by default also?  What would that line look like so I can check?
    LVL 14

    Expert Comment

    by:Ehab Salem
    I am not familiar with ASA firewall, but it should be an access-group for interface inside.

    Author Comment

    Not sure but I can access HTTPS websites from my PC which uses the ASA as its gateway
    LVL 14

    Accepted Solution

    By default, ASA won't block access from a high security interface to a lower security one (internal to external here). The first thing you should check is the static mapping. Browse to from your Exchange server; if you see the static IP, then the IP mapping is correct.

    The next thing to test is routing from the Exchange server: is the server using the ASA as its default gateway? If it is, can it access the internet?

    * EDIT by modus_in_rebus * edited out IP address
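
The static-mapping check from the accepted solution can also be run offline against a saved configuration. The Python sketch below is an added example, not code from the thread: it assumes the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` syntax used in the question, where the ACL bound to Outside must name the mapped address, and the addresses and the `check_inbound` helper are constructed for illustration.

```python
import re

# Constructed pre-8.3 style config. 203.0.113.10 and 192.168.1.10 are
# documentation placeholders, not the addresses edited out of the post.
SAMPLE = """\
object-group service Webmail tcp
 port-object eq www
 port-object eq https
access-list Outside_access_in extended permit tcp any host 203.0.113.10 object-group Webmail
static (Data_internal,Outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

def check_inbound(config, iface="Outside", port="https"):
    """Return a list of problems that would stop inbound tcp/`port` via a static NAT."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group service (\S+) tcp", line)
        if m:
            current = groups.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            p = re.match(r"\s+port-object eq (\S+)", line)
            if p:
                current.add(p.group(1))
        else:
            current = None
    # Mapped (public) addresses of every static whose mapped interface is `iface`.
    ifc = re.escape(iface)
    mapped = {m.group(1) for m in re.finditer(
        rf"^static \(\S+,{ifc}\) (\S+) \S+", config, re.M)}
    bound = re.search(rf"^access-group (\S+) in interface {ifc}\s*$", config, re.M)
    if not bound:
        return [f"no access-group applied inbound on {iface}"]
    # Permit lines of the bound ACL that cover `port`, directly or via an object-group.
    rule = re.compile(
        rf"^access-list {re.escape(bound.group(1))} extended permit tcp any host (\S+) "
        r"(?:eq (\S+)|object-group (\S+))", re.M)
    permitted = set()
    for m in rule.finditer(config):
        host, eq, grp = m.groups()
        if eq == port or port in groups.get(grp, ()):
            permitted.add(host)
    if not permitted:
        return [f"{bound.group(1)} has no permit for tcp/{port}"]
    return [f"ACL permits {host}, which is not a mapped address of any static on {iface}"
            for host in sorted(permitted - mapped)]
```

An empty list means the object-group, access-list, static and access-group lines agree with each other; it says nothing about routing on the server, which the second step of the accepted solution covers.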
