Problem with OWA deployment in ISA Server 2006 and Cisco ASA 5510

Hi all,

I'm deploying OWA with ISA Server 2006 as the back firewall and with a Cisco ASA 5510 in the perimeter.

Because there is already a NAT in the Cisco from one public IP (10.19.0.227) to one IP on the ISA external NIC (192.168.21.12, so that people in our company go to the web using one specific IP address), I intended to publish our webmail using a different public IP, so I've NATed a second public IP in the Cisco (10.19.0.229) to another external IP that I've configured in ISA (192.168.21.15).

The problem is that I can't access webmail from the Internet using the second public IP (10.19.0.229), but I can access it using the first IP (10.19.0.227), which is the one used to go to the web...

So, some questions arise:

- Is there any security issue or best practice which states that it is not recommended to have webmail on the same public IP used by the organization to "go" to the web?

- I think that ISA is not working because, despite the fact that ISA is able to "hear" on multiple IPs, it only sends information using the first IP configured on the external NIC. Is this true? Is there any way to get around this?

- Any other recommendations?

Asked by rmdb
Justin Ellenbecker (IT Director) commented:
Not sure if you are changing them, but 10.19.0 is not a public IP address. You can create policies in the ISA to send out multiple adapters, but it's been a while since I did it and that was in '04. I think first we need to make sure that you are even getting traffic to the PIX.
rmdb (Author) commented:
Hi StrifeJester,

- 10.19.0.xxx is not changed; our ISP NATs multiple public IPs to VLAN 10.19.0.xxx. But that works well, no problems there.

- The Cisco receives the traffic correctly. The problem is that if I NAT 10.19.0.229 to the ISA external NIC IP 192.168.21.12 (the first one configured) everything works great, but if I NAT 10.19.0.229 to the ISA external NIC IP 192.168.21.15 (the second one configured) then I don't even receive an error message, as if there were nothing listening on that IP.

Here is my ISA ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : msisa
   Primary Dns Suffix  . . . . . . . : mydomain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.com

Ethernet adapter Internal Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.20.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.20.201
                                       192.168.20.202

Ethernet adapter - DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.21.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.21.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.21.1
   DNS Servers . . . . . . . . . . . : 192.168.20.201
                                       192.168.20.202
rmdb (Author) commented:
Can anybody please help...?
Justin Ellenbecker (IT Director) commented:
In ISA, do you have a listener set up? Since ISA acts as a firewall, you will need a listener set up for that port; unfortunately I do not remember the steps for this. I will see if I can find the steps, though, and get back to you if you are unfamiliar with how to do this.
Keith Alabaster (Enterprise Architect) commented:
If you have added a second external IP on the ISA external NIC, you need to make a change to the original ISA publishing rule. By default, ISA will listen on ALL available external IP addresses that are assigned to it on a web listener.

Edit the first listener and locate where you have told it to listen on the external network. You will see that an Addresses tab has now appeared (because there is more than one IP address assigned to the NIC). In here select only the IP address you want to use for this original published service. Now edit the new listener and do the same thing, but select only the second IP address, the one for the new published service.

Keith
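Before touching the listeners, it is worth confirming the symptom from the ISA host itself: if the published port is bound only to the first external address (or only to 0.0.0.0 by a listener that was later narrowed), a NAT rule pointing at the second address has nothing to hand the packet to, and the client just times out with no error, exactly as described above. The following Python script is an added example, not code from the thread or from ISA Server: it parses `netstat -ano` output as produced by Windows, checks each NAT mapping from the thread (10.19.0.227 to 192.168.21.12 and 10.19.0.229 to 192.168.21.15) for a listener on the published port, and treats a wildcard 0.0.0.0 binding as covering every address. The port (443, HTTPS for OWA) and the embedded netstat text are assumptions; the sample output is constructed to mirror the poster's situation, not captured from their server.

```python
"""Check which ISA external IPs actually have a listener on a published port.

Run on the ISA host as:
    netstat -ano | python check_listeners.py
With no piped input it falls back to the constructed sample below.
"""
import sys

# Constructed sample of Windows `netstat -ano` output (not real data):
# the first external IP has an HTTPS listener, the second does not.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1048
  TCP    192.168.20.12:8080     0.0.0.0:0              LISTENING       2144
  TCP    192.168.21.12:443      0.0.0.0:0              LISTENING       2144
  TCP    192.168.21.12:443      203.0.113.7:51022      ESTABLISHED     2144
  UDP    0.0.0.0:500            *:*                                    1212
"""

WILDCARD = "0.0.0.0"

# Assumption: the NAT rules on the ASA map these outside addresses to the
# two addresses configured on the ISA external (DMZ) NIC, as in the thread.
NAT_MAP = {
    "10.19.0.227": "192.168.21.12",  # original mapping, used for outbound web
    "10.19.0.229": "192.168.21.15",  # new mapping intended for OWA
}
OWA_PORT = 443  # assumption: OWA is published over HTTPS


def parse_listeners(netstat_text):
    """Return the set of (ip, port) for every TCP socket in LISTENING state.

    Windows `netstat -ano` TCP rows have exactly five fields:
    Proto, Local Address, Foreign Address, State, PID. UDP rows have no
    State column and are skipped, as are header lines and established
    connections.
    """
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rsplit on the last colon so an IPv6 literal like [::]:443 still works
        ip, port = fields[1].rsplit(":", 1)
        listeners.add((ip, int(port)))
    return listeners


def is_bound(listeners, ip, port):
    """True if something listens on ip:port, or on the wildcard address for port."""
    return (ip, port) in listeners or (WILDCARD, port) in listeners


def check_publishing(listeners, nat_map, port):
    """For each public -> internal NAT mapping, say whether the internal
    address has a listener on `port`. Returns {public_ip: bool}."""
    return {pub: is_bound(listeners, inside, port) for pub, inside in nat_map.items()}


def main():
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    listeners = parse_listeners(text)
    for pub, ok in check_publishing(listeners, NAT_MAP, OWA_PORT).items():
        inside = NAT_MAP[pub]
        status = "listening" if ok else "NO LISTENER (check the web listener's Addresses tab)"
        print(f"{pub} -> {inside}:{OWA_PORT}: {status}")


if __name__ == "__main__":
    main()
```

On the sample this reports 10.19.0.227 as served and 10.19.0.229 as having no listener, which is the state to expect if the OWA listener was never bound to 192.168.21.15. After editing the two listeners as described, rerun it: both mappings should show "listening", and an entry for 192.168.21.15:443 should appear in the raw netstat output. Note the script only confirms the ISA side; a listener that is present but unreachable still points at the NAT or access-list on the ASA.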