  • Status: Solved
  • Priority: Medium
  • Security: Public

Problem with OWA deployment in ISA Server 2006 and Cisco ASA 5510

Hi all,

I'm deploying OWA with ISA Server 2006 as a back firewall and with a Cisco ASA 5510 in the perimeter.

Because there is already a NAT in the Cisco from one public IP (10.19.0.227) to one IP on the ISA external NIC (192.168.21.12, so that people in our company go to the web using one specific IP address), I intended to publish our webmail using a different public IP. So I've NATed a second public IP in the Cisco (10.19.0.229) to another external IP that I've configured in ISA (192.168.21.15).

The problem is that I can't access Webmail from the Internet using the second public IP (10.19.0.229), but I can access it using the first IP (10.19.0.227), which is used to go to the web...

So, some questions arise:

- Is there any security issue/best practice that states it is not recommended to have webmail on the same public IP used by the organization to "go" to the web?

- I think that ISA is not working because, despite the fact that ISA is able to "hear" multiple IPs, it only sends information using the first IP configured on the external NIC. Is this true? Is there any way to bypass this?

- Any other recommendation?
0
Asked: rmdb
1 Solution
 
Justin Ellenbecker (IT Director) commented:
Not sure if you are changing them, but 10.19.0 is not a public IP address.  You can create policies in the ISA to send out multiple adapters, but it's been a while since I did it and that was in '04.  I think first we need to make sure that you are even getting traffic to the PIX.
0
 
rmdb (Author) commented:
Hi StrifeJester,

- 10.19.0.xxx is not changed; our ISP NATs multiple public IPs to VLAN 10.19.0.xxx. But that works well, no problems there.

- Cisco receives the traffic correctly. The problem is that if I NAT 10.19.0.229 to ISA External NIC IP 192.168.21.12 (first configured) everything works great, but if I NAT 10.19.0.229 to ISA External NIC IP 192.168.21.15 (second configured) then I don't even receive an error message, as if there was nothing listening on the IP.

Here is my ISA ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : msisa
   Primary Dns Suffix  . . . . . . . : mydomain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.com
                                 

Ethernet adapter Internal Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.20.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.20.201
                                       192.168.20.202

Ethernet adapter - DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.21.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.21.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.21.1
   DNS Servers . . . . . . . . . . . : 192.168.20.201
                                       192.168.20.202
0
 
rmdb (Author) commented:
Can anybody please help... ?
0
 
Justin Ellenbecker (IT Director) commented:
In ISA, do you have a listener set up? Since ISA acts as a firewall, you will need a listener set up for that port; unfortunately I do not remember the steps for this.  I will see if I can find the steps, though, and get back to you if you are unfamiliar with how to do this.
0
 
Keith Alabaster (Enterprise Architect) commented:
If you have added a second external IP on the ISA external NIC, you need to make a change to the original ISA publishing rule. By default, ISA will listen on ALL available external IP addresses that are assigned to it on a web listener.

Edit the first listener and locate where you have told it to listen on the external network. You will see an Addresses tab has now appeared (because there is more than one IP address assigned to the NIC). In here, select only the IP address you want to use for this original published service. Now edit the new listener and do the same thing, but select only the second IP address, the one for the new published service.

Keith
0
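As an added diagnostic for the symptom described in this thread (example code written for this page; it is not from the thread, from ISA Server or from Cisco), the Python script below separates the outcomes a browser collapses into "nothing happens": a listener accepting on the address ('open'), the host answering with a reset because nothing is bound there ('refused'), and no answer at all ('timeout', the usual signature of a NAT or ACL rule dropping the packet). It uses the two ISA external addresses from the question and assumes OWA is published on TCP 443; the local listener and free-port helpers exist only so the two reproducible verdicts can be shown offline.

```python
import socket
from typing import Dict, Iterable, Tuple

# Constructed values taken from the thread: the two addresses on the ISA
# external NIC. Port 443 is an assumption (OWA published over HTTPS).
ISA_EXTERNAL_ENDPOINTS = [("192.168.21.12", 443), ("192.168.21.15", 443)]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connect and classify what came back.

    'open'        a listener accepted the handshake on that address/port
    'refused'     the host answered with RST: reachable, but nothing bound there
    'timeout'     no answer at all: a NAT/ACL dropping the packet, or a host
                  silently discarding it (what a browser shows as no response)
    'unreachable' the local stack could not even send (no route, ICMP error)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def probe_all(endpoints: Iterable[Tuple[str, int]],
              timeout: float = 2.0) -> Dict[Tuple[str, int], str]:
    """Probe every (host, port) pair and return the verdict per pair."""
    return {(h, p): probe(h, p, timeout) for h, p in endpoints}


def start_local_listener(bind_addr: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on an ephemeral port (demonstration only).

    The kernel completes TCP handshakes into the backlog, so probe() reports
    'open' even though nothing ever calls accept().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Return a loopback port with nothing listening on it (bind, read, close)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # The two verdicts you can reproduce offline on any machine.
    srv, port = start_local_listener()
    print("bound listener ->", probe("127.0.0.1", port))          # open
    srv.close()
    print("nothing bound  ->", probe("127.0.0.1", free_port()))   # refused
    # On the real network, run this once from inside the DMZ (192.168.21.0/24)
    # against the ISA addresses, and once from outside against the public
    # addresses; the pair of verdicts tells you which hop is at fault.
    for (host, prt), verdict in probe_all(ISA_EXTERNAL_ENDPOINTS).items():
        print(f"{host}:{prt} -> {verdict}")
```

Reading the results: 'refused' on 192.168.21.15 from inside the DMZ while 192.168.21.12 is 'open' means the web listener is not bound to the second address, which is exactly the listener-address selection Keith describes. 'open' on both from inside but 'timeout' on 10.19.0.229 from outside moves the fault to the ASA translation or access rule rather than ISA.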
