rmdb

asked on

Problem with OWA deployment in ISA Server 2006 and Cisco ASA 5510

Hi all,

I'm deploying OWA with ISA Server 2006 as a back Firewall and with Cisco ASA 5510 in the perimeter.

Because there is already a NAT in Cisco from one public IP (10.19.0.227) to one IP in ISA External NIC (192.168.21.12, so that people in our company go to web using one specific IP Address), I intended to publish our Webmail using a different public IP, so I've NATed a second public IP in Cisco (10.19.0.229) to another External IP that I've configured in ISA (192.168.21.15).

The problem is that I can't access Webmail from the Internet using the second public IP (10.19.0.229), but I can access it using the first IP (10.19.0.227), which is used to go to the web...

So, some questions arise:

- Is there any security issue/best practice which states that it is not recommended to have webmail on the same public IP used by the organization to "go" to the web?

- I think that ISA is not working because, despite the fact that ISA is able to "hear" multiple IPs, it only sends information using the first IP configured on the external NIC. Is this true? Is there any way to bypass this?

- Any other recommendation?
Justin Ellenbecker

Not sure if you are changing them, but 10.19.0 is not a public IP address. You can create policies in the ISA to send out multiple adapters, but it's been a while since I did it and that was in 04. I think first we need to make sure that you are even getting traffic to the PIX.
rmdb

ASKER

Hi StrifeJester,

- 10.19.0.xxx is not changed; our ISP NATs multiple Public IPs to VLAN 10.19.0.xxx. But that works well, no problems there.

- Cisco receives the traffic correctly. The problem is that if I NAT 10.19.0.229 to ISA External NIC IP 192.168.21.12 (first configured) everything works great, but if I NAT 10.19.0.229 to ISA External NIC IP 192.168.21.15 (second configured) then I don't even receive an error message, as if there was nothing listening on the IP.

Here is my ISA ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : msisa
   Primary Dns Suffix  . . . . . . . : mydomain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.com
                                 

Ethernet adapter Internal Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client)
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.20.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.20.201
                                       192.168.20.202

Ethernet adapter - DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
 VBD Client) #2
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.21.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.21.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.21.1
   DNS Servers . . . . . . . . . . . : 192.168.20.201
                                       192.168.20.202
rmdb

ASKER

Can anybody please help... ?
In ISA, do you have a listener set up? Since ISA acts as a firewall, you will need a listener set up for that port. Unfortunately, I do not remember the steps for this. I will see if I can find the steps, though, and get back to you if you are unfamiliar with how to do this.
ASKER CERTIFIED SOLUTION
Keith Alabaster