theprefab

asked on

Access internal OWA on Exchange 2003 from External IP through Cisco ASA

Hi,

I am currently trying to access my internal OWA site hosted on our Exchange 2003 server from an external IP over HTTPS. The external IP exists on our "internet" interface and the internal IP exists on our "inside" interface.

Rules created:

ACL:
access-list Internet extended permit https any host EXTERNAL_IP log
NAT:
static (inside,internet) tcp EXTERNAL_IP https INTERNAL_IP https netmask 255.255.255.255

I cannot see the traffic getting through, nor being blocked on the ASA.

Thanks
peterdilorenzo

You have to enable hairpinning, since you are leaving and coming in off the same interface. This should help you as an example.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

same-security-traffic permit intra-interface

!--- Enable hairpinning.

global (outside) 1 interface

!--- Global statement for client access to the Internet.

global (inside) 1 interface   <--- this one

!--- Global statement for hairpinned client access through
!--- the security appliance.

nat (inside) 1 192.168.100.0 255.255.255.0

!--- The NAT statement defines which traffic should be natted.  
!--- The whole inside subnet in this case.

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255

!--- Static NAT statement mapping the WWW server's real address to a
!--- public address on the outside interface.

static (inside,inside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255   <--- and this one

!--- Static NAT statement mapping requests for the public IP address of
!--- the WWW server that appear on the inside interface to the WWW server's
!--- real address of 192.168.100.10.
Les Moore

Where are you, physically, when you try to access the OWA? Are you inside, or on the outside, say from home?
An ACL and a static like you have is typically all you need to access it from home. Is the "EXTERNAL_IP" the same as the interface IP? If not, it could be an ISP problem.
Do you have ProxyARP enabled on the outside interface? It must be enabled to use static nat to any IP other than the interface itself.

theprefab

I'm trying from an external connection, i.e. a 3G modem or home DSL, and it fails to work, nor do I see anything getting blocked on the ASA. However, OWA is definitely working from the internal network.

The external IP is another IP within our purchased subnet, but not the interface's external IP.

theprefab

Hi - ProxyArp looks to be enabled. Is there any command I can run to confirm? I checked through the entire config and there is no indication of "no sysopt proxyarp".

Les Moore

Proxyarp is usually enabled by default, so if you don't see the no sysopt command, it is a good indication that it is enabled. If you use the ASDM GUI you can check to see yes/no enabled on each interface. The proxy ARP setting is in the same section as routing.

>access-list Internet extended permit https any host EXTERNAL_IP log
This ACE should actually read:

access-list Internet extended permit tcp any host EXTERNAL_IP eq https log

theprefab

Hi Irmoore - thanks for the ProxyArp tip in the ASDM GUI. PROXYARP is enabled on all interfaces as far as I can see, and this appears to be the default setting on the ASA.

However, I noticed in Monitoring > ARP table that the External_IP entry has a "no" in the Proxy ARP column.

Les Moore

That just means that the interface IP is not proxied because it is "real".
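Pulling the thread's pieces together, here is an added configuration example (not the accepted solution, which is not shown on this page, and not the asker's or Cisco's config): the corrected ACE bound to the interface, the port-level static, the hairpin lines only for the inside-client case, and the CLI checks that show where a SYN is dropped. It assumes the asker's interface names "internet" and "inside", pre-8.3 NAT syntax as used in the thread, and placeholders EXTERNAL_IP, INTERNAL_IP, 10.0.0.0/24 and 198.51.100.7 for the real addresses.

```cisco
! Added example, not the thread's own config. EXTERNAL_IP, INTERNAL_IP,
! 10.0.0.0/24 and the test client 198.51.100.7 are placeholders.

! 1. Permit only TCP/443 to the published address. The protocol keyword
!    ("tcp") comes first and the port ("eq https") follows the destination.
!    The ACL does nothing until access-group binds it to the interface.
access-list Internet extended permit tcp any host EXTERNAL_IP eq https log
access-group Internet in interface internet

! 2. Port-level static NAT: exposes only 443, not the whole server.
!    Because EXTERNAL_IP is not the interface address, the ASA answers ARP
!    for it only while proxy ARP stays enabled on "internet" (the default;
!    "sysopt noproxyarp internet" would disable it).
static (inside,internet) tcp EXTERNAL_IP https INTERNAL_IP https netmask 255.255.255.255

! 3. Hairpinning, needed only when inside clients must reach OWA through
!    EXTERNAL_IP (peterdilorenzo's case). Remote 3G/DSL users do not need it.
same-security-traffic permit intra-interface
global (inside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,inside) tcp EXTERNAL_IP https INTERNAL_IP https netmask 255.255.255.255

! 4. Verification. packet-tracer pushes a synthetic SYN through ACL, NAT and
!    routing and names the phase that drops it, which answers "nothing is
!    allowed and nothing is blocked" more directly than the syslog does.
packet-tracer input internet tcp 198.51.100.7 40000 EXTERNAL_IP 443
show xlate | include EXTERNAL_IP
show access-list Internet
show conn address INTERNAL_IP port 443
show arp
```

If packet-tracer reports ALLOW but no xlate or conn ever appears, the packet is not reaching the interface, which points upstream (the ISP's routing of the purchased block) rather than at the ASA rules.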
ASKER CERTIFIED SOLUTION
theprefab
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.