
Access internal OWA on Exchange 2003 from External IP through Cisco ASA

theprefab asked:
Hi,

I am currently trying to access my internal OWA site hosted on our Exchange 2003 server from an external IP over HTTPS. The external IP exists on our "internet" interface and the internal IP exists on our "inside" interface.

Rules created:

ACL:
access-list Internet extended permit https any host EXTERNAL_IP log
NAT:
static (inside,internet) tcp EXTERNAL_IP https INTERNAL_IP https netmask 255.255.255.255

I cannot see the traffic getting through, nor being blocked, on the ASA.

Thanks

You have to enable hairpinning, since you are leaving and coming in off the same interface. This example should help you.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

same-security-traffic permit intra-interface

!--- Enable hairpinning.

global (outside) 1 interface

!--- Global statement for client access to the Internet.

global (inside) 1 interface <--- this one

!--- Global statement for hairpinned client access through
!--- the security appliance.

nat (inside) 1 192.168.100.0 255.255.255.0

!--- The NAT statement defines which traffic should be natted.  
!--- The whole inside subnet in this case.

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255

!--- Static NAT statement mapping the WWW server's real address to a
!--- public address on the outside interface.

static (inside,inside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 <--- and this one

!--- Static NAT statement mapping requests for the public IP address of
!--- the WWW server that appear on the inside interface to the WWW server's
!--- real address of 192.168.100.10.
Les Moore (Sr. Systems Engineer, Top Expert 2008) commented:
Where are you, physically, when you try to access the OWA? Are you inside, or on the outside, say from home?
An ACL and a Static like you have is typically all you need to access it from home. Is the "EXTERNAL_IP" the same as the interface IP? If not, it could be a ISP problem.
Do you have ProxyARP enabled on the outside interface? It must be enabled to use static nat to any IP other than the interface itself.

Author commented:
I'm trying from an external connection, i.e. a 3G modem or home DSL, and it fails to work, nor do I see anything getting blocked on the ASA. However, the OWA is definitely working from the internal network.

The external IP is another IP within our purchased subnet, but not the interface's external IP.

Author commented:
Hi - ProxyARP looks to be enabled. Is there any command I can run to confirm? I checked through the entire config and there is no indication of "no sysopt proxyarp".
Les Moore (Sr. Systems Engineer, Top Expert 2008) commented:
Proxy ARP is usually enabled by default, so if you don't see the no sysopt command, it is a good indication that it is enabled. If you use the ASDM GUI you can check yes/no enabled on each interface; the proxy ARP setting is in the same section as routing.

>access-list Internet extended permit https any host EXTERNAL_IP log
This ace should actually read:

access-list Internet extended permit tcp any host EXTERNAL_IP eq https log
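As an added example (not from the thread or from Cisco), a small Python checker that parses pre-8.3 ASA `static` PAT and extended `access-list` lines and reports the two problems visible in the question: a port name sitting in the protocol slot of the ACE, and a static mapping that no ACE permits traffic to. Interface names, addresses and the ACL name are constructed samples.

```python
import re
# Added example (not from the thread): check pre-8.3 ASA static PAT + ACL pairs for the
# two mistakes a misplaced port keyword causes. Addresses below are constructed samples.
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ah"}   # valid in the protocol slot
PORT_NAMES = {"https": 443, "www": 80, "http": 80, "smtp": 25}

def port_num(tok):
    # Resolve a named or numeric port; None if unknown.
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def take_addr(toks):
    # Consume one address spec (any | host X | NET MASK); return (addr, remaining tokens).
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]

def parse_static(line):
    # static (real_if,mapped_if) tcp|udp MAPPED_IP MPORT REAL_IP RPORT netmask MASK
    m = re.match(r"static \(\w+,\w+\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask", line)
    return m and {"proto": m[1], "mapped_ip": m[2], "mapped_port": port_num(m[3])}
def parse_ace(line):
    # access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]
    m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)$", line)
    if not m:
        return None
    ace = {"acl": m[1], "action": m[2], "proto": m[3], "error": None}
    if m[3] not in PROTOCOLS:
        # The question's ACE: a port name where the protocol keyword belongs.
        ace["error"] = f"'{m[3]}' is not a protocol; write 'permit tcp ... eq {m[3]}'"
    _, toks = take_addr(m[4].split())          # skip the source spec
    ace["dst"], toks = take_addr(toks)
    ace["dst_port"] = port_num(toks[1]) if toks[:1] == ["eq"] else None
    return ace

def check_config(lines):
    # Return findings; an empty list means every static has a matching permit ACE.
    statics = [s for s in map(parse_static, lines) if s]
    aces = [a for a in map(parse_ace, lines) if a]
    findings = [f"{a['acl']}: {a['error']}" for a in aces if a["error"]]
    for s in statics:
        if not any(a["action"] == "permit" and not a["error"]
                   and a["proto"] in ("ip", s["proto"]) and a["dst"] in ("any", s["mapped_ip"])
                   and a["dst_port"] in (None, s["mapped_port"]) for a in aces):
            findings.append(f"no ACE permits {s['proto']}/{s['mapped_port']} to {s['mapped_ip']}")
    return findings
STATIC = "static (inside,internet) tcp 203.0.113.10 https 192.168.1.10 https netmask 255.255.255.255"
BROKEN = ["access-list Internet extended permit https any host 203.0.113.10 log", STATIC]
FIXED = ["access-list Internet extended permit tcp any host 203.0.113.10 eq https log", STATIC]
```

Running `check_config(BROKEN)` returns both findings, while `check_config(FIXED)` returns an empty list; the checker does not model hairpinning or routing, so an ISP-side conflict like the one found later in this thread is outside what it can see.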

Author commented:
Hi lrmoore - thanks for the ProxyARP tip in the ASDM GUI. Proxy ARP is enabled on all interfaces as far as I can see, and this appears to be the default setting on the ASA.

However, I noticed in Monitoring > ARP table that the External_IP entry has a "no" in the Proxy ARP column.
Les Moore (Sr. Systems Engineer, Top Expert 2008) commented:
That just means that the interface IP is not proxied because it is "real".
Author commented:
OK - got this working. It turned out the ISP had used 2 of our free IP addresses for their upstream routers, hence when I tried to use either of them, I never saw the traffic on the ASA.

Thanks