Solved

Cisco Router Port Forwarding Challenge

Posted on 2011-05-09
Last Modified: 2012-05-11
Hi Experts,

I am having a challenge accessing the Exchange server located on the DMZ of the Cisco ASA5505.
The major challenge is that while I am able to access the Exchange server from within the inside network, i.e. the 172.19.30.0/24 network, I am unable to do the same from the internet.
I believe I have put in the appropriate configurations in both the router and the firewall.
One interesting thing is that it appears that ports 443, 143, and 25 are not open on the 41.58.X.104 IP address. The only port that seems to be open is the telnet port, and I wonder why.
Also, I noticed that when I issue a telnet command to the Exchange server from the router, it fails to connect. What exactly am I doing wrong?
Kindly help intervene.
I have attached the relevant configs.
Also note that NATting is done on the router and not the ASA.
The ASA has "no nat-control" configured on it.

Regards

 Exchange-Server-Scenario.vsd ASA.txt Router.txt
Question by:salvatorepp

Accepted Solution

by:
jmeggers earned 2000 total points
ID: 35719628
I'm not an Exchange expert, but I did find the following on http://support.microsoft.com/kb/176466:  

"The ports that IMAP4 clients use when accessing messages on an Exchange Server computer depend on the authentication method in use. With Basic or NTLM authentication and TCP, the IMAP4 server listens on TCP port 143 for any incoming connection requests from IMAP4 clients for message download and retrieval. If SSL authentication is used, however, the port on which the Exchange Server computer listens is TCP port 993. Router and firewall setups should therefore take into consideration the access to TCP port 143 or TCP port 993 when this protocol is a supported feature for messaging."  

Might be worth testing out.

One other comment, which does not explain your trouble, is that your outside_in ACL does no good applied inbound on the DMZ interface. It's specifically for traffic destined for host 172.19.20.2, an address that's on the segment hanging off that interface. So nothing coming from that segment should ever be destined for the 172.19.20.2 host.
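
A reachability check for the ports discussed in this thread, added here as an example and not part of the original question or answer. It separates "refused" from "no reply", which helps show whether a forwarded port reaches a host at all. The function names `probe` and `check`, the hint wording and the default target are assumptions made for the example.

```python
import socket
import sys

# Ports named in the thread: 25, 143 and 443 in the question, 993 in the quoted KB text.
THREAD_PORTS = {25: "SMTP", 143: "IMAP4", 443: "HTTPS", 993: "IMAP4 over SSL"}

# Usual reading of each outcome (a troubleshooting hint, not proof of the cause).
HINTS = {
    "open": "handshake completed, so forwarding and filtering allow this port",
    "refused": "a reset came back, so the packet arrived but nothing accepted it",
    "filtered": "no reply, so it was dropped on the path (ACL or no translation)",
}


def probe(host, port, timeout=3.0):
    """Try one TCP connect and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # e.g. host unreachable or name resolution failure
        return "error: " + (exc.strerror or str(exc))


def check(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe every port and return {port: (state, hint)}."""
    results = {}
    for port in sorted(ports):
        state = probe(host, port, timeout)
        results[port] = (state, HINTS.get(state, "see the error text"))
    return results


if __name__ == "__main__":
    # Constructed default: with no argument the script probes the local machine.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (state, hint) in check(target).items():
        print(f"{port:>5} {THREAD_PORTS.get(port, ''):<15} {state:<9} {hint}")
```

Run it once from a host on the internet against the public address and once from the inside network against the server, then compare the two results.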
Question has a verified solution.
