  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437

Cisco ASA 5505 Active Sync and OWA page

Hello,

I am replacing an old Linksys with a less old Cisco ASA 5505.  I have the ASA partially working how I want.  The issue I am having is that I can't hit my OWA page from inside the network, and my ActiveSync won't work inside the network.  Both of these services are working from outside the network.  Please tell me how to get these services working from inside my network as well.  Below is my running config.

TIA

ASA Version 9.2(2)4
!
hostname ciscoasa
enable password <removed>
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 allow-ssc-mgmt
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network RDP_SERVER
 host 192.168.1.7
object network OLD_SMTP
 host 192.168.1.7
 description Old Server b4 migration
object network HTTPS_SERVER
 host 192.168.1.7
object network HTTP_Server
 host 192.168.1.7
object-group service RDP tcp
 description MS Remote Desktop Protocol
 port-object eq 3389
object-group service Alt_SMTP tcp
 description alternate port for incoming mail
 port-object eq 2525
access-list outside_access_in extended permit tcp any4 object RDP_SERVER object-group RDP
access-list outside_access_in extended permit tcp any4 object HTTPS_SERVER eq https
access-list outside_access_in extended permit tcp any4 object OLD_SMTP object-group Alt_SMTP
access-list outside_access_in extended permit tcp any4 object HTTP_Server eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network RDP_SERVER
 nat (any,outside) static interface service tcp 3389 3389
object network OLD_SMTP
 nat (inside,outside) static interface
object network HTTP_Server
 nat (any,outside) static interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.0.0 255.255.248.0 inside
http 192.168.1.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 172.16.0.0 255.255.248.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username <removed>
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:d7a44deb769a6c5d027b5a7edf217d6d
: end
Asked:
Zorniac
1 Solution
 
Gareth Gudger Commented:
Both of these services are working from outside the network.  Please tell me how to get these services working from inside my network as well.  Below is my running config

The firewall shouldn't come into play here. Internally these devices should be going directly to Exchange.

I would check how you have DNS configured internally. Do you have split-brain DNS configured?

Also, need to know the version of Exchange you are on.
 
Zorniac (Author) Commented:
Hi Gareth,

Yup, thanks, that was it.  I could have sworn I created the new zone.  However, I in fact didn't, and once I did that, made my records, and flushed my DNS cache, it all started working.

So why does a Linksys router work without my split-dns, but an ASA doesn't?
 
Gareth Gudger Commented:
Chances are the Cisco router blocks egress and the Linksys does not.

So, everything is good?
 
Zorniac (Author) Commented:
Yes sir, all is good.  Thank you for your help.
 
Gareth Gudger Commented:
Glad to help!
0
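A check for the split-DNS fix that resolved this thread, added here as an example and not code from any poster: it parses an internal zone file and confirms that each Exchange hostname resolves to an address inside the ASA's inside network (192.168.1.0/24, from the posted config). The zone contents, the example.com hostnames and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress

# From the posted config: the ASA inside network (interface Vlan1).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample: example.com names and 203.0.113.10 are placeholders.
INTERNAL_ZONE = """\
$ORIGIN example.com.
@     IN SOA   ns1 hostmaster 1 3600 600 86400 300
mail  IN A     192.168.1.7     ; Exchange host from the posted config
owa   IN CNAME mail
sync  IN A     203.0.113.10    ; public address left in the internal zone
"""
REQUIRED = ["mail.example.com", "owa.example.com",
            "sync.example.com", "legacy.example.com"]

def parse_zone(text):
    """Return {fqdn: (type, value)} for A and CNAME records (relative owner names)."""
    origin, records = "", {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()          # drop comments
        if len(fields) >= 2 and fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
        elif len(fields) >= 4 and fields[1] == "IN" and fields[2] in ("A", "CNAME"):
            name, rtype, value = fields[0], fields[2], fields[3]
            if rtype == "CNAME" and not value.endswith("."):
                value = f"{value}.{origin}"          # relative CNAME target
            fqdn = origin if name == "@" else f"{name}.{origin}"
            records[fqdn] = (rtype, value.rstrip("."))
    return records

def audit_split_dns(zone_text, names, inside_net=INSIDE_NET):
    """Classify each name as ok, external or missing in the internal zone."""
    records, result = parse_zone(zone_text), {}
    for name in names:
        target, hops = name, 0
        while records.get(target, ("", ""))[0] == "CNAME" and hops < 8:
            target, hops = records[target][1], hops + 1   # follow CNAME chain
        rtype, value = records.get(target, ("", ""))
        if rtype != "A":
            result[name] = "missing"     # no internal record for this name
        elif ipaddress.ip_address(value) in inside_net:
            result[name] = "ok"          # inside clients go straight to the server
        else:
            result[name] = "external"    # answer points outside the inside network
    return result

if __name__ == "__main__":
    for host, status in audit_split_dns(INTERNAL_ZONE, REQUIRED).items():
        print(f"{host:22} {status}")
```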
