topic Re: ASA5505 trouble opening port 443 for remote users Groupwise in Network Security

ASA5505 trouble opening port 443 for remote users Groupwise WebAccess

thomas.estes — Mon, 11 Mar 2019 10:26:36 GMT

We have a GroupWise server running WebAccess sitting behind ASA5505. I have opened port 25 and can send and recieve emails but can't get access to WebAccess. I can internally at https://192.168.1.50/servlet/webacc and everything is running fine. But when I try it externally via https://66.64.x.x/servlet/webacc I have no luck.

Below is the relevant setup information.

interface Vlan1

mac-address 0012.3f7f.9876

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description NuVox T1

nameif outside

security-level 0

ip address 66.64.x.x 255.255.255.248

interface Ethernet0/0

switchport access vlan 2

access-list out2in extended permit tcp any any eq smtp

access-list out2in extended permit tcp any any eq https

access-list out2in extended permit tcp any any eq 9850

access-list out2in extended permit tcp any any eq 1677

access-list out2in extended permit tcp any any eq 7205

access-list out2in extended permit udp any any eq 443

access-list out2in extended permit udp any any eq 9850

access-list out2in extended permit udp any any eq 1677

access-list out2in extended permit udp any any eq 7205

static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255

static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255

static (inside,outside) udp interface 9850 192.168.1.50 9850 netmask 255.255.255.255

static (inside,outside) udp interface 1677 192.168.1.50 1677 netmask 255.255.255.255

static (inside,outside) udp interface 7205 192.168.1.50 7205 netmask 255.255.255.255

access-group out2in in interface outside

route outside 0.0.0.0 0.0.0.0 66.64.x.x 1

Re: ASA5505 trouble opening port 443 for remote users Groupwise

acomiskey — Thu, 07 Jun 2007 14:45:37 GMT

It's tcp, not udp

static (inside,outside) udp interface 443 192.168.1.50 443 netmask 255.255.255.255

access-list out2in extended permit udp any any eq 443

should be...

static (inside,outside) tcp interface 443 192.168.1.50 443 netmask 255.255.255.255

access-list out2in extended permit tcp any any eq 443

also you can limit your destination in your acl to the outside interface address which is much more secure.

access-list out2in extended permit tcp any host 66.64.x.x eq 443

please rate if it helps.

Re: ASA5505 trouble opening port 443 for remote users Groupwise

thomas.estes — Thu, 07 Jun 2007 15:15:25 GMT

Ok, I deleted the UDP record, and I changed the ACL rule. Still no luck.

I did some digging around around and looked at how the last router was set up and came up with an issue.

We are on a T1 line with a static IP. I have assigned that IP to the outside interface. The ISP has a default gateway which I have routed "outside" to via:

route outside 0.0.0.0 0.0.0.0 66.64.170.y 1

but when I check the IP of the outside interface it is not the static IP that I assigned but is now 66.64.170.z

I see that the old router had a routing rule, but I can't seem to emulate this as there is no default gateway.

Re: ASA5505 trouble opening port 443 for remote users Groupwise

acomiskey — Thu, 07 Jun 2007 15:26:48 GMT

That table shows...

66.64.170.16/29 connected WAN

66.64.170.17 default gateway

192.168.1.0/24 connected LAN

What is the outside ip of the old router? I'm not sure what you mean by, "it is not the static ip that I assigned".

Re: ASA5505 trouble opening port 443 for remote users Groupwise

thomas.estes — Thu, 07 Jun 2007 15:51:05 GMT

interface Vlan2

description NuVox T1

nameif outside

security-level 0

ip address 66.64.170.18 255.255.255.248

x.x.x.18 is the static IP that I assigned to "outside"

I then do:

route outside 0.0.0.0 0.0.0.0 66.64.170.17 1

to point to the wan gateway.

But it appears that the outside interface is being mapped to 66.64.170.16.

I am confused as I need to translate 66.64.170.18 which is our mx record and points to our internal hosted server. But I have no NAT or routes for the 66.64.170.16 address that appears to be assigned to the outside interface when all along I thought it was 66.64.170.18.

The old router did this but I am not able to duplicate it on the asa5505, do mostly to my ignorance. Thanks for you time and patients.

Re: ASA5505 trouble opening port 443 for remote users Groupwise

acomiskey — Thu, 07 Jun 2007 16:03:34 GMT

"But it appears that the outside interface is being mapped to 66.64.170.16."

.16 is the network address, it is not a host address. It will not be an address on your asa.

66.64.170.16/29

.16 = network address

.17

.18

.19

.20

.21

.22

.23 = broadcast address

All that route table is telling you is that the 66.64.170.16/29 network is attached to the WAN interface, NOT that .16 is the external address.

Re: ASA5505 trouble opening port 443 for remote users Groupwise

thomas.estes — Thu, 07 Jun 2007 16:16:07 GMT

Ok.

I have to route:

route outside 0.0.0.0 0.0.0.0 66.64.170.17 1

or I have no internet access. Do I need the other route to .16 that was set up on the previous router?

Re: ASA5505 trouble opening port 443 for remote users Groupwise

acomiskey — Thu, 07 Jun 2007 16:21:30 GMT

No, there is no need to route to .16, for one this is not a host and two the .16/29 network is directly attached to the pix. You should be good to go then, .17 is your gateway, .18 is outside of ASA.

Re: ASA5505 trouble opening port 443 for remote users Groupwise

thomas.estes — Thu, 07 Jun 2007 16:23:06 GMT

But I am still unable to connect. Follow steps above. How can I troubleshoot or log further?

Re: ASA5505 trouble opening port 443 for remote users Groupwise

acomiskey — Thu, 07 Jun 2007 16:25:32 GMT

Are you sure .17 is gateway? You can get to the internet? Post your new config with changes made.

Re: ASA5505 trouble opening port 443 for remote users Groupwise

thomas.estes — Thu, 07 Jun 2007 16:32:14 GMT

Yes. .17 Is gateway confirmed with ISP. I can get to the internet (posting here from behind router).

I ran log and I do not see any translation going from .18 to 192.168.1.50

Result of the command: "show running-config"

: Saved

ASA Version 7.2(2)

hostname ASA5505

domain-name amcinc.us

enable password 8aPd93D5bXaT2fFZ encrypted

names

interface Vlan1

mac-address 0012.3f7f.9876

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

description NuVox T1

nameif outside

security-level 0

ip address 66.64.170.18 255.255.255.248

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

domain-name amcinc.us

access-list out2in extended permit tcp any any eq smtp

access-list out2in extended permit tcp any any eq https

access-list out2in extended permit tcp any any eq 9850

access-list out2in extended permit tcp any any eq 1677

access-list out2in extended permit tcp any any eq 7205

access-list out2in extended permit udp any any eq 9850 inactive

access-list out2in extended permit udp any any eq 1677 inactive

access-list out2in extended permit udp any any eq 7205 inactive

pager lines 24

logging enable

logging asdm informational

logging from-address thomas.estes@amcinc.us

logging recipient-address thomas.estes@amcinc.us level errors

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0