topic Hi Tim, in Network Security

Not able to access my Exchange server from outside on new ASA-5516

Ken C. Musk — Tue, 26 Mar 2019 00:58:38 GMT

I have a new 5516 ASA that I am trying to get working with our internal Exchange server. For some reason it only works internally. I am not able to hit: https://mail.mydomain.com from the outside.

I have read through the different types of NAT rules and thought I understood, but guess I don't. Anyone able to help out?

My Exchange server has a static NAT for outside use in my subnet so I do not have to my outside interface.

I removed real outside IPs with x.x.x.x and copied the important parts over from the running-config.

AMS-ASA-5516# sho run
: Saved

:
: Serial Number: JAD193800D9
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.5(1)
!
hostname AMS-ASA-5516
domain-name ams.int
enable password ml/91DiSZjZ9eqWz encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ml/91DiSZjZ9eqWz encrypted
names
ip local pool AMS-VPN-POOL 10.10.4.1-10.10.4.200 mask 255.255.255.0
ip local pool AMS-TEST-VPN-POOL 172.16.1.1-172.16.1.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.41.188 255.255.252.0
!
interface GigabitEthernet1/3
description Gift-Store-VLAN
nameif VLAN110
security-level 50
ip address 10.110.110.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.40.23
name-server 10.10.40.24
name-server 8.8.8.8
domain-name ams.int
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network AMS-FOX-CAMERA
host 10.10.40.44
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.255.0
object network AMS-INSIDE-SUBNET
subnet 10.10.40.0 255.255.252.0
object network AMS-VPN-HOSTS
subnet 10.10.4.0 255.255.255.0
object network AMS-TEST-VPN-HOSTS
subnet 172.16.1.0 255.255.255.0
object network VLAN110
subnet 10.110.110.0 255.255.255.0
object network EXCHANGE-EXTERNAL-IP
host x.x.x.x
object network AMS-EXCHANGE
host 10.10.40.4
object network EXCHANGE-WWW
host 10.10.40.4
object network EXCHANGE-SMTP
host 10.10.40.4
object network EXCHANGE-HTTPS
host 10.10.40.4
object-group network TIX_SERVERS
network-object host 10.10.40.21
network-object host 10.10.40.22
network-object host 10.10.40.25
access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit icmp any any time-exceeded
access-list outside-acl extended permit icmp any any unreachable
access-list outside-acl extended permit ip 10.10.4.0 255.255.255.0 any
access-list outside-acl extended permit tcp any host x.x.x.x eq 8001
access-list outside-acl extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside-acl extended permit tcp any host x.x.x.x eq smtp
access-list outside-acl extended permit tcp any host x.x.x.x eq www
access-list outside-acl extended permit tcp any host x.x.x.x eq https
access-list inside-acl extended permit tcp host 10.10.40.5 any eq smtp
access-list inside-acl extended permit ip any any
access-list inside-acl extended permit tcp any any eq 69
access-list inside-acl extended permit ip 10.10.40.0 255.255.252.0 interface outside
access-list inside-acl extended permit tcp any any eq https
access-list inside-acl extended permit ip 172.16.1.0 255.255.255.0 10.10.40.0 255.255.252.0
access-list AMS-SPLIT-TUNNEL standard permit 10.10.40.0 255.255.252.0
access-list AMS-SPLIT-TUNNEL standard permit 10.44.22.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 10.44.24.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 216.27.79.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm errors
logging queue 0
mtu outside 1500
mtu inside 1500
mtu VLAN110 1500
ip audit info action drop
ip audit attack action reset
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any unreachable inside
icmp permit any echo inside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (VLAN110,outside) source dynamic VLAN110 interface
nat (inside,outside) source static AMS-INSIDE-SUBNET AMS-INSIDE-SUBNET destination static AMS-VPN-HO
STS AMS-VPN-HOSTS no-proxy-arp route-lookup
nat (inside,outside) source static AMS-INSIDE-SUBNET AMS-INSIDE-SUBNET destination static AMS-TEST-V
PN-HOSTS AMS-TEST-VPN-HOSTS no-proxy-arp route-lookup
nat (inside,outside) source dynamic AMS-INSIDE-SUBNET interface
!
object network AMS-FOX-CAMERA
nat (inside,outside) static x.x.x.x
object network AMS-EXCHANGE
nat (inside,outside) static x.x.x.x
object network EXCHANGE-WWW
nat (inside,outside) static x.x.x.x service tcp www www
object network EXCHANGE-SMTP
nat (inside,outside) static x.x.x.x service tcp smtp smtp
object network EXCHANGE-HTTPS
nat (inside,outside) static x.x.x.x service tcp https https
access-group outside-acl in interface outside
access-group inside-acl in interface inside
route inside 10.10.10.0 255.255.255.0 10.10.40.1 128 track 10
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.10.1.0 255.255.255.0 10.10.40.1 1
route inside 10.44.22.0 255.255.255.0 10.10.40.1 1
route inside 10.44.24.0 255.255.255.0 10.10.40.1 1

Thanks,

Ken~

Hi,

Tim Y — Thu, 12 May 2016 03:41:11 GMT

Hi,

I'm not sure I'm understanding your setup necessarily, however I'll make some assumptions and we can go from there. I am assuming 10.10.40.4 is the IP address of the Exchange server, and X.X.X.X is the static NAT IP you are assigning to it.

In this case, you can configure it this way:

object network EXCHANGE-EXTERNAL-IP
host x.x.x.x

object network AMS-EXCHANGE
host 10.10.40.4

object-group service EXCHANGE-PORTS ! include whatever you need

service-object tcp destination eq 80

service-object tcp destination eq 443

service-object tcp destination eq 25

nat (inside,outside) source static AMS-EXCHANGE EXCHANGE-EXTERNAL-IP

access-list outside-acl line 1 permit object-group EXCHANGE-PORTS any object AMS-EXCHANGE

Also, your ASA needs a route back to 10.10.40.X subnet. I don't know if it's missing or if you just didn't include it.

Hope this helps!

Regards,

Tim

Hi Tim,

Ken C. Musk — Thu, 12 May 2016 13:52:30 GMT

Hi Tim,

I added what you suggested and think that may work. I am not able to test until after hours, so will test again tonight.

Yeah I do have a route back to my inside network. I am able to get everything working, just not OWA, but learning a lot on how to configure an ASA especially the new NAT way.

Thanks,

Ken~

Hi Ken,

Tim Y — Thu, 12 May 2016 15:10:49 GMT

Hi Ken,

Let me know how the testing goes. Make certain to remove any previous NAT's for the Exchange server that might overlap as they can conflict and possibly prevent the new NAT you added from working.

Regards,

Tim

Please don't forget to rate useful posts and mark answers as correct

Hi Tim,

Ken C. Musk — Fri, 13 May 2016 01:29:53 GMT

Hi Tim,

Still doesn't work, but I am getting hits on my nat rule now:

(inside) to (outside) source static AMS-EXCHANGE EXCHANGE-EXTERNAL-IP
translate_hits = 93, untranslate_hits = 0

Where as before I wasn't even getting that. I am thinking it could be one of the following now:

I need to add our certificate to the new ASA

Something in our barracuda spam filter needs to change, but really don't think so as the IP address is not changing.

I am not changing anything on the Exchange Server, just replacing the ASA. Our old ASA is running the old 8.2 code, so I was not able to just copy it over.

I will have to explore more tomorrow, but happy I was able to get this far with your help 🙂

Ken~

Hi,

Tim Y — Fri, 13 May 2016 02:16:16 GMT

Hi,

Glad to hear you're making progress. I didn't realize we were talking about pre 8.3 code. In that case, the ACL rule I provided needs to change as well to:

access-list outside-acl line 1 permit object-group EXCHANGE-PORTS any object EXCHANGE-EXTERNAL-IP

Please make that change and test again. Ensure that you're testing from an external internet connection and that any NAT rules that are overlapping with the new rule are removed.

If it is not working still, then check if there are hits on the new ACL rule. If there are not, then you can set up a packet capture to see what the drop reason is.
If there are hits, then set up a packet trace to debug all the steps and make sure it's getting through.
If that test passes, then something else past the firewall could be blocking the connection.

Regards,

Tim

Hi Tim,

Ken C. Musk — Fri, 13 May 2016 13:38:28 GMT

Hi Tim,

Uhh sorry didn't mean this was the correct answer and no clue how to undo it. 😞

My old ASA which is still in production is on the old code, while the new ASA I am trying to get into production is on the new 9.1 code.

After I made the change yesterday I started getting users saying email was slow when accessing from "Outside" my network, mainly on mobile devices. As soon as I shut the port down on the new ASA the problem went away. Thinking because I as asymmetrical routing going on since both ASA's were up and hosting the same Exchange IP. The new and old ASA have different outside IP address. This way I can have both up next to each other as I migrate over. When I do my testing at night, I just change my default route on my Gateway switch to point to the new ASA.

Below is my current config now:

hostname AMS-ASA-5516
domain-name ams.int
enable password ml/91DiSZjZ9eqWz encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ml/91DiSZjZ9eqWz encrypted
names
ip local pool AMS-VPN-POOL 10.10.4.1-10.10.4.200 mask 255.255.255.0
ip local pool AMS-TEST-VPN-POOL 172.16.1.1-172.16.1.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.33 255.x.x.x
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.41.188 255.255.252.0
!
interface GigabitEthernet1/3
description Gift-Store-VLAN
nameif VLAN110
security-level 50
ip address 10.110.110.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.40.23
name-server 10.10.40.24
name-server 8.8.8.8
domain-name ams.int
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network AMS-FOX-CAMERA
host 10.10.40.44
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.255.0
object network AMS-INSIDE-SUBNET
subnet 10.10.40.0 255.255.252.0
object network AMS-VPN-HOSTS
subnet 10.10.4.0 255.255.255.0
object network AMS-TEST-VPN-HOSTS
subnet 172.16.1.0 255.255.255.0
object network VLAN110
subnet 10.110.110.0 255.255.255.0
object network EXCHANGE-EXTERNAL-IP
host x.x.x.31
object network AMS-EXCHANGE
host 10.10.40.4
object-group network TIX_SERVERS
network-object host 10.10.40.21
network-object host 10.10.40.22
network-object host 10.10.40.25
object-group service EXCHANGE-PORTS
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq smtp
service-object tcp destination eq pop3
service-object tcp destination eq 102
service-object tcp destination eq 103
service-object tcp destination eq 5993
service-object tcp destination eq 8001

****Pretty sure this is not needed, but I added just to see****
access-list outside-acl extended permit object-group EXCHANGE-PORTS any object EXCHANGE-EXTERNAL-IP

****This is what you had me add****
access-list outside-acl extended permit object-group EXCHANGE-PORTS any object AMS-EXCHANGE

access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit icmp any any time-exceeded
access-list outside-acl extended permit icmp any any unreachable
access-list outside-acl extended permit ip 10.11.11.0 255.255.255.0 object-group TIX_SERVERS
access-list outside-acl extended permit ip 10.10.4.0 255.255.255.0 any
access-list outside-acl extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside-acl extended permit tcp any host x.x.x.141 eq 8001
access-list inside-acl extended permit tcp host 10.10.40.5 any eq smtp
access-list inside-acl extended permit ip any any
access-list inside-acl extended permit tcp any any eq 69
access-list inside-acl extended permit ip 10.10.40.0 255.255.252.0 interface outside
access-list inside-acl extended permit tcp any any eq https
access-list inside-acl extended permit ip 172.16.1.0 255.255.255.0 10.10.40.0 255.255.252.0

access-list AMS-SPLIT-TUNNEL standard permit 10.10.40.0 255.255.252.0
access-list AMS-SPLIT-TUNNEL standard permit 10.44.22.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 10.44.24.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 216.27.79.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0

pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm errors
logging queue 0
mtu outside 1500
mtu inside 1500
mtu VLAN110 1500
ip audit info action drop
ip audit attack action reset
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any unreachable inside
icmp permit any echo inside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

nat (VLAN110,outside) source dynamic VLAN110 interface

nat (inside,outside) source static AMS-INSIDE-SUBNET AMS-INSIDE-SUBNET destination static AMS-VPN-HOSTS AMS-VPN-HOSTS no-proxy-arp route-lookup

nat (inside,outside) source static AMS-INSIDE-SUBNET AMS-INSIDE-SUBNET destination static AMS-TEST-VPN-HOSTS AMS-TEST-VPN-HOSTS no-proxy-arp route-lookup

nat (inside,outside) source static AMS-EXCHANGE EXCHANGE-EXTERNAL-IP
!
object network AMS-FOX-CAMERA
nat (inside,outside) static 71.81.16.141
!
nat (inside,outside) after-auto source dynamic AMS-INSIDE-SUBNET interface
access-group outside-acl in interface outside
access-group inside-acl in interface inside
route inside 10.10.10.0 255.255.255.0 10.10.40.1 128 track 10
route outside 0.0.0.0 0.0.0.0 x.x.x.29 1
route inside 10.10.1.0 255.255.255.0 10.10.40.1 1
route inside 10.44.22.0 255.255.255.0 10.10.40.1 1
route inside 10.44.24.0 255.255.255.0 10.10.40.1 1

Ken~

Oh... I didn't know you were

Tim Y — Fri, 13 May 2016 14:49:14 GMT

Oh... I didn't know you were trying to have both running and migrate over. Yeah as you say it is asymmetrical and you can't do that. Firewalls are stateful. If you connect to Exchange from the outside of the new ASA, the Exchange server will route out the other firewall as the network dictates. And since there is no state on this firewall, it will drop the traffic.

Now that the new ASA is correctly configured, you just have to cut over DNS and routing so that only the new ASA is used. If testing goes well then you're done. Otherwise you can just roll back.

Regards,

Tim

Hi Tim,

Ken C. Musk — Fri, 13 May 2016 15:04:35 GMT

Hi Tim,

I did make the cut last night after hours, but still was not able to get https://mail.mycompany.com to work. I guess I don't see how DNS has to change as nothing IP wise is changing..?

On my Gateway switch I just change the default route to point to the new "Inside" interface of the new ASA when I want to fully test.

I even went as far as changing my old ASA outside IP and put it on the new ASA outside IP address. I shut the outside interface down on the old ASA first to not have it overlap, but still didn't fix my issue.

Ken~

Hi Ken,

Tim Y — Fri, 13 May 2016 15:40:59 GMT

Hi Ken,

You had a different public IP address on the new ASA. mail.mycompany.com resolves to the IP address on the old ASA. So if you're using the new IP address, you need to update your external DNS record for mail.mycompany.com.

If you decide to transfer the IP address of the old ASA to the new ASA, then you may have to wait because your default gateway (the ISP) has an ARP entry cached for your old ASA. It thinks X.X.X.X belongs to old ASA MAC. Once that ARP entry times out and it ARP's again, then you would be back in business.

The ASA looks configured properly to me, but that's based on the context that I have. Every time you reply, I learn something new about the network topology. At this point, it's just a matter of analyzing the situation carefully and testing.

Regards,

Tim

Hi Tim,

Ken C. Musk — Fri, 13 May 2016 15:41:00 GMT

Hi Tim,

Forgive me for not understanding, but let me explain how this is setup.

The "Old" ASA has an outside IP of: x.x.x.133

The "New" ASA has an outside IP of: x.x.x.136

The "Exchange" has an outside IP of: x.x.x.131 and this has not changed from old ASA to new ASA.

I get the concept of arp cache needing to clear out, but the Exchange server IP has not changed, so why would the provider need to clear its arp cache out..?

Is it because the provider see's that its connected to .133 and knows to push .131 traffic there for mail?

I would LOVE, LOVE, LOVE if this were an arp cache issue. I can test this theory out on Sunday as events are going on this Sat. I will set it backup so the new ASA is working and wait to see if the arp cache clears out by Monday morning. If not, I can have someone there reboot the providers equipment.

I am not local so can't do it myself 😞

Thanks for sticking with me on this, learning way more than just reading books 🙂

Ken~

Hi,

Tim Y — Fri, 13 May 2016 16:10:07 GMT

Hi,

It's because of proxy ARP. Your Exchange public IP doesn't physically exist anywhere so something has to respond for it. That something is your ASA.

You wouldn't have this issue though if you used a different public IP for Exchange on the new ASA.

It's hard to say if that's the issue or just one of as I don't have full visibility however it's certainly something to keep in mind.

What I would suggest is taking a step back and validating everything step by step.

Please rate the useful posts so others can benefit as well.

Regards,

Tim

Ahh okay that makes sense to

Ken C. Musk — Fri, 13 May 2016 16:10:39 GMT

Ahh okay that makes sense to me now 🙂 Learning how everything is getting tied together.

I will let you know Sunday/Monday what happens.

The location in question is a 4.5hr drive for me and I am down there a few times a year when needed for on-site support. If not, we have remote tools setup to do most of the work. Will kick myself if its an arp issue as I was just there last week to test this at night, and could have rebooted the providers equipment then.

Again thank you for all the help.

Ken~

Hi Tim,

Ken C. Musk — Mon, 16 May 2016 12:58:19 GMT

Hi Tim,

I made the cut last night by changing my default route to point to the new inside ASA. Then shutdown the outside of the old ASA. Waited a few hours and boom! My https://mail.mycompany.com started to work.

I tried to get a hold of the provider to have them bounce their equipment, but the tech didn't want to, so I just waited for the arp cache the clear.

Thank you again for all the help 🙂

Ken~

Beautiful. You're welcome,

Tim Y — Mon, 16 May 2016 16:23:43 GMT

Beautiful. You're welcome, have a great week!

Regards,

Tim

Please rate useful posts and mark answers as correct.