topic Re: Outlook web access over pix firewall in Network Security

Outlook web access over pix firewall

jeric_saldua — Fri, 21 Feb 2020 08:10:41 GMT

Hi Firewall Guru,

Anybody here can help me to set-up my cisco firewall to work for external outlook web access.I have changed some parameters and make it run internally.. however I can not access it externally.

This means, when I open outlook web access on our lan it works, but when I try to open it via internet ISP I can't open it.. "page can not be found"

Pls advice how did you resolved it thru pix firewall configuration if any of you encountered the same.

Any help is greatly appreciated.

Best Regards,

Jeric

Re: Outlook web access over pix firewall

froggy3132000 — Sun, 29 May 2005 00:16:45 GMT

post your config

Re: Outlook web access over pix firewall

jeric_saldua — Sun, 29 May 2005 02:00:12 GMT

Hi,

pls find attached files.. hope you can help me on this.. right now.. i dont have problem on my internet, everything is ok.. mail server is ok.. when I access outlook web access internally no problem as well, my only problem is I can not open it outside our network.. but i can ping it from the outside.. which means the public ip address for my mail server is reachable from the outside.

hope you can help me on this.

regards,

jeric

Re: Outlook web access over pix firewall

a.alekseev — Sun, 29 May 2005 03:06:01 GMT

pls add the following

access-list ACL_OUT permit tcp any host 2xx.1xx.xxx.xx6 eq 443

ip address outside 2xx.1xx.xxx.xx6 255.255.255.252

static (inside,outside) tcp interface 443 192.168.1.4 443 netmask 255.255.255.255 0 0

access-group ACL_OUT in interface outside

Re: Outlook web access over pix firewall

jeric_saldua — Mon, 30 May 2005 02:35:20 GMT

Hi,

thanks so much for your prompt response..I follow your suggested changes and tested it.. however it still not working..

pls check the config below.

names

name 192.168.1.4 inside_mail_server

access-list 101 permit ip 192.168.1.80 255.255.255.240 any

access-list 101 permit ip any 192.168.1.80 255.255.255.240

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq smtp

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq pop3

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq https

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq www

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq 135

access-list ACL_OUT deny udp any any eq 1214

access-list ACL_OUT deny tcp any any eq 5000

access-list ACL_OUT deny tcp any any eq 11999

access-list ACL_OUT deny udp any any eq 5010

access-list ACL_OUT deny tcp any any eq 1214

access-list ACL_OUT deny tcp any any eq 1863

access-list outside_cryptomap_dyn_30 permit ip any 192.168.1.80 255.255.255.240

pager lines 24

ip address outside 2xx.1xx.1xx.2xx 255.255.255.252

ip address inside 192.168.1.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN_POOL 192.168.1.81-192.168.1.94

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp inside_mail_server smtp netmask 255.2

55.255.255 0 0

static (inside,outside) tcp interface pop3 inside_mail_server pop3 netmask 255.2

55.255.255 0 0

static (inside,outside) tcp interface https inside_mail_server https netmask 255

.255.255.255 0 0

access-group ACL_OUT in interface outside

Hope you could guide on how to resolve it.. additional information. I use 1 ip address only for outside xlation at the same time am using it for static mapping for my mail server inside.

I will look forward for your kind response.

Thank you so much.

Jeric

Re: Outlook web access over pix firewall

a.alekseev — Mon, 30 May 2005 03:48:42 GMT

Did you try "clear xlate" after making some changes?

Re: Outlook web access over pix firewall

jeric_saldua — Mon, 30 May 2005 04:12:00 GMT

Hi,

I did. but still page can not be displayed.

Thanks,

jeric

Re: Outlook web access over pix firewall

a.alekseev — Mon, 30 May 2005 04:29:48 GMT

How did you check it?

Re: Outlook web access over pix firewall

jeric_saldua — Mon, 30 May 2005 05:17:17 GMT

Hi,

My collegue is working at home and he is the one who is testing it. he test it by doing this > open internet explorer and on the address bar he type http:2xx.1xx.xxx.xx6/exchange (ip address for outlook web access). "page can not be displayed" . But he can ping the ip address.

Thanks for your kind assistance, I really appreciate your help.

Regards,

Jeric

Re: Outlook web access over pix firewall

a.alekseev — Mon, 30 May 2005 06:41:36 GMT

use HTTPS

https://2xx.1xx.xxx.xx6/exchange

Re: Outlook web access over pix firewall

jeric_saldua — Mon, 30 May 2005 07:18:28 GMT

Hi,

thanks again for your prompt response.. I just try it but to no avail. same error...

regards

jeric

Re: Outlook web access over pix firewall

a.alekseev — Mon, 30 May 2005 07:39:15 GMT

could you show

"sh access-list ACL_OUT"

do you see any macthes for "access-list ACL_OUT permit tcp any host 2xx.1xx.xxx.xx6 eq https"?

Re: Outlook web access over pix firewall

jeric_saldua — Mon, 30 May 2005 08:30:27 GMT

Hi,

There's matches, but I think the matches came from internal users who access it on our LAN.

pls check below.

Firewall# sh access-list ACL_OUT

access-list ACL_OUT; 11 elements

access-list ACL_OUT line 1 permit tcp any host 2xx.1xx.xxx.xx6 eq smtp (hitcnt=4

71)

access-list ACL_OUT line 2 permit tcp any host 2xx.1xx.xxx.xx6 eq pop3 (hitcnt=0

)

access-list ACL_OUT line 3 permit tcp any host 2xx.1xx.xxx.xx6 eq https (hitcnt=

19)

access-list ACL_OUT line 4 permit tcp any host 2xx.1xx.xxx.xx6 eq www (hitcnt=0)

access-list ACL_OUT line 5 permit tcp any host 2xx.1xx.xxx.xx6 eq 135 (hitcnt=0)

access-list ACL_OUT line 6 deny udp any any eq 1214 (hitcnt=0)

access-list ACL_OUT line 7 deny tcp any any eq 5000 (hitcnt=0)

access-list ACL_OUT line 8 deny tcp any any eq 11999 (hitcnt=0)

access-list ACL_OUT line 9 deny udp any any eq 5010 (hitcnt=0)

access-list ACL_OUT line 10 deny tcp any any eq 1214 (hitcnt=0)

access-list ACL_OUT line 11 deny tcp any any eq 1863 (hitcnt=0)

thanks

Re: Outlook web access over pix firewall

a.alekseev — Mon, 30 May 2005 09:15:22 GMT

on 192.168.1.4 could you show

"ipconfig /all"

Re: Outlook web access over pix firewall

jmia — Tue, 31 May 2005 06:36:37 GMT

Jeric,

Q. On your internal exchange server have you created a CA (Certificate Authority) for SSL authentication? As traffic is reaching your outside interface of pix for port 443.

And I presume you have the apporiate static translation setup for this traffic?

Jay

Re: Outlook web access over pix firewall

jeric_saldua — Tue, 31 May 2005 11:59:55 GMT

Hi Jay,

thanks so much for participating on this conversation. in response to your querry, yes... I already created a CA for SSL authentication. just wondering why it is not working.. internally its ok the Outlook web access is working.. however those external user can not access it.. I have a good static translation created for my mail server and the public ip address i used is pingable over the internet..

I try to figure this out by checking microsoft website what else ports needed to be open.. but to date still couldnt find it.

any help on resolving this is greately appreciated.

Best Regards,

Jeric

Re: Outlook web access over pix firewall

jmia — Tue, 31 May 2005 12:05:59 GMT

Jeric,

OK, can you post to me your full pix config (take out any sensitive info), either here or to: jmia@ohgroup.co.uk

I'll take a closer look at it for you, I only deployed OWA for a customer of mine only last week using SSL via pix on port 443 and it is working fine.

Jay

Re: Outlook web access over pix firewall

jeric_saldua — Tue, 31 May 2005 14:10:00 GMT

Hi Jay,

pls find below config for your kind review.

hope you could help me resolve it.. i also send you a copy thru email.

looking forward to hear from you.

thanks,

jeric

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname InternetDoor

domain-name myCompany

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx1 eq smtp

access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx1 eq pop3

access-list 101 permit ip 172.xxx.1.0 255.255.255.0 172.xxx.2.0 255.255.255.0

access-list Vpn_mapping permit ip any 172.xxx.2.0 255.255.255.128

pager lines 24

logging timestamp

ip address outside XXX.XXX.XXX.XXX 255.255.255.252

ip address inside 172.168.1.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN_POOL XXX.XXX.XX.X-XXX.XXX.XX.X

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255 0 0

access-group OUTGOING in interface outside

route outside 0.0.0.0 0.0.0.0 203.125.100.245 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server mycompany protocol radius

aaa-server mycompany (inside) host 1xx.xxx.xxx.xxx mycompany timeout 10

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

auth-prompt accept Welcome to my world !!

crypto ipsec transform-set MYSET esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map DYNMAP 10 set transform-set MYSET

crypto dynamic-map DYNMAP 30 match address Vpn_mapping

crypto dynamic-map DYNMAP 30 set transform-set ESP-3DES-MD5

crypto map MYMAP 10 ipsec-isakmp dynamic DYNMAP

crypto map MYMAP client configuration address initiate

crypto map MYMAP client configuration address respond

crypto map MYMAP client authentication mycompany

crypto map MYMAP interface outside

isakmp enable outside

isakmp key ******** address 172.xxx.x.x netmask 255.255.255.0

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup mycompany_VPN address-pool VPN_POOL

vpngroup mycompany_VPN dns-server 1xx.xxx.xxx.xxx xxx.xxx.xxx.xxx

vpngroup mycompany_VPN default-domain myCompany.com

vpngroup mycompany_VPN split-tunnel 101

vpngroup mycompany_VPN idle-time 1800

vpngroup mycompany_VPN password ********

ssh timeout 5

console timeout 0

username xxx password xxxx

privilege 15

terminal width 80

Cryptochecksum:xxxxx

: end

Re: Outlook web access over pix firewall

a.alekseev — Tue, 31 May 2005 16:42:13 GMT

sorry, but i really do not understand you.

Where are the commands I asked you to add to configuration?

access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx6 eq 443

ip address outside 2xx.1xx.xxx.xx6 255.255.255.252

static (inside,outside) tcp interface 443 192.168.1.4 443 netmask 255.255.255.255 0 0

access-group OUTGOING in interface outside

Re: Outlook web access over pix firewall

jeric_saldua — Tue, 31 May 2005 21:44:53 GMT

Hi,

My apology I post the old config, Its already "in" after you ask me to put it in.

I intentionally put the old config so you can take a look on it to verify what else is missing.

But each entry you asked me to key in is already there. yet it is still not working.

hope you could help me find ways on fixing it..

thanks again for your help I really appreciate it.

Regards,

Jeric