Publishing OWA through ASA 5500

Rex Biesty
Level 1

Hello

We are replacing our ISA 2000 server with a Cisco ASA 5500 appliance. I have most of the config down (using ASDM, as I'm not the most experienced user) but I'm not sure how to deal with Outlook Web Access. Currently users access this by typing in the external IP of the ISA server followed by /exchange/. Our current ASA config is:

domain-name drum-opps.org.uk
enable password xxx
names
!
interface Ethernet0/0
 description Opps WAN
 nameif outside
 security-level 0
 ip address 212.240.x.x.255.255.248
!
interface Ethernet0/1
 description Opps LAN
 nameif Inside
 security-level 100
 ip address 172.19.1.250 255.255.0.0
!
interface Ethernet0/2
 description Interface used by non Opps custs at Open Gate
 nameif Non-Opps-Orgs
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
!
passwd xxx
banner login Opps ASA Firewall - unauthorised access prohibited
ftp mode passive
dns server-group DefaultDNS
 domain-name drum-opps.org.uk
access-list Inside_nat0_outbound extended permit ip any 172.16.15.0 255.255.255.128
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
mtu Non-Opps-Orgs 1500
ip local pool OppsVPNPool 172.16.15.1-172.16.15.100 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface Inside
monitor-interface management
monitor-interface Non-Opps-Orgs
icmp deny any echo outside
asdm image disk0:/asdm512-k8.bin
asdm location 172.16.1.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Non-Opps-Orgs) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 212.240.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy OppsASA internal
group-policy OppsASA attributes
 wins-server value 172.16.1.9
 dns-server value 172.16.1.4 172.16.1.9
 default-domain value drum-opps.org.uk
username xxx password xxxx encrypted privilege 15
username admin password RUBWZ.6lHKJbc.20 encrypted privilege 15
username mcleanp password S0AKCUWmxIwytSWt encrypted privilege 3
url-server (Inside) vendor websense host 172.16.1.6 timeout 30 protocol TCP version 1 connections 5
filter url http 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 172.16.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group OppsASA type ipsec-ra
tunnel-group OppsASA general-attributes
 address-pool OppsVPNPool
 default-group-policy OppsASA
tunnel-group OppsASA ipsec-attributes
 pre-shared-key cybert00l
telnet 172.16.0.0 255.255.0.0 Inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.10-192.168.2.100 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management

Any help would be greatly appreciated.

Accepted Solution

Fernando_Meza
Level 7

Hi .. you can use the WebVPN feature to configure access to OWA ... please see the link below for information about it.

http://cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080334071.html#wp1002608

In the meantime you could allow access to your email server by creating a static translation and opening access to it in an access-list applied to the outside interface, i.e.

static (inside,outside) netmask 255.255.255.255

The above line assumes that the email server is behind the Inside interface; if it is not, just change the 'inside' part accordingly.

access-list Outside-In extended permit tcp any host eq 443

access-list Outside-In extended permit tcp any host eq 80

access-group Outside-In in interface outside

The above lines allow access to your email server from the internet on ports 443 and 80.

I hope it helps .. please rate it if it does!!

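Once the static translation and the Outside-In access-list above are in place, the question a defender keeps asking is "what exactly does the outside interface expose now, and on which ports?" The script below is an added example, not code from this thread or from Cisco: it reads the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form, the `access-list ... extended permit` rules and the `access-group ... in interface outside` binding, then reports each internet-reachable host and port, resolving the mapped address back to the inside server and flagging cleartext services (the port 80 rule above is the case in point: OWA credentials sent over plain HTTP unless the server redirects to 443). The sample configuration is constructed with documentation-range addresses; the regular expressions cover only the syntax shown in the thread, not the object-based NAT syntax of ASA 8.3 and later.

```python
"""Report what a pre-8.3 Cisco ASA configuration exposes on its outside
interface: every inbound 'permit' in the ACL bound to that interface,
mapped back through 'static' translations, with cleartext services flagged.
Constructed example; not from the original thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASA accepts well-known service names in 'eq'; resolve the common ones.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25,
              "telnet": 23, "ftp": 21, "ssh": 22, "pop3": 110, "imap4": 143}
# Services that carry credentials or content unencrypted.
CLEARTEXT = {80: "HTTP", 23: "Telnet", 21: "FTP", 110: "POP3", 143: "IMAP"}

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask   (pre-8.3 syntax)
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) "
    r"(?P<proto>tcp|udp|ip) (?P<src>any|host \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?\s*$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\S+)")


@dataclass
class Exposure:
    mapped_ip: str            # address reachable from the internet
    real_ip: Optional[str]    # inside host behind the static, if one exists
    proto: str
    port: Optional[int]       # None means every port of the protocol
    cleartext: Optional[str]  # unencrypted service name, if flagged


def resolve_port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def audit(config_text: str, outside_ifc: str = "outside") -> Dict[str, list]:
    statics: Dict[str, str] = {}        # mapped ip -> real ip
    acls: Dict[str, List[dict]] = {}    # acl name -> rules, in order
    inbound: Dict[str, str] = {}        # interface -> acl applied 'in'
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics[m["mapped"]] = m["real"]
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(m.groupdict())
            continue
        m = GROUP_RE.match(line)
        if m:
            inbound[m["ifc"]] = m["name"]

    exposures: List[Exposure] = []
    permitted = set()
    # With no ACL applied inbound on outside, the ASA's default deny from a
    # lower to a higher security level blocks everything; statics alone expose nothing.
    for rule in acls.get(inbound.get(outside_ifc, ""), []):
        if rule["action"] != "permit":
            continue
        dst = rule["dst"]
        mapped = dst.split()[1] if dst.startswith("host ") else dst
        port = resolve_port(rule["port"])
        permitted.add(mapped)
        exposures.append(Exposure(mapped_ip=mapped, real_ip=statics.get(mapped),
                                  proto=rule["proto"], port=port,
                                  cleartext=CLEARTEXT.get(port)))
    unused = sorted(ip for ip in statics if ip not in permitted)
    return {"exposures": exposures, "unused_statics": unused}


def report(result: Dict[str, list]) -> List[str]:
    lines = []
    for e in result["exposures"]:
        target = f"{e.mapped_ip} -> {e.real_ip or '(no static: nothing behind it)'}"
        svc = f"{e.proto}/{e.port if e.port is not None else 'all'}"
        note = f"  [cleartext {e.cleartext}]" if e.cleartext else ""
        lines.append(f"EXPOSED {target} {svc}{note}")
    for ip in result["unused_statics"]:
        lines.append(f"TRANSLATED but no inbound permit: {ip}")
    return lines


# Constructed sample in the shape of the answer above; documentation-range
# addresses, not the poster's network.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 172.16.1.20 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 172.16.1.21 netmask 255.255.255.255
access-list Inside_nat0_outbound extended permit ip any 172.16.15.0 255.255.255.128
access-list Outside-In extended permit tcp any host 203.0.113.10 eq 443
access-list Outside-In extended permit tcp any host 203.0.113.10 eq 80
access-list Outside-In extended permit tcp any host 203.0.113.12 eq telnet
access-list Outside-In extended deny ip any any
access-group Outside-In in interface outside
"""

if __name__ == "__main__":
    for line in report(audit(SAMPLE_CONFIG)):
        print(line)
```

Running it against the sample lists the mail server twice (tcp/443 and tcp/80, the latter flagged as cleartext), a telnet permit to an address with no static behind it, and a second translation that no rule permits. The Inside_nat0_outbound ACL is ignored because it is not bound inbound on the outside interface, which is the distinction that matters when reading a grown ASA config.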

2 Replies

Thanks for the reply Fernando. The second solution seems best, but I can't implement it yet as the old ISA is still in service at the moment. I tried the WebVPN, which seems to work well; however, I seem to be only able to make 2 concurrent connections, so I don't think this will be the best solution.
