11-28-2006 02:47 AM - edited 03-11-2019 02:01 AM
Hello
We are replacing our ISA 2000 server with a Cisco ASA 5500 appliance. I have most of the config down (using ASDM as I'm not the most experienced user) but I'm not sure how to deal with Outlook Web Access. Currently users access this by typing in the external IP of the ISA server followed by /exchange/. Our current ASA config is
domain-name drum-opps.org.uk
enable password xxx
names
!
interface Ethernet0/0
 description Opps WAN
 nameif outside
 security-level 0
 ip address 212.240.x.x.255.255.248
!
interface Ethernet0/1
 description Opps LAN
 nameif Inside
 security-level 100
 ip address 172.19.1.250 255.255.0.0
!
interface Ethernet0/2
 description Interface used by non Opps custs at Open Gate
 nameif Non-Opps-Orgs
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
!
passwd xxx
banner login Opps ASA Firewall - unauthorised access prohibited
ftp mode passive
dns server-group DefaultDNS
 domain-name drum-opps.org.uk
access-list Inside_nat0_outbound extended permit ip any 172.16.15.0 255.255.255.128
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu management 1500
mtu Non-Opps-Orgs 1500
ip local pool OppsVPNPool 172.16.15.1-172.16.15.100 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
monitor-interface outside
monitor-interface Inside
monitor-interface management
monitor-interface Non-Opps-Orgs
icmp deny any echo outside
asdm image disk0:/asdm512-k8.bin
asdm location 172.16.1.9 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Non-Opps-Orgs) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 212.240.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy OppsASA internal
group-policy OppsASA attributes
 wins-server value 172.16.1.9
 dns-server value 172.16.1.4 172.16.1.9
 default-domain value drum-opps.org.uk
username xxx password xxxx encrypted privilege 15
username admin password RUBWZ.6lHKJbc.20 encrypted privilege 15
username mcleanp password S0AKCUWmxIwytSWt encrypted privilege 3
url-server (Inside) vendor websense host 172.16.1.6 timeout 30 protocol TCP version 1 connections 5
filter url http 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 172.16.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group OppsASA type ipsec-ra
tunnel-group OppsASA general-attributes
 address-pool OppsVPNPool
 default-group-policy OppsASA
tunnel-group OppsASA ipsec-attributes
 pre-shared-key cybert00l
telnet 172.16.0.0 255.255.0.0 Inside
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.10-192.168.2.100 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
Any help would be greatly appreciated.
11-28-2006 03:26 AM
Hi .. you can use the WebVPN feature to configure access to OWA ... please see the below link for information about it.
in the meantime you could allow access to your email server by creating a static translation and opening access to it on an access-list applied to the outside interface, i.e.
static (inside,outside)
the above line assumes that the email server is behind the Inside interface, if it is not just change the 'inside' part accordingly.
access-list Outside-In extended permit tcp any host
access-list Outside-In extended permit tcp any host
access-group Outside-In in interface outside
the above lines allow access to your email server from the internet on ports 443 and 80.
I hope it helps .. please rate it if it does !!
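The static and access-list lines in the answer above have their addresses and ports left out. Below is a filled-in version as an added example; it is not the answering poster's configuration, and the addresses in it are assumptions: 172.16.1.20 stands in for the Exchange front-end on the interface named Inside, and 212.240.128.5 for a spare public address from the firewall's own /29 (the real block is masked in the posted config). The syntax is the 7.x pre-8.3 NAT form that matches the ASDM 5.1 image in the post, where an outside access-list matches the translated public address rather than the real inside one. Two things a practitioner should check against the posted config before pasting: the interface is named "Inside" with a capital I, and nameif values are case-sensitive, so "static (inside,outside)" will be rejected; and the posted Inside address (172.19.1.250/16) is not in the 172.16.0.0/16 range used everywhere else in the config, so the server's real address must actually be reachable via that interface.

```cisco
! Added example, not from the original thread. Hypothetical addresses:
!   172.16.1.20    Exchange front-end behind the interface named "Inside"
!   212.240.128.5  spare public address from the firewall's own /29
! ASA 7.x / pre-8.3 syntax, matching the ASDM 5.1 image in the posted config.
!
! One-to-one static: "Inside" must match the nameif exactly (case-sensitive).
static (Inside,outside) 212.240.128.5 172.16.1.20 netmask 255.255.255.255
!
! Alternative that reuses the outside interface address, as the old ISA did,
! so no second public IP is needed (use one form or the other, not both):
! static (Inside,outside) tcp interface https 172.16.1.20 https netmask 255.255.255.255
!
! Only HTTPS is opened. OWA logon over plain HTTP would send domain credentials
! in the clear; if the server only serves an http->https redirect on port 80,
! add "permit tcp any host 212.240.128.5 eq www" deliberately.
access-list Outside-In remark OWA: HTTPS from anywhere to the Exchange front-end
access-list Outside-In extended permit tcp any host 212.240.128.5 eq https
! Everything else is dropped by the implicit deny; an explicit deny with "log"
! makes the dropped attempts visible in the ASDM syslog view.
access-list Outside-In extended deny ip any any log
access-group Outside-In in interface outside
!
! Verification after a test connection from the internet:
!   show xlate                      -> the 172.16.1.20 <-> 212.240.128.5 entry
!   show access-list Outside-In     -> hit count on the permit https line
```

The `ip verify reverse-path interface outside` line already in the posted config stays compatible with this: it only checks that the source of inbound packets is routable back out of the outside interface, which any internet client's address is.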
11-29-2006 01:11 AM
Thanks for the reply Fernando. The second solution seems best but I can't implement it yet as the old ISA is still in service at the moment. I tried the WebVPN, which seems to work well; however, I seem to be only able to make 2 concurrent connections, so I don't think this will be the best solution.