ASA Configuration for Exchange Front End and Back End server

mohammed-amjad
Level 1

Hi,

I have a Cisco ASA, and I have connected an Exchange 2007 Edge Server in the DMZ and a Client Access Server in the local network. Can anyone please tell me how to configure the ASA for this?

Thanks,

5 Replies

andamani
Cisco Employee

Hi Mohammed,

So how do you want the server to be seen by the client? Do you want the clients to access the server with the original IP address of the server or a translated IP address?

Also what is the security level configured on the DMZ and the local network?

Basically, on the ASA you will need to configure a NAT for traffic to pass between the different security level interfaces.

Regards,

Anisha

Hi,

Please find attached my ASA configuration. The client will access the server by the translated IP address.

Thanks,

Hi,

So I understand the topology would be:

Client -- (inside) ASA (DMZ) -- Server..

Please let me know the server IP address and the IP you want to translate it to.

Regards,

Anisha

Hi,

Please have a look at the configuration of the ASA and let me know whether it is configured properly or not.

Edge Transport Server (Frontend Server) IP is 192.168.200.6 (Local IP); this server is in the DMZ.

212.xx.xx.167 (Public IP)

Client Access Server (Backend Server) IP is 172.20.16.5 (Local IP); this server is in the local network.

Thanks,

Hi mohammed-amjad,

This looks very familiar to me; I recently had a quite similar case on one of our customers' networks. A couple of issues:

  1. Your ASA software version is quite old (7.x); it might not support everything you need for a "waterproof" firewall configuration for an MS-Exchange frontend in a DMZ to an Exchange backend on the inside. For example, the line "established tcp 135 0 permitto tcp 1024-65535 permitfrom tcp 0" shows me that dynamic inspection and pin-holing for negotiated connections over RPC is not supported on your version (that's DCE-RPC on the default port).
  2. I have observed that the frontend is using a lot of ports and protocols towards the inside, including full Active Directory with DCE-RPC to domain controllers, NetBIOS session, RPC-over-SSL tunneling, SMTP etc., so most likely your ACL from DMZ to inside must be extended. Which connections are actually needed depends on facts I don't know for sure; that's a Microsoft issue: it's very difficult to find out exactly which ports and protocols are needed between different Microsoft servers, especially as these requirements differ from version to version.
  3. DCE-RPC (Distributed Computing Environment Remote Procedure Call) can be quite challenging; in my case I will have to upgrade to 8.4.1 (look at the minimum RAM requirements!) to solve something called RPC with non-EPM (no endpoint mapper), whatever that means in detail.

I cannot give you my config because your situation might be totally different. We, for example, have 3 domain controllers on the inside with distributed functions; additionally we have OWA, which again needs some specific protocols (as far as I remember that's the RPC-over-SSL tunneling with some specific ports), and I'm not deep enough into the details of Microsoft to give you advice on what to configure. I'm glad that I have my situation a little bit under control.

At the moment (and I'm not happy with it) I have quite generously permitted tcp any from the frontend to the backend, similar to your current "permit ip any any".

I'm afraid you need to be quite generous from DMZ to inside in your situation.

Rgds,

MiKa
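For reference, the following is an added example of how the topology in this thread (Edge server 192.168.200.6 in the DMZ published as 212.xx.xx.167, Client Access Server 172.20.16.5 on the inside) could be expressed in pre-8.3 ASA syntax. It is not the original poster's attachment or any reply's config; the interface names and security levels are assumptions, the "212.xx.xx.167" public address is the thread's own placeholder, and the SMTP-only rule from DMZ to inside is a starting point that you would extend, flow by flow, as the logged denies reveal what the Exchange roles actually need.

```cisco
! Assumed interfaces and security levels (not from the thread)
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50

! Publish the Edge server on the public address (pre-8.3 static NAT)
static (dmz,outside) 212.xx.xx.167 192.168.200.6 netmask 255.255.255.255
! Identity NAT so the DMZ can reach the internal server by its real address
static (inside,dmz) 172.20.16.5 172.20.16.5 netmask 255.255.255.255

! Internet -> Edge: SMTP only (pre-8.3 ACLs use the translated address)
access-list outside_in extended permit tcp any host 212.xx.xx.167 eq smtp
access-group outside_in in interface outside

! The broad rule discussed in the thread, shown here only for contrast:
!   access-list dmz_in extended permit ip any any
! Tighter starting point: the Edge server may send SMTP to the internal
! server; everything else from the DMZ is denied and logged, so each
! additional flow Exchange needs shows up in syslog before you permit it.
access-list dmz_in extended permit tcp host 192.168.200.6 host 172.20.16.5 eq smtp
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz

! On releases that support it, DCE-RPC inspection replaces the static
! "established" pinhole for TCP/135 by opening only the negotiated ports.
policy-map global_policy
 class inspection_default
  inspect dcerpc
```

Traffic from inside (security level 100) to the DMZ is allowed by default without an inbound ACL on the inside interface, so the return-direction flows the backend needs are not restricted by this fragment.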
