04-04-2013 09:05 AM - edited 03-11-2019 06:23 PM
Hi all.
I am having some trouble accessing some backup Email (Outlook Web Access) and Citrix servers located behind an ASA 5505 firewall at a remote datacentre. Simply put, when I go to the specific URL (e.g. https://citrixdr.xxx.co.uk) I do not arrive at the splash page, I just get a message saying that the server took too long to respond in the web browser. I'm wondering whether I have missed something on the configuraiton or the firewall itself is not letting my requests through.
The remote servers are located at a remote Disaster Recovery site and use the subnet 192.168.4.0/24. I am at head office which is connected to the DR site via a VPN using 192.168.1.0/24.
My running configuration is below, if anyone could have a browse through it it would be much appreciated.
LM-DR-ASA5505# show run
: Saved
:
ASA Version 8.2(5)
!
hostname xxx
domain-name xxx.local
enable password 9tc.bMMQOdcEzWlK encrypted
passwd zh5kKKD1zRf47kwr encrypted
names
name 216.82.240.0 MLT1
name 67.219.240.0 MLT2
name 85.158.136.0 MLT3
name 95.131.104.0 MLT4
name 46.226.48.0 MLT5
name 117.120.16.0 MLT6
name 193.109.254.0 MLT7
name 194.106.220.0 MLT8
name 195.245.230.0 MLT9
name 103.3.96.0 MLT10
name xxx.xxx.xxx.xxx citrixdr.xxx.co.uk
name xxx.xxx.xxx.xxx maildr.xxx.co.uk
name xxx.xxx.xxx.xxx webmaildr.xxx.co.uk
name 192.168.4.23 LON-EXCH-03
name 192.168.4.30 Citrix-Access-Gateway
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.4.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM-INLINE-SERVICE
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group network VPN-REMOTE
network-object 192.168.1.0 255.255.255.0
object-group protocol PROTOCOL-LIST
protocol-object ip
protocol-object icmp
protocol-object pim
protocol-object pcp
protocol-object snp
protocol-object udp
protocol-object igmp
protocol-object ipinip
protocol-object gre
protocol-object esp
protocol-object ah
protocol-object tcp
protocol-object eigrp
protocol-object ospf
protocol-object igrp
protocol-object nos
object-group service DM-INLINE-TCP-1 tcp
port-object eq https
port-object eq smtp
object-group service DM-INLINE-TCP-2 tcp
port-object eq www
port-object eq https
object-group network MESSAGE-LABS-TOWERS
network-object MLT1 255.255.240.0
network-object MLT2 255.255.240.0
network-object MLT3 255.255.248.0
network-object MLT4 255.255.248.0
network-object MLT5 255.255.248.0
network-object MLT6 255.255.248.0
network-object MLT7 255.255.254.0
network-object MLT8 255.255.254.0
network-object MLT9 255.255.254.0
network-object MLT10 255.255.252.0
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-access-in extended permit ip any any
access-list inside-access-in extended permit ip 192.168.4.0 255.255.255.0 any
access-list inside-access-in extended permit icmp any any
access-list outside-access-in extended permit object-group DM-INLINE-SERVICE any any
access-list outside-access-in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit tcp any host webmaildr.xxx.co.uk object-group DM-INLINE-TCP-2
access-list outside-access-in extended permit tcp any host maildr.xxx.co.uk object-group DM-INLINE-TCP-1
access-list outside-access-in extended permit tcp any host citrixdr.xxx.co.uk eq https
access-list outside-access-in extended permit tcp object-group MESSAGE-LABS-TOWERS host LON-EXCH-03 eq smtp
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside-1-cryptomap extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside-nat0-outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list testcap extended permit icmp host 192.168.1.11 host 192.168.4.1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside-nat0-outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp citrixdr.xxx.co.uk https Citrix-Access-Gateway https netmask 255.255.255.255
static (inside,outside) tcp maildr.xxx.co.uk smtp LON-EXCH-03 smtp netmask 255.255.255.255
static (inside,outside) tcp webmaildr.xxx.co.uk https LON-EXCH-03 https netmask 255.255.255.255
access-group inside-access-in in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 192.168.1.0 255.255.255.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxx.xxx.xxx.xxx 255.255.255.255 outside
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-map 1 match address outside-1-cryptomap
crypto map outside-map 1 set peer xxx.xxx.xxx.xxx
crypto map outside-map 1 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.4.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet xxx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.4.0 255.255.255.0 inside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxx password LUZB8j2zj03xvSeF encrypted
username xxx password RxEDmrZ7KCRzPu4T encrypted
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:61e54b16fb87f1e6fa3b8d520e87ddc0
: end
Solved! Go to Solution.
04-04-2013 09:14 AM
Hi,
I imagine that even though you have a L2L VPN configured between the sites, you are connecting to the remote servers through the Internet (without the VPN)?
- Jouni
04-04-2013 09:14 AM
Hi,
I imagine that even though you have a L2L VPN configured between the sites, you are connecting to the remote servers through the Internet (without the VPN)?
- Jouni
04-05-2013 02:24 AM
Hi Jouni, thanks for your response.
Turns out that the Citrix Access Gateway wasn't set up until yesterday evening and by then I had stopped trying for the day. It is now set up and external access is available.
Further to this, my colleague forgot to inform me of the change of I.P. address of the Exchange server. This meant that Webmail requests were pointing to an I.P. address that didn't exist.
I have reconfigured the firewall this morning and external access for Webmail is also working correctly.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: