05-14-2015 06:41 AM - edited 03-11-2019 10:56 PM
Recently I installed a Cisco ASA 5512-X and have successfully set it up for traffic to the outside; traffic going out from the Exchange server is fine. But I cannot get incoming traffic and access to the OWA web portal configured so that it works properly. Any assistance would be greatly appreciated. Not sure where I have missed the correct setting to allow the traffic.
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.2(3)4
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.163 255.255.255.248
!
interface GigabitEthernet0/1
 description Inside IP's
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ipv6 enable
 dhcprelay information trusted
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 description Client WiFi
 nameif Client
 security-level 0
 ip address 172.16.0.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 dhcprelay information trusted
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.0.8
 name-server 192.168.0.144
 domain-name xxx.xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ClientGateway
 host 172.16.0.1
 description ClientGateway
object network EmpGateway
 host 192.168.0.1
 description EmpGateway
object network xxxxx-VPN-IPs
 range 192.168.0.235 192.168.0.254
 description xxxxx-VPN-IPs
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network Exchange-Int
 host 192.168.0.16
access-list outside_access_in extended permit tcp any object Exchange-Int eq https
pager lines 24
logging enable
logging asdm informational
logging recipient-address xxxxxx@xxxxxx.org level critical
mtu Outside 1500
mtu Inside 1500
mtu Client 1500
mtu management 1500
ip verify reverse-path interface Inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-741.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,Outside) source dynamic ClientGateway interface
nat (any,Outside) source dynamic EmpGateway interface
nat (Client,Outside) source dynamic obj-172.16.0.0 interface
nat (Inside,Outside) source dynamic obj-192.168.0.0 interface
nat (any,Outside) source dynamic any interface
!
object network Exchange-Int
 nat (Inside,Outside) static interface service tcp https https
!
nat (management,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 209.50.114.166 1
route Outside 192.168.0.0 255.255.255.0 209.50.114.166 1
route Outside xxx.xxx.xxx.160 255.255.255.248 xxx.xxx.xxx.166 1
route Inside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.164 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxx protocol ldap
aaa-server xxxx (Inside) host 192.168.0.8
 server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.9
 server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.15
 server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.16
 server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.17
 server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.130
 server-type auto-detect
aaa-server xxxx (Inside) host 192.168.0.144
 server-type auto-detect
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint Exchange
 enrollment terminal
 keypair Exchange
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 keypair Exchange
 crl configure
crypto ca trustpool policy
crypto ca server
 shutdown
 keysize 2048
 keysize server 2048
 smtp from-address xxxxx@xxxxx.org
crypto ca certificate chain ASDM_TrustPoint0
 certificate 048dada87796c4
    308205ad 30820495 a0030201 02020704 8dada877 96c4300d 06092a86 4886f70d
    01010b05 003081b4 310b3009 06035504 06130255 53311030 0e060355 04081307
    4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
    06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 312d302b 06035504
    0b132468 7474703a 2f2f6365 7274732e 676f6461 6464792e 636f6d2f 7265706f
    7369746f 72792f31 33303106 03550403 132a476f 20446164 64792053 65637572
    65204365 72746966 69636174 65204175 74686f72 69747920 2d204732 301e170d
    31343035 32373137 33383134 5a170d31 35303730 37323034 3335365a 30453121
    301f0603 55040b13 18446f6d 61696e20 436f6e74 726f6c20 56616c69 64617465
    64312030 1e060355 04031317 6d61696c 2e6e6173 6876696c 6c656361 7265732e
    6f726730 82012230 0d06092a 864886f7 0d010101 05000382 010f0030 82010a02
    82010100 c89353e0 a6e285f2 ae21dbe6 e038bfbd 0a2e6e05 1e157419 b995b5e4
    c3c77496 dda2adfe c15c507b 5b11a7bd e20a215b bd7f6d42 f7e6b436 88d82cd6
    2a0e0185 06569d86 7456d15b 0b6bec6d 71cd58bb 227a5aa4 7bf7ce0e 6e9fc90e
    c04f183c a910b2ba 26be014d 141ea9cd 9ff05b70 86079b62 5bfc2790 24522e35
    c3196ba8 86029121 fbba5312 685d4d4d e97f7201 6e7e989d 961bc60c 6a5ac576
    186af6ad 2fc7ba6a 431620e0 9ca33681 c9f5bd2f 03659421 bb79d546 7cd805dc
    d062f1c1 694ceba4 b725c631 69a1cab9 3f524b8d 8014503b de8b7c20 fdbc08b1
    f60fca3b 647054b5 504df86b f9627784 5c847858 b6c18502 04c099ed 9879ca16
    50d0a41f 02030100 01a38202 30308202 2c300c06 03551d13 0101ff04 02300030
    1d060355 1d250416 30140608 2b060105 05070301 06082b06 01050507 0302300e
    0603551d 0f0101ff 04040302 05a03036 0603551d 1f042f30 2d302ba0 29a02786
    25687474 703a2f2f 63726c2e 676f6461 6464792e 636f6d2f 67646967 3273312d
    36362e63 726c3053 0603551d 20044c30 4a304806 0b608648 0186fd6d 01071701
    30393037 06082b06 01050507 0201162b 68747470 3a2f2f63 65727469 66696361
    7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f 72792f30 7606082b
    06010505 07010104 6a306830 2406082b 06010505 07300186 18687474 703a2f2f
    6f637370 2e676f64 61646479 2e636f6d 2f304006 082b0601 05050730 02863468
    7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63 6f6d2f72
    65706f73 69746f72 792f6764 6967322e 63727430 1f060355 1d230418 30168014
    40c2bd27 8ecc3483 30a233d7 fb6cb3f0 b42c80ce 3081a706 03551d11 04819f30
    819c8217 6d61696c 2e6e6173 6876696c 6c656361 7265732e 6f726782 1b777777
    2e6d6169 6c2e6e61 73687669 6c6c6563 61726573 2e6f7267 821f6175 746f6469
  quit
crypto ikev1 enable Outside
crypto ikev1 enable Inside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 192.168.0.144 Inside
dhcprelay enable Outside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
smtp-server 192.168.0.16
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:242a0ffb5b165b6ba5b3e0a5ae2e7d1e
: end
asdm image disk0:/asdm-741.bin
asdm history enable
05-14-2015 08:18 AM
Do you have another public IP address to use other than the interface IP? That may clear up your issue.
05-14-2015 08:30 AM
I have a block of IPs from the ISP, xxx.xxx.xxx.160-167; the outside interface is set to xxx.xxx.xxx.163, and the routing should be set to xxx.xxx.xxx.166.
05-14-2015 08:33 AM
Since you have other public IPs available, I would use one of those instead of the interface IP address.
05-14-2015 08:46 AM
Firewall setup is still very new to me; I'm not clear on how to get the external traffic linked to the internal IP, though.
05-14-2015 08:51 AM
Change this nat statement:
object network Exchange-Int
 nat (Inside,Outside) static interface service tcp https https
To:
object network Exchange-Int
 nat (Inside,Outside) static xxx.xxx.xxx.164
If you do a one-to-one nat, you don't need to do PAT in the nat statement. If you have a DNS A record assigned to the .163, you will need to change that to reflect the new IP address.
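As an added illustration (not part of any reply in this thread), the full set of ASA 8.3+ style commands that the one-to-one NAT described above relies on, together with the built-in check for it. The public address is assumed to be the unused .164 from the poster's /29; the masked octets are replaced with RFC 5737 documentation addresses (203.0.113.164 for the public side, 198.51.100.7 as a constructed test client). One point visible in the pasted configuration: it contains the access-list outside_access_in entry but no access-group line binding it to the Outside interface, and an unbound ACL never filters anything, so that line is included here.

```cisco
! Real (inside) address of the Exchange server, as in the pasted config
object network Exchange-Int
 host 192.168.0.16
 ! One-to-one static NAT to a dedicated public address (assumed: .164
 ! from the /29; shown here as the documentation address 203.0.113.164).
 ! With a full static mapping there is no per-port "service" clause.
 nat (Inside,Outside) static 203.0.113.164
!
! On ASA 8.3 and later the ACL matches the REAL (untranslated) address,
! which the object reference already provides
access-list outside_access_in extended permit tcp any object Exchange-Int eq https
!
! Bind the ACL to the outside interface; without this line the ACL is
! defined but not applied to any traffic
access-group outside_access_in in interface Outside
!
! Built-in end-to-end check: simulate an inbound HTTPS SYN from a
! constructed Internet client to the new public address and watch the
! UN-NAT and ACCESS-LIST phases
packet-tracer input Outside tcp 198.51.100.7 40000 203.0.113.164 443
!
! Confirm the static rule is being hit after a real client connects
show nat detail
show xlate
```

In the packet-tracer output, the UN-NAT phase should show the destination rewritten to 192.168.0.16 and the ACCESS-LIST phase should show ALLOW; a DROP in the ACCESS-LIST phase with the reason "implicit rule" is the signature of an ACL that exists but is not bound with access-group. The untranslate_hits counter in show nat detail increments for each inbound connection matched by the static rule, which separates a NAT/ACL problem on the ASA from a DNS record still pointing at the old .163 address.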
05-14-2015 08:32 AM
There is a layer 3 switch from the ISP that I think is doing routing, using xxx.xxx.xxx.165 for Exchange traffic, but I'm not sure.