Cisco ASA connecting to Office 365

BHconsultants88
Level 1

Hi everyone, I hope someone can help me out here. I have an IPSec tunnel set up between a Palo Alto and Cisco ASA. The tunnel is up and running and is passing LAN/WAN traffic.
So far so good.
On Thursday, the users on site were migrated to Office 365 and are today being prompted to activate their licence. The Cisco ASA is on the users site. The problem I'm having is that when they click on 'Activate' in Outlook, nothing happens. When they try to sign in to their account, it times out and says there are server issues.
I'd like some help in setting up an ACL as I think that's what I need. Happy to be corrected! :-)
Besides the ACL, is there anything else I'd need to get this working?
Many thanks in advance.

Accepted Solution

Francesco Molino
VIP Alumni
Hi

I don't see the relationship between your ASA users and the L2L VPN.
Are your users on the zone named DATA?
If so, I may have misread it because I'm looking at it over my phone, but you don't have an ACE in your DATA_access_in allowing your subnets to access the internet or Microsoft public subnets.
You need to add a statement like (at the end of your existing ACL):
access-list DATA_access_in extended permit ip object BB-Data object-group Microsoft
--> you need to look at the Microsoft website for the official public subnets to put in the new group I called Microsoft. Otherwise, if you want to allow internet access, you can replace the group with any.

As you can see, I may be talking about the wrong zone. Can you give us more details please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


3 Replies

Hi Francesco
Thank you, that worked. For now, I've used 'any' but will lock this down once I have the list of subnets from Microsoft.
One other thing that's popped up today. Management networks on 10.0.0.0/8 cannot browse to 10.76.9.161, I get the 'Windows cannot access' message. Server and permissions have been checked and verified.
The ASA logs show the following:

6|Sep 10 2019 12:06:20|302013: Built inbound TCP connection 1909631 for Outside:10.123.6.60/50252 (10.123.6.60/50252) to DATA:10.76.9.161/445 (10.76.9.161/445)
6|Sep 10 2019 12:06:20|302014: Teardown TCP connection 1909631 for Outside:10.123.6.60/50252 to DATA:10.76.9.161/445 duration 0:00:00 bytes 3228 TCP Reset-O
Would anyone know what the TCP Reset-O means please?

This TCP Reset-O indicates that the server on the outside is resetting the connection.

Can you run a packet-tracer command with source IP and destination IP (including the source interface) and share the output please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
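To make teardown reasons like the one above actionable, here is an added example (not from the thread or from Cisco) that pairs ASA 302013/302014 messages by connection ID, flags connections the ASA permitted but that were reset almost immediately, and names the endpoint the reason code points at. It assumes Cisco's documented meaning of the reason codes (Reset-I = reset from the higher-security side, Reset-O = reset from the lower-security side); the first two log lines are the ones quoted in the thread, the last two are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines 1-2 are the 302013/302014 pair quoted in the thread,
# lines 3-4 are made up to show a connection that closed normally with FINs.
SAMPLE_LOG = """\
6|Sep 10 2019 12:06:20|302013: Built inbound TCP connection 1909631 for Outside:10.123.6.60/50252 (10.123.6.60/50252) to DATA:10.76.9.161/445 (10.76.9.161/445)
6|Sep 10 2019 12:06:20|302014: Teardown TCP connection 1909631 for Outside:10.123.6.60/50252 to DATA:10.76.9.161/445 duration 0:00:00 bytes 3228 TCP Reset-O
6|Sep 10 2019 12:07:01|302013: Built inbound TCP connection 1909700 for Outside:10.123.6.60/50300 (10.123.6.60/50300) to DATA:10.76.9.161/443 (10.76.9.161/443)
6|Sep 10 2019 12:12:05|302014: Teardown TCP connection 1909700 for Outside:10.123.6.60/50300 to DATA:10.76.9.161/443 duration 0:05:04 bytes 18822 TCP FINs
"""

BUILT = re.compile(r"302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"\w+:(\S+) \(\S+\) to \w+:(\S+) \(")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) for .* duration "
                      r"(\d+):(\d\d):(\d\d) bytes \d+ (.+)$")

@dataclass
class Conn:
    cid: str
    direction: str      # "inbound" = initiated from the lower-security interface
    src: str            # initiator ip/port
    dst: str            # responder ip/port
    duration: int = -1  # seconds; stays -1 until the teardown is seen
    reason: str = ""    # ASA teardown reason, e.g. "TCP Reset-O"

def parse_asa_log(text: str) -> dict[str, Conn]:
    """Pair each 302013 build message with its 302014 teardown by connection ID."""
    conns: dict[str, Conn] = {}
    for line in text.splitlines():
        if m := BUILT.search(line):
            direction, cid, src, dst = m.groups()
            conns[cid] = Conn(cid, direction, src, dst)
        elif (m := TEARDOWN.search(line)) and m.group(1) in conns:
            cid, h, mi, s, reason = m.groups()
            conns[cid].duration = int(h) * 3600 + int(mi) * 60 + int(s)
            conns[cid].reason = reason.strip()
    return conns

def reset_sender(c: Conn):
    """RST origin: Reset-O = lower-security side (the initiator on an inbound conn), Reset-I = the other."""
    if not c.reason.startswith("TCP Reset-"):
        return None
    low_side_is_src = c.direction == "inbound"
    return c.src if c.reason.endswith("-O") == low_side_is_src else c.dst

def suspicious_resets(conns: dict[str, Conn], max_seconds: int = 1) -> list[Conn]:
    """Permitted connections reset almost at once: the ACL is not the blocker, check the endpoint reset_sender() names."""
    return [c for c in conns.values()
            if c.reason.startswith("TCP Reset-") and 0 <= c.duration <= max_seconds]
```

A connection that appears in suspicious_resets() passed the ACL and was built by the ASA, so the next step is the packet-tracer check and a look at the host or path that sent the reset rather than more ACL changes.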