10-22-2013 03:52 AM - edited 03-11-2019 07:54 PM
Hi all,
I have managed to get smtp access (https://supportforums.cisco.com/thread/2246317)
I have mail routing in through port 25, how can I configure OWA access through https?
We are using a 2013 Exchange server and I wish for users to connect to the server without having to turn on the VPN. Appreciate all the help I can get.
Cheers
Nick
10-22-2013 04:12 AM
Hi,
Did you have an extra public IP address for this or did you need to use your interface IP address? I guess it was the interface IP address?
The other discussion seemed to use Manual NAT configuration format to achieve the Static PAT (Port Forward) configuration. I would personally use Auto NAT.
The problem with TCP/443 port forwarding and using the "interface" IP address is that your ASDM and SSL VPN also use that port. Creating the Static PAT using the interface IP address would then probably cause problems. There is an option to change both the ASDM and SSL VPN port on the ASA but this naturally causes some inconvenience since it doesn't use the default port anymore.
The usual configuration format for Static PAT would be
object network OWA-HTTPS
host
nat (inside,outside) static interface service tcp 443 443
Hope this helps
- Jouni
10-22-2013 05:18 AM
Hi Jouni,
Thanks for the fast reply, I don't have an extra IP address at this stage, I would prefer to use the interface IP address (provided by the ISP) for the time being until we can get another IP. I will def look at changing over to Auto NAT for a better solution to the other discussion.
I assumed that I would have to change the default ASDM and SSL VPN port on the ASA, how can this be achieved in ASDM?
Also what port is best practice to change this to if I do go down that path??
Thanks again for your help
Nick
10-22-2013 05:34 AM
Hi,
I am not sure how you currently manage your firewall. Do you perhaps do it from the public network also or only from the LAN? If you are doing it remotely then I would suggest that you first confirm that you have SSH connectivity to the ASA in case there are any problems when doing these changes so that you don't cut yourself off from any type of management connection.
The ASDM port used can be set in the command you already have active on the ASA.
http server enable
You probably only have "http server enable" at the moment. You can simply specify the used port after the command to change the port.
You can use the following command to view which ports the ASA is listening on.
show asp table socket
I have not changed the ASDM port from ASDM itself. I would imagine that you might be able to change it through there but I would also guess that the connection to the ASA will be cut after that and you will have to form the new connection using the IP address and port in the field when logging on with the ASDM.
For example, enter in the ASDM login window
1.1.1.1:4443
Where the 4443 would be the new port to which you connect instead of the default 443.
I am not really sure if there is a good practice for choosing the port. I guess it would be avoiding the most typical ones. On the other hand it's about convenience since you now have to mention the port when connecting to the device either with ASDM or SSL VPN.
You can find the section to change the ASDM port from Configuration -> Device Management -> Management Access -> ASDM/HTTPS/Telnet/SSH and the view that opens will have the section for the port used.
I think regarding the SSL VPN Client/Clientless the port can be changed from
Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Connection Profiles -> Port Settings -button
OR
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles -> Port Settings -button
Hope this helps
- Jouni
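An added example, not part of the thread or any poster's own code: a small Python check over an ASA running-config that flags the collision discussed above, where a Static PAT on the interface address uses a TCP port that ASDM or SSL VPN already listens on. The sample config, the 10.0.0.10 host address and the function names are constructed for illustration; the parser assumes ASDM listens only on interfaces named in `http <network> <mask> <interface>` lines and SSL VPN only on interfaces enabled under `webvpn`.

```python
import re

# The ASA prints well-known ports by name in the running config.
PORT_NAMES = {"https": 443, "www": 80, "smtp": 25}
PAT_RE = re.compile(r"nat \(\S+,(\S+)\) static interface service tcp (\S+) (\S+)")

def to_port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def find_conflicts(config):
    """Return sorted (interface, port, service) tuples where a Static PAT on the
    interface address uses a TCP port the ASA itself listens on."""
    # service -> [listening port (None = disabled), interfaces it is enabled on]
    listeners = {"ASDM": [None, set()], "SSL VPN": [443, set()]}
    pats, section = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line                       # new top-level command
        if m := re.fullmatch(r"http server enable ?(\S*)", line):
            listeners["ASDM"][0] = to_port(m.group(1) or "443")
        elif m := re.fullmatch(r"http \S+ \S+ (\S+)", line):
            listeners["ASDM"][1].add(m.group(1))
        elif section == "webvpn" and (m := re.fullmatch(r"port (\S+)", line)):
            listeners["SSL VPN"][0] = to_port(m.group(1))
        elif section == "webvpn" and (m := re.fullmatch(r"enable (\S+)", line)):
            listeners["SSL VPN"][1].add(m.group(1))
        elif m := PAT_RE.fullmatch(line):
            # Third capture is the mapped (outside-facing) port.
            pats.append((m.group(1), to_port(m.group(3))))
    return sorted((ifc, port, svc) for ifc, port in pats
                  for svc, (lport, ifcs) in listeners.items()
                  if port == lport and ifc in ifcs)

# Constructed sample: ASDM and SSL VPN on the default port, plus the OWA Static PAT.
BEFORE = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
webvpn
 enable outside
object network OWA-HTTPS
 host 10.0.0.10
 nat (inside,outside) static interface service tcp https https
"""
# Same config after moving ASDM and SSL VPN to 4443, the port used in the thread.
AFTER = (BEFORE.replace("http server enable", "http server enable 4443")
               .replace("webvpn\n", "webvpn\n port 4443\n"))

if __name__ == "__main__":
    print("before:", find_conflicts(BEFORE))
    print("after: ", find_conflicts(AFTER))
```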