Hi Tim,

I added what you suggested and think that may work.  I am not able to test until after hours, so will test again tonight.

Yeah I do have a route back to my inside network.  I am able to get everything working, just not OWA, but learning a lot on how to configure an ASA especially the new NAT way.

Thanks,

Ken~

Hi Ken,

Let me know how the testing goes. Make certain to remove any previous NAT's for the Exchange server that might overlap as they can conflict and possibly prevent the new NAT you added from working.

Regards,

Tim

Please don't forget to rate useful posts and mark answers as correct

Hi Tim,

Still doesn't work, but I am getting hits on my nat rule now:

(inside) to (outside) source static AMS-EXCHANGE EXCHANGE-EXTERNAL-IP
translate_hits = 93, untranslate_hits = 0

Where as before I wasn't even getting that.  I am thinking it could be one of the following now:

I need to add our certificate to the new ASA

or

Something in our barracuda spam filter needs to change, but really don't think so as the IP address is not changing.

I am not changing anything on the Exchange Server, just replacing the ASA.  Our old ASA is running the old 8.2 code, so I was not able to just copy it over.

I will have to explore more tomorrow, but happy I was able to get this far with your help :)

Ken~

Hi Tim,

Uhh sorry didn't mean this was the correct answer and no clue how to undo it. :(

My old ASA which is still in production is on the old code, while the new ASA I am trying to get into production is on the new 9.1 code. 

After I made the change yesterday I started getting users saying email was slow when accessing from "Outside" my network, mainly on mobile devices.  As soon as I shut the port down on the new ASA the problem went away.  Thinking because I as asymmetrical routing going on since both ASA's were up and hosting the same Exchange IP.  The new and old ASA have different outside IP address.  This way I can have both up next to each other as I migrate over.  When I do my testing at night, I just change my default route on my Gateway switch to point to the new ASA.

Below is my current config now:

hostname AMS-ASA-5516
domain-name ams.int
enable password ml/91DiSZjZ9eqWz encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ml/91DiSZjZ9eqWz encrypted
names
ip local pool AMS-VPN-POOL 10.10.4.1-10.10.4.200 mask 255.255.255.0
ip local pool AMS-TEST-VPN-POOL 172.16.1.1-172.16.1.50 mask 255.255.255.0
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.33 255.x.x.x
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.10.41.188 255.255.252.0
!
interface GigabitEthernet1/3
description Gift-Store-VLAN
nameif VLAN110
security-level 50
ip address 10.110.110.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.40.23
name-server 10.10.40.24
name-server 8.8.8.8
domain-name ams.int
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network AMS-FOX-CAMERA
host 10.10.40.44
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.255.0
object network AMS-INSIDE-SUBNET
subnet 10.10.40.0 255.255.252.0
object network AMS-VPN-HOSTS
subnet 10.10.4.0 255.255.255.0
object network AMS-TEST-VPN-HOSTS
subnet 172.16.1.0 255.255.255.0
object network VLAN110
subnet 10.110.110.0 255.255.255.0
object network EXCHANGE-EXTERNAL-IP
host x.x.x.31
object network AMS-EXCHANGE
host 10.10.40.4
object-group network TIX_SERVERS
network-object host 10.10.40.21
network-object host 10.10.40.22
network-object host 10.10.40.25
object-group service EXCHANGE-PORTS
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq smtp
service-object tcp destination eq pop3
service-object tcp destination eq 102
service-object tcp destination eq 103
service-object tcp destination eq 5993
service-object tcp destination eq 8001

****Pretty sure this is not needed, but I added just to see****
access-list outside-acl extended permit object-group EXCHANGE-PORTS any object EXCHANGE-EXTERNAL-IP

****This is what you had me add****
access-list outside-acl extended permit object-group EXCHANGE-PORTS any object AMS-EXCHANGE

access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit icmp any any time-exceeded
access-list outside-acl extended permit icmp any any unreachable
access-list outside-acl extended permit ip 10.11.11.0 255.255.255.0 object-group TIX_SERVERS
access-list outside-acl extended permit ip 10.10.4.0 255.255.255.0 any
access-list outside-acl extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside-acl extended permit tcp any host x.x.x.141 eq 8001
access-list inside-acl extended permit tcp host 10.10.40.5 any eq smtp
access-list inside-acl extended permit ip any any
access-list inside-acl extended permit tcp any any eq 69
access-list inside-acl extended permit ip 10.10.40.0 255.255.252.0 interface outside
access-list inside-acl extended permit tcp any any eq https
access-list inside-acl extended permit ip 172.16.1.0 255.255.255.0 10.10.40.0 255.255.252.0

access-list AMS-SPLIT-TUNNEL standard permit 10.10.40.0 255.255.252.0
access-list AMS-SPLIT-TUNNEL standard permit 10.44.22.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 10.44.24.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 216.27.79.0 255.255.255.0
access-list AMS-SPLIT-TUNNEL standard permit 172.16.1.0 255.255.255.0

pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm errors
logging queue 0
mtu outside 1500
mtu inside 1500
mtu VLAN110 1500
ip audit info action drop
ip audit attack action reset
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
icmp permit any echo-reply outside
icmp permit any unreachable inside
icmp permit any echo inside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

nat (VLAN110,outside) source dynamic VLAN110 interface

nat (inside,outside) source static AMS-INSIDE-SUBNET AMS-INSIDE-SUBNET destination static AMS-VPN-HOSTS AMS-VPN-HOSTS no-proxy-arp route-lookup

nat (inside,outside) source static AMS-INSIDE-SUBNET AMS-INSIDE-SUBNET destination static AMS-TEST-VPN-HOSTS AMS-TEST-VPN-HOSTS no-proxy-arp route-lookup

nat (inside,outside) source static AMS-EXCHANGE EXCHANGE-EXTERNAL-IP
!
object network AMS-FOX-CAMERA
nat (inside,outside) static 71.81.16.141
!
nat (inside,outside) after-auto source dynamic AMS-INSIDE-SUBNET interface
access-group outside-acl in interface outside
access-group inside-acl in interface inside
route inside 10.10.10.0 255.255.255.0 10.10.40.1 128 track 10
route outside 0.0.0.0 0.0.0.0 x.x.x.29 1
route inside 10.10.1.0 255.255.255.0 10.10.40.1 1
route inside 10.44.22.0 255.255.255.0 10.10.40.1 1
route inside 10.44.24.0 255.255.255.0 10.10.40.1 1

Ken~

Oh... I didn't know you were trying to have both running and migrate over. Yeah as you say it is asymmetrical and you can't do that. Firewalls are stateful. If you connect to Exchange from the outside of the new ASA, the Exchange server will route out the other firewall as the network dictates. And since there is no state on this firewall, it will drop the traffic.

Now that the new ASA is correctly configured, you just have to cut over DNS and routing so that only the new ASA is used. If testing goes well then you're done. Otherwise you can just roll back. 

Regards,

Tim

Hi Tim,

I did make the cut last night after hours, but still was not able to get https://mail.mycompany.com to work.  I guess I don't see how DNS has to change as nothing IP wise is changing..?

On my Gateway switch I just change the default route to point to the new "Inside" interface of the new ASA when I want to fully test.

I even went as far as changing my old ASA outside IP and put it on the new ASA outside IP address.  I shut the outside interface down on the old ASA first to not have it overlap, but still didn't fix my issue.

Ken~

Hi Ken,

You had a different public IP address on the new ASA. mail.mycompany.com resolves to the IP address on the old ASA. So if you're using the new IP address, you need to update your external DNS record for mail.mycompany.com.

If you decide to transfer the IP address of the old ASA to the new ASA, then you may have to wait because your default gateway (the ISP) has an ARP entry cached for your old ASA. It thinks X.X.X.X belongs to old ASA MAC. Once that ARP entry times out and it ARP's again, then you would be back in business.

The ASA looks configured properly to me, but that's based on the context that I have. Every time you reply, I learn something new about the network topology. At this point, it's just a matter of analyzing the situation carefully and testing.

Regards,

Tim

Hi Tim,

Forgive me for not understanding, but let me explain how this is setup.

The "Old" ASA has an outside IP of: x.x.x.133

The "New" ASA has an outside IP of: x.x.x.136

The "Exchange" has an outside IP of: x.x.x.131 and this has not changed from old ASA to new ASA.

I get the concept of arp cache needing to clear out, but the Exchange server IP has not changed, so why would the provider need to clear its arp cache out..?

Is it because the provider see's that its connected to .133 and knows to push .131 traffic there for mail?

I would LOVE, LOVE, LOVE if this were an arp cache issue.  I can test this theory out on Sunday as events are going on this Sat.  I will set it backup so the new ASA is working and wait to see if the arp cache clears out by Monday morning.  If not, I can have someone there reboot the providers equipment.

I am not local so can't do it myself :(

Thanks for sticking with me on this, learning way more than just reading books :)

Ken~

Ahh okay that makes sense to me now :)  Learning how everything is getting tied together.

I will let you know Sunday/Monday what happens.

The location in question is a 4.5hr drive for me and I am down there a few times a year when needed for on-site support.  If not, we have remote tools setup to do most of the work.  Will kick myself if its an arp issue as I was just there last week to test this at night, and could have rebooted the providers equipment then.

Again thank you for all the help.

Ken~

Hi Tim,

I made the cut last night by changing my default route to point to the new inside ASA.  Then shutdown the outside of the old ASA.  Waited a few hours and boom!  My https://mail.mycompany.com started to work.

I tried to get a hold of the provider to have them bounce their equipment, but the tech didn't want to, so I just waited for the arp cache the clear.

Thank you again for all the help :)

Ken~

Beautiful. You're welcome, have a great week!

Regards,

Tim

Please rate useful posts and mark answers as correct.