05-27-2005 11:51 PM - edited 02-21-2020 12:10 AM
Hi Firewall Guru,
Can anybody here help me set up my Cisco firewall to work for external Outlook Web Access? I have changed some parameters and made it run internally, however I cannot access it externally.
This means, when I open Outlook Web Access on our LAN it works, but when I try to open it via the internet (ISP) I can't open it: "page cannot be found".
Pls advise how you resolved it through PIX firewall configuration if any of you encountered the same.
Any help is greatly appreciated.
Best Regards,
Jeric
06-03-2005 07:35 PM
Jeric,
I am very surprised to read this thread. I really appreciate your effort on doing this task.
Listen to me. Remember I told you to add some static statements to make it work, but I did not tell you the port coz I am still searching for it.
I had a good conversation with Ken, our Cisco consultant. I showed him the config and this is what Ken told me to do.
We missed this static entry.
static (inside,outside) tcp interface www inside_mail_server www netmask 255.255.255.255 0 0
also add this access-list
access-list ACL_OUT permit tcp any host 203.125.100.246 eq www
Pls let me know the result. Hope it will run.
Pls do not forget to do "Clear Xlate" and save it.
See you soon.
Dennis
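The mismatch Dennis describes (ACL_OUT permits www to the outside address, but there is no matching static translation for www) is easy to miss by eye. The following is an added example written for this thread, not Dennis's, Ken's or Cisco's code: a small Python audit that parses the relevant PIX lines and reports every TCP port the outside ACL permits toward the outside interface address that has no corresponding `static (inside,outside) tcp interface ...` entry, and vice versa. The sample config is constructed from the lines posted in this thread, with the public address kept in the same masked form.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the config posted in this thread (masked public
# IP kept as-is); the www static that the accepted answer adds is deliberately absent.
SAMPLE_CONFIG = """\
name 192.168.1.4 inside_mail_server
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq smtp
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq pop3
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq https
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq www
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq 135
access-list ACL_OUT deny tcp any any eq 1863
ip address outside 2xx.1xx.1xx.2xx 255.255.255.252
static (inside,outside) tcp interface smtp inside_mail_server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 inside_mail_server pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https inside_mail_server https netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
"""

# PIX keyword names for the TCP ports that appear in the thread.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

# Only the line shapes used in the thread are parsed; anything else is ignored.
IP_RE = re.compile(r"^ip address outside (\S+) \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def port_number(token: str) -> Optional[int]:
    """Translate a PIX port keyword or number into an integer port."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def audit(config: str) -> Dict[str, object]:
    """Cross-check outside ACL permits against interface static translations.

    Returns the outside IP, the ACL bound inbound on 'outside', the ports that
    are permitted to the outside IP but never translated (traffic is allowed
    in, then dropped because no xlate exists), and statics nobody can reach
    because the ACL never permits them.
    """
    outside_ip: Optional[str] = None
    outside_acl: Optional[str] = None
    permits: Dict[str, List[Tuple[str, Optional[int]]]] = {}
    statics: Dict[Optional[int], Tuple[str, Optional[int]]] = {}

    for raw in config.splitlines():
        line = raw.strip()
        m = IP_RE.match(line)
        if m:
            outside_ip = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:
            permits.setdefault(m.group(1), []).append((m.group(2), port_number(m.group(3))))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[port_number(m.group(1))] = (m.group(2), port_number(m.group(3)))
            continue
        m = GROUP_RE.match(line)
        if m:
            outside_acl = m.group(1)

    # Only permits whose destination is the outside interface address matter here.
    permitted_ports = {p for host, p in permits.get(outside_acl or "", []) if host == outside_ip}
    return {
        "outside_ip": outside_ip,
        "outside_acl": outside_acl,
        "permitted_without_static": sorted(p for p in permitted_ports if p not in statics),
        "static_without_permit": sorted(p for p in statics if p not in permitted_ports),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample above the audit lists ports 80 and 135 as permitted but untranslated, which is exactly the www gap the accepted answer closes with the extra `static` line; re-running it with that line appended leaves only 135. Real configs wrap long lines and use many more command forms, so treat the regexes as a starting point for the line shapes in this thread rather than a general PIX parser.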
05-28-2005 05:16 PM
post your config
05-28-2005 07:00 PM
Hi,
pls find attached files. Hope you can help me on this. Right now I don't have a problem with my internet, everything is OK, the mail server is OK. When I access Outlook Web Access internally there is no problem as well; my only problem is I cannot open it outside our network, but I can ping it from the outside, which means the public IP address for my mail server is reachable from the outside.
Hope you can help me on this.
regards,
jeric
05-28-2005 08:06 PM
pls add the following
access-list ACL_OUT permit tcp any host 2xx.1xx.xxx.xx6 eq 443
ip address outside 2xx.1xx.xxx.xx6 255.255.255.252
static (inside,outside) tcp interface 443 192.168.1.4 443 netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
05-29-2005 07:35 PM
Hi,
Thanks so much for your prompt response. I followed your suggested changes and tested it, however it is still not working.
Pls check the config below.
names
name 192.168.1.4 inside_mail_server
access-list 101 permit ip 192.168.1.80 255.255.255.240 any
access-list 101 permit ip any 192.168.1.80 255.255.255.240
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq smtp
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq pop3
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq https
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq www
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq 135
access-list ACL_OUT deny udp any any eq 1214
access-list ACL_OUT deny tcp any any eq 5000
access-list ACL_OUT deny tcp any any eq 11999
access-list ACL_OUT deny udp any any eq 5010
access-list ACL_OUT deny tcp any any eq 1214
access-list ACL_OUT deny tcp any any eq 1863
access-list outside_cryptomap_dyn_30 permit ip any 192.168.1.80 255.255.255.240
pager lines 24
ip address outside 2xx.1xx.1xx.2xx 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 192.168.1.81-192.168.1.94
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp inside_mail_server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 inside_mail_server pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https inside_mail_server https netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
Hope you could guide me on how to resolve it. Additional information: I use one IP address only for outside translation and at the same time I am using it for the static mapping of my mail server inside.
I will look forward to your kind response.
Thank you so much.
Jeric
05-29-2005 08:48 PM
Did you try "clear xlate" after making some changes?
05-29-2005 09:12 PM
Hi,
I did, but still "page cannot be displayed".
Thanks,
jeric
05-29-2005 09:29 PM
How did you check it?
05-29-2005 10:17 PM
Hi,
My colleague is working at home and he is the one who is testing it. He tests it by doing this: open Internet Explorer and in the address bar type http:2xx.1xx.xxx.xx6/exchange (the IP address for Outlook Web Access). "Page cannot be displayed". But he can ping the IP address.
Thanks for your kind assistance, I really appreciate your help.
Regards,
Jeric
05-29-2005 11:41 PM
use HTTPS
05-30-2005 12:18 AM
Hi,
Thanks again for your prompt response. I just tried it but to no avail, same error...
regards
jeric
05-30-2005 12:39 AM
could you show
"sh access-list ACL_OUT"
Do you see any matches for "access-list ACL_OUT permit tcp any host 2xx.1xx.xxx.xx6 eq https"?
05-30-2005 01:30 AM
Hi,
There are matches, but I think the matches came from internal users who access it on our LAN.
Pls check below.
Firewall# sh access-list ACL_OUT
access-list ACL_OUT; 11 elements
access-list ACL_OUT line 1 permit tcp any host 2xx.1xx.xxx.xx6 eq smtp (hitcnt=471)
access-list ACL_OUT line 2 permit tcp any host 2xx.1xx.xxx.xx6 eq pop3 (hitcnt=0)
access-list ACL_OUT line 3 permit tcp any host 2xx.1xx.xxx.xx6 eq https (hitcnt=19)
access-list ACL_OUT line 4 permit tcp any host 2xx.1xx.xxx.xx6 eq www (hitcnt=0)
access-list ACL_OUT line 5 permit tcp any host 2xx.1xx.xxx.xx6 eq 135 (hitcnt=0)
access-list ACL_OUT line 6 deny udp any any eq 1214 (hitcnt=0)
access-list ACL_OUT line 7 deny tcp any any eq 5000 (hitcnt=0)
access-list ACL_OUT line 8 deny tcp any any eq 11999 (hitcnt=0)
access-list ACL_OUT line 9 deny udp any any eq 5010 (hitcnt=0)
access-list ACL_OUT line 10 deny tcp any any eq 1214 (hitcnt=0)
access-list ACL_OUT line 11 deny tcp any any eq 1863 (hitcnt=0)
thanks
05-30-2005 02:15 AM
on 192.168.1.4 could you show
"ipconfig /all"
05-30-2005 11:36 PM
Jeric,
Q. On your internal Exchange server, have you created a CA (Certificate Authority) for SSL authentication? Traffic is reaching the outside interface of your PIX on port 443.
And I presume you have the appropriate static translation set up for this traffic?
Jay