Outlook web access over pix firewall

jeric_saldua
Level 1

Hi Firewall Guru,

Can anybody here help me set up my Cisco firewall to work for external Outlook Web Access? I have changed some parameters and made it run internally; however, I cannot access it externally.

This means that when I open Outlook Web Access on our LAN it works, but when I try to open it via the Internet (ISP) I can't open it: "page cannot be found".

Please advise how you resolved it through PIX firewall configuration if any of you encountered the same.

Any help is greatly appreciated.

Best Regards,

Jeric

Accepted Solution

Jeric,

I am very surprised to read this thread. I really appreciate your effort in doing this task.

Listen to me: remember I told you to add some static statement to make it work, but I did not tell you the port because I am still searching for it.

I had a good conversation with Ken, our Cisco consultant. I showed him the config and this is what Ken told me to do.

We are missing this static entry:

static (inside,outside) tcp interface www inside_mail_server www netmask 255.255.255.255 0 0

Also add this access-list:

access-list ACL_OUT permit tcp any host 203.125.100.246 eq www

Please let me know the result. Hope it will run.

Please do not forget to do "clear xlate" and save it.

See you soon.

Dennis

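The accepted answer comes down to one rule: on a PIX, an inbound permit on the outside ACL does nothing unless a matching static translation exists for that port, and a static does nothing unless the ACL permits it. The following audit script is an added example (not from this thread or from Cisco); it parses the config lines as posted above, using a small assumed table of PIX port-name aliases, and reports ports that are forwarded but blocked, permitted but never translated (dead permits such as www and 135 here, which should be removed or given a static rather than left open), and ports that should work.

```python
import re

# PIX accepts service names in place of numbers; constructed subset for this example.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def port_num(tok):
    """Normalise a PIX port token ('www', '443') to an integer."""
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)


def audit_port_forwards(config_text):
    """Cross-check interface-PAT statics against the ACL bound to 'outside'."""
    statics, permits, groups = {}, {}, {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[port_num(m.group(3))] = m.group(4)  # outside port -> inside host
        elif m := ACL_RE.match(line):
            permits.setdefault(m.group(1), set()).add(port_num(m.group(3)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL name
    allowed = permits.get(groups.get("outside"), set())
    return {
        "forwarded_but_blocked": sorted(p for p in statics if p not in allowed),
        "permitted_but_no_static": sorted(p for p in allowed if p not in statics),
        "working": sorted(p for p in statics if p in allowed),
    }


# Constructed from the config posted in the thread (outside IP masked as there).
SAMPLE_CONFIG = """
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq smtp
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq pop3
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq https
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq www
access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq 135
static (inside,outside) tcp interface smtp inside_mail_server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 inside_mail_server pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https inside_mail_server https netmask 255.255.255.255 0 0
access-group ACL_OUT in interface outside
"""
# The accepted answer's missing line; appending it moves port 80 into "working".
FIX_LINE = "static (inside,outside) tcp interface www inside_mail_server www netmask 255.255.255.255 0 0"

if __name__ == "__main__":
    print(audit_port_forwards(SAMPLE_CONFIG))
    print(audit_port_forwards(SAMPLE_CONFIG + FIX_LINE))
```

Only plain `permit tcp any host ... eq <port>` lines and interface-PAT statics are modelled; deny lines, line order and non-TCP rules are ignored.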

31 Replies

froggy3132000
Level 3

Post your config.

Hi,

Please find the attached files; hope you can help me on this. Right now I don't have a problem with my Internet, everything is OK, the mail server is OK. When I access Outlook Web Access internally there is no problem as well; my only problem is that I cannot open it from outside our network, but I can ping it from the outside, which means the public IP address for my mail server is reachable from the outside.

Hope you can help me on this.

regards,

jeric

Please add the following:

access-list ACL_OUT permit tcp any host 2xx.1xx.xxx.xx6 eq 443

ip address outside 2xx.1xx.xxx.xx6 255.255.255.252

static (inside,outside) tcp interface 443 192.168.1.4 443 netmask 255.255.255.255 0 0

access-group ACL_OUT in interface outside

Hi,

Thanks so much for your prompt response. I followed your suggested changes and tested it; however, it is still not working.

Please check the config below.

names

name 192.168.1.4 inside_mail_server

access-list 101 permit ip 192.168.1.80 255.255.255.240 any

access-list 101 permit ip any 192.168.1.80 255.255.255.240

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq smtp

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq pop3

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq https

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq www

access-list ACL_OUT permit tcp any host 2xx.1xx.1xx.2xx eq 135

access-list ACL_OUT deny udp any any eq 1214

access-list ACL_OUT deny tcp any any eq 5000

access-list ACL_OUT deny tcp any any eq 11999

access-list ACL_OUT deny udp any any eq 5010

access-list ACL_OUT deny tcp any any eq 1214

access-list ACL_OUT deny tcp any any eq 1863

access-list outside_cryptomap_dyn_30 permit ip any 192.168.1.80 255.255.255.240

pager lines 24

ip address outside 2xx.1xx.1xx.2xx 255.255.255.252

ip address inside 192.168.1.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN_POOL 192.168.1.81-192.168.1.94

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp inside_mail_server smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pop3 inside_mail_server pop3 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface https inside_mail_server https netmask 255.255.255.255 0 0

access-group ACL_OUT in interface outside

Hope you could guide me on how to resolve it. Additional information: I use one IP address only for outside translation, and at the same time I am using it for the static mapping of my mail server inside.

I look forward to your kind response.

Thank you so much.

Jeric

Did you try "clear xlate" after making some changes?

Hi,

I did, but still "page cannot be displayed".

Thanks,

jeric

How did you check it?

Hi,

My colleague is working at home and he is the one who is testing it. He tests it by doing this: open Internet Explorer and on the address bar type http:2xx.1xx.xxx.xx6/exchange (IP address for Outlook Web Access). "Page cannot be displayed". But he can ping the IP address.

Thanks for your kind assistance, I really appreciate your help.

Regards,

Jeric

Hi,

Thanks again for your prompt response. I just tried it, but to no avail: same error.

regards

jeric

Could you show

"sh access-list ACL_OUT"

Do you see any matches for "access-list ACL_OUT permit tcp any host 2xx.1xx.xxx.xx6 eq https"?

Hi,

There are matches, but I think the matches came from internal users who access it on our LAN.

Please check below.

Firewall# sh access-list ACL_OUT

access-list ACL_OUT; 11 elements

access-list ACL_OUT line 1 permit tcp any host 2xx.1xx.xxx.xx6 eq smtp (hitcnt=471)

access-list ACL_OUT line 2 permit tcp any host 2xx.1xx.xxx.xx6 eq pop3 (hitcnt=0)

access-list ACL_OUT line 3 permit tcp any host 2xx.1xx.xxx.xx6 eq https (hitcnt=19)

access-list ACL_OUT line 4 permit tcp any host 2xx.1xx.xxx.xx6 eq www (hitcnt=0)

access-list ACL_OUT line 5 permit tcp any host 2xx.1xx.xxx.xx6 eq 135 (hitcnt=0)

access-list ACL_OUT line 6 deny udp any any eq 1214 (hitcnt=0)

access-list ACL_OUT line 7 deny tcp any any eq 5000 (hitcnt=0)

access-list ACL_OUT line 8 deny tcp any any eq 11999 (hitcnt=0)

access-list ACL_OUT line 9 deny udp any any eq 5010 (hitcnt=0)

access-list ACL_OUT line 10 deny tcp any any eq 1214 (hitcnt=0)

access-list ACL_OUT line 11 deny tcp any any eq 1863 (hitcnt=0)

thanks

On 192.168.1.4, could you show

"ipconfig /all"

Jeric,

Q. On your internal Exchange server, have you created a CA (Certificate Authority) for SSL authentication? Traffic is reaching the outside interface of your PIX on port 443.

And I presume you have the appropriate static translation set up for this traffic?

Jay
