Outlook web access over pix firewall

jeric_saldua
Level 1

Hi Firewall Guru,

Can anybody here help me set up my Cisco firewall to work for external Outlook Web Access? I have changed some parameters and made it run internally; however, I cannot access it externally.

This means that when I open Outlook Web Access on our LAN it works, but when I try to open it via the Internet (ISP) I can't open it: "page cannot be found".

Please advise how you resolved it through PIX firewall configuration, if any of you have encountered the same.

Any help is greatly appreciated.

Best Regards,

Jeric

31 Replies

Hi Jay,

Thanks so much for participating in this conversation. In response to your query: yes, I already created a CA for SSL authentication. Just wondering why it is not working. Internally it's OK, the Outlook Web Access is working; however, external users cannot access it. I have a good static translation created for my mail server, and the public IP address I used is pingable over the Internet.

I tried to figure this out by checking the Microsoft website for what other ports need to be open, but to date I still couldn't find it.

Any help on resolving this is greatly appreciated.

Best Regards,

Jeric

Jeric,

OK, can you post your full PIX config (take out any sensitive info), either here or to: jmia@ohgroup.co.uk

I'll take a closer look at it for you. I deployed OWA for a customer of mine only last week using SSL via PIX on port 443, and it is working fine.

Jay

Hi Jay,

Please find below the config for your kind review.

Hope you can help me resolve it. I also sent you a copy through email.

Looking forward to hearing from you.

thanks,

jeric

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname InternetDoor
domain-name myCompany
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx1 eq smtp
access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx1 eq pop3
access-list 101 permit ip 172.xxx.1.0 255.255.255.0 172.xxx.2.0 255.255.255.0
access-list Vpn_mapping permit ip any 172.xxx.2.0 255.255.255.128
pager lines 24
logging timestamp
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 172.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL XXX.XXX.XX.X-XXX.XXX.XX.X
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255 0 0
access-group OUTGOING in interface outside
route outside 0.0.0.0 0.0.0.0 203.125.100.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server mycompany protocol radius
aaa-server mycompany (inside) host 1xx.xxx.xxx.xxx mycompany timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt accept Welcome to my world !!
crypto ipsec transform-set MYSET esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set transform-set MYSET
crypto dynamic-map DYNMAP 30 match address Vpn_mapping
crypto dynamic-map DYNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP client configuration address initiate
crypto map MYMAP client configuration address respond
crypto map MYMAP client authentication mycompany
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address 172.xxx.x.x netmask 255.255.255.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup mycompany_VPN address-pool VPN_POOL
vpngroup mycompany_VPN dns-server 1xx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpngroup mycompany_VPN default-domain myCompany.com
vpngroup mycompany_VPN split-tunnel 101
vpngroup mycompany_VPN idle-time 1800
vpngroup mycompany_VPN password ********
ssh timeout 5
console timeout 0
username xxx password xxxx privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end

Sorry, but I really do not understand you.

Where are the commands I asked you to add to configuration?

access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx6 eq 443
ip address outside 2xx.1xx.xxx.xx6 255.255.255.252
static (inside,outside) tcp interface 443 192.168.1.4 443 netmask 255.255.255.255 0 0
access-group OUTGOING in interface outside

Hi,

My apologies, I posted the old config. It's already "in" after you asked me to put it in.

I intentionally posted the old config so you can take a look at it to verify what else is missing.

But each entry you asked me to key in is already there, yet it is still not working.

Hope you can help me find ways to fix it.

Thanks again for your help; I really appreciate it.

Regards,

Jeric

Please post your running config...

Hi,

Please find below the config. I intentionally did not put the public IP address in, for security reasons.

This is the actual running configuration. Please check the attached files.

Hope you can help fix the problem.

Thanks again for helping out in solving this.

regards,

jeric

Here it is. Please find the attached files; this is the running config.

Awaiting your kind help to resolve the problem.

thanks,

Jeric

I see your inside interface is 172.168.1.1, but the internal IP of the server is 192.168.1.4. There is no route to the 192.168.1.0/24 network configured.

Hi,

Thanks for participating. Just want to correct it: it's not 172.168.1.1, it's 192.168.1.1. Please check the latest attachment.

Hope you can help out with this.

thanks,

Dennis

Hi Dennis,

I notice that the ACL_OUT permits www and tcp 135, but the static commands don't.

As there are no problems with SMTP and POP3, and you're seeing ACL matches on the HTTPS line, I'd examine the SSL configuration on your Exchange server: verify it's listening on port 443.

Regards,

Rich

Please check the attachment for the updated configurations.

Thanks so much for participating.

regards,

jeric

I think the problem is because you have the following in the configuration:

http server enable
http 192.168.1.0 255.255.255.0 inside

So you have the HTTPS server running on the PIX.

There could be a conflict between "static" and "http server enable".

Could you disable HTTPS on the PIX?

no http server enable

Hi,

Thanks, I will ask my boss first if I can disable it for testing; then I will tell you the result right away.

By the way, I noticed something: can I put in a route command, like "route x.x.x.x x.x.x.x"? I am thinking maybe I should put in a static route entry for that.

Please advise.

thanks

Jeric

Jeric,

I am very surprised to read this thread. I really appreciate your effort in doing this task.

Listen to me. Remember I told you to add some static statements to make it work, but I did not tell you the port because I was still searching for it.

I had a good conversation with Ken, our Cisco consultant. I showed him the config and this is what Ken told me to do.

We missed this static entry:

static (inside,outside) tcp interface www inside_mail_server www netmask 255.255.255.255 0 0

Also add this access-list:

access-list ACL_OUT permit tcp any host 203.125.100.246 eq www

Please let me know the result. Hope it will run.

Please do not forget to do "clear xlate" and save it.

See you soon.

Dennis
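The whole thread turns on three things lining up in a PIX 6.3 config: a static PAT entry on the outside interface, a matching permit in the access-list that is applied inbound on outside, and a real (inside) server address that the PIX can actually reach. The script below is an added example written for this page, not code from any of the posters or from Cisco. It parses only those command forms and reports the mismatches the replies describe: a permit with no static behind it (ACL hit counters climb but nothing answers), a static with no permit, and a static whose real address is off the inside subnet (the 172.168.1.1 versus 192.168.1.x confusion). The sample configs are constructed, use an RFC 5737 address for the outside interface, and the port-name table covers only the service names used in the thread.

```python
"""Consistency check for PIX 6.x server publishing (static PAT + outside ACL).

Added example for this thread, not code from the original posts or from Cisco.
It understands only the commands involved in publishing an inside server on
the outside interface:
  ip address <if> <addr> <mask>
  access-list <name> permit tcp any host <addr> eq <port>
  access-group <name> in interface <if>
  static (<real_if>,<mapped_if>) tcp <mapped_addr|interface> <port> <real_addr> <port> netmask ...
Sample configs below are constructed (RFC 5737 outside address).
"""
import ipaddress
import re

# PIX accepts service names in place of port numbers; only the names used in the thread.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
IPADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)")


def port_num(token):
    """'443' -> 443, 'smtp' -> 25; an unknown service name is an error, not a guess."""
    if token.isdigit():
        return int(token)
    if token.lower() not in PORT_NAMES:
        raise ValueError(f"unknown service name {token!r}")
    return PORT_NAMES[token.lower()]


def check_publishing(config):
    """Return a list of findings; an empty list means statics and the outside ACL agree."""
    statics, acls, groups, ifaces = [], [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, mport, real_ip, rport = m.groups()
            statics.append((real_if, mapped_if, mapped_ip, port_num(mport), real_ip, port_num(rport)))
        elif m := ACL_RE.match(line):
            acls.append((m.group(1), m.group(2), port_num(m.group(3))))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)  # interface -> ACL name applied inbound
        elif m := IPADDR_RE.match(line):
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")

    findings = []
    outside_acl = groups.get("outside")
    if outside_acl is None:
        # With no access-group on the lower-security interface, inbound is denied by default.
        findings.append("no access-group applied inbound on outside: all inbound is denied")
    permits = {(ip, port) for name, ip, port in acls if name == outside_acl}
    published = set()
    for real_if, mapped_if, mapped_ip, mport, real_ip, rport in statics:
        if mapped_ip == "interface":  # 'interface' means the mapped interface's own address
            if mapped_if not in ifaces:
                findings.append(f"static uses 'interface' but {mapped_if} has no ip address")
                continue
            mapped_ip = str(ifaces[mapped_if].ip)
        published.add((mapped_ip, mport))
        if (mapped_ip, mport) not in permits:
            findings.append(f"static {mapped_ip}:{mport} -> {real_ip}:{rport} has no permit in ACL {outside_acl}")
        inside = ifaces.get(real_if)
        if inside is not None and ipaddress.ip_address(real_ip) not in inside.network:
            findings.append(f"static real address {real_ip} is not on {real_if} subnet {inside.network}")
    for ip, port in sorted(permits - published):
        findings.append(f"ACL {outside_acl} permits {ip}:{port} but no static publishes it")
    return findings


# Constructed sample mirroring the thread: 443 and www are permitted, only 443 has a
# static, and that static points at 172.168.1.4 while inside is 192.168.1.1/24.
SAMPLE_BROKEN = """\
ip address outside 203.0.113.6 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
access-list OUTGOING permit tcp any host 203.0.113.6 eq smtp
access-list OUTGOING permit tcp any host 203.0.113.6 eq pop3
access-list OUTGOING permit tcp any host 203.0.113.6 eq 443
access-list OUTGOING permit tcp any host 203.0.113.6 eq www
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 172.168.1.4 443 netmask 255.255.255.255 0 0
access-group OUTGOING in interface outside
"""

# Same config with the real address corrected and the www static added.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("172.168.1.4", "192.168.1.4").replace(
    "access-group",
    "static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255 0 0\naccess-group")

if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, check_publishing(cfg) or ["OK"])
```

Running it on the broken sample reports the off-subnet real address and the orphaned www permit; the fixed sample returns no findings. It only reads the config, so it says nothing about whether the Exchange box is listening on 443, which is the other half of the diagnosis in the thread and still has to be checked on the server.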
