05-27-2005 11:51 PM - edited 02-21-2020 12:10 AM
Hi Firewall Guru,
Can anybody here help me set up my Cisco firewall to work for external Outlook Web Access? I have changed some parameters and made it run internally; however, I cannot access it externally.
This means that when I open Outlook Web Access on our LAN it works, but when I try to open it via the Internet (ISP) I can't open it: "page cannot be found".
Please advise how you resolved it through PIX firewall configuration, if any of you have encountered the same.
Any help is greatly appreciated.
Best Regards,
Jeric
05-31-2005 04:59 AM
Hi Jay,
Thanks so much for participating in this conversation. In response to your query: yes, I already created a CA for SSL authentication. Just wondering why it is not working. Internally it's OK, the Outlook Web Access is working; however, external users cannot access it. I have a good static translation created for my mail server, and the public IP address I used is pingable over the Internet.
I tried to figure this out by checking the Microsoft website for what other ports need to be open, but to date I still couldn't find it.
Any help on resolving this is greatly appreciated.
Best Regards,
Jeric
05-31-2005 05:05 AM
Jeric,
OK, can you post your full PIX config (take out any sensitive info), either here or to: jmia@ohgroup.co.uk
I'll take a closer look at it for you. I deployed OWA for a customer of mine only last week using SSL via PIX on port 443 and it is working fine.
Jay
05-31-2005 07:10 AM
Hi Jay,
Please find below the config for your kind review.
I hope you can help me resolve it. I also sent you a copy through email.
Looking forward to hearing from you.
thanks,
jeric
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname InternetDoor
domain-name myCompany
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx1 eq smtp
access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx1 eq pop3
access-list 101 permit ip 172.xxx.1.0 255.255.255.0 172.xxx.2.0 255.255.255.0
access-list Vpn_mapping permit ip any 172.xxx.2.0 255.255.255.128
pager lines 24
logging timestamp
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 172.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL XXX.XXX.XX.X-XXX.XXX.XX.X
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255 0 0
access-group OUTGOING in interface outside
route outside 0.0.0.0 0.0.0.0 203.125.100.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server mycompany protocol radius
aaa-server mycompany (inside) host 1xx.xxx.xxx.xxx mycompany timeout 10
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt accept Welcome to my world !!
crypto ipsec transform-set MYSET esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set transform-set MYSET
crypto dynamic-map DYNMAP 30 match address Vpn_mapping
crypto dynamic-map DYNMAP 30 set transform-set ESP-3DES-MD5
crypto map MYMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP client configuration address initiate
crypto map MYMAP client configuration address respond
crypto map MYMAP client authentication mycompany
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address 172.xxx.x.x netmask 255.255.255.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup mycompany_VPN address-pool VPN_POOL
vpngroup mycompany_VPN dns-server 1xx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpngroup mycompany_VPN default-domain myCompany.com
vpngroup mycompany_VPN split-tunnel 101
vpngroup mycompany_VPN idle-time 1800
vpngroup mycompany_VPN password ********
ssh timeout 5
console timeout 0
username xxx password xxxx privilege 15
terminal width 80
Cryptochecksum:xxxxx
: end
05-31-2005 09:42 AM
Sorry, but I really do not understand you.
Where are the commands I asked you to add to the configuration?
access-list OUTGOING permit tcp any host 2xx.1xx.xxx.xx6 eq 443
ip address outside 2xx.1xx.xxx.xx6 255.255.255.252
static (inside,outside) tcp interface 443 192.168.1.4 443 netmask 255.255.255.255 0 0
access-group OUTGOING in interface outside
05-31-2005 02:44 PM
Hi,
My apologies, I posted the old config. It's already in after you asked me to put it in.
I intentionally posted the old config so you could take a look at it to verify what else is missing.
But each entry you asked me to key in is already there, yet it is still not working.
I hope you can help me find ways of fixing it.
thanks again for your help I really appreciate it.
Regards,
Jeric
06-01-2005 12:02 AM
Please post your running config...
06-01-2005 06:32 PM
I see your inside interface is 172.168.1.1, but your internal ip of server is 192.168.1.4. There is no route to the 192.168.1.0/24 network configured.
06-01-2005 06:59 PM
Hi,
Thanks for participating. Just want to correct it: it's not 172.168.1.1, it's 192.168.1.1. Please check the latest attachment.
I hope you can help out with this.
thanks,
Dennis
06-01-2005 08:14 PM
Hi Dennis,
I notice that the ACL_OUT permits www and tcp 135, but the static commands don't.
As there are no problems with smtp and pop3, and you're seeing acl matches on the https line, I'd examine the ssl configuration on your exchange server - verify it's listening on port 443.
Regards,
Rich
06-01-2005 09:12 PM
Please check the attachment for the updated configuration.
Thanks so much for participating.
regards,
jeric
06-01-2005 08:54 PM
I think the problem is because you have the following in the configuration:
http server enable
http 192.168.1.0 255.255.255.0 inside
so you are running an HTTPS server on the PIX.
There could be a conflict between "static" and "http server enable".
Could you disable HTTPS on the PIX?
no http server enable
06-01-2005 09:07 PM
Hi,
Thanks, I will ask my boss first if I can disable it for testing, then I will tell you the result right away.
By the way, I noticed something: can I put in a route command, like "route x.x.x.x x.x.x.x"? I am thinking maybe I should put in a static route entry for that.
Please advise.
thanks
Jeric
06-03-2005 07:35 PM
Jeric,
I am very surprised to read this thread. I really appreciate your effort on doing this task.
Listen to me: remember I told you to add some static statements to make it work, but I did not tell you the port because I was still searching for it.
I had a good conversation with Ken, our Cisco consultant. I showed him the config and this is what Ken told me to do.
We missed this static entry:
static (inside,outside) tcp interface www inside_mail_server www netmask 255.255.255.255 0 0
Also add this access-list:
access-list ACL_OUT permit tcp any host 203.125.100.246 eq www
Please let me know the result. Hope it will run.
Please do not forget to do "clear xlate" and save it.
See you soon.
Dennis
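Every wrong turn in this thread was a mismatch between three parts of the PIX config that have to agree for an inbound service to work: the `static` that publishes the port, the `access-list` applied inbound on the outside interface that permits it, and the inside subnet (or a route) that actually reaches the server. The script below is an added example, not code from this thread or from Cisco. It parses a constructed PIX 6.3 excerpt modelled on the first config posted above (addresses are made up; 203.0.113.2 stands in for the real outside address) and reports each of the mismatches the thread turned on: an ACL line with no static behind it (the 443 line), a static with no ACL line, and a published server that is not on the inside interface's subnet (the 172.168.1.1 typo). It does not parse `route inside` lines and does not check the PIX `http server` setting.

```python
"""Consistency check for PIX 6.3 port publishing (static + access-list).

Added example, not code from this thread or from Cisco. It parses a
constructed PIX 6.3 config excerpt modelled on the one posted above and
reports the three mismatches the thread turned on:
  - an outside ACL line that permits a port no static publishes
  - a static that publishes a port the outside ACL does not permit
  - a published server whose address is not on the inside subnet
The addresses and both config excerpts below are made up for the demo.
"""
import ipaddress
import re

# PIX accepts service names or numbers in both static and access-list lines.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "pop3": 110}

INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)")
OUTSIDE_RE = re.compile(r"^ip address outside (\S+) (\S+)")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")


def port_number(token):
    """Map a PIX service keyword or numeric string to a port number."""
    return PORT_NAMES.get(token.lower()) or int(token)


def parse(config):
    """Pull out only the lines that matter for inbound publishing."""
    cfg = {"inside": None, "outside_ip": None, "statics": [], "acls": {},
           "outside_acl": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := INSIDE_RE.match(line):
            cfg["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := OUTSIDE_RE.match(line):
            cfg["outside_ip"] = m[1]
        elif m := STATIC_RE.match(line):
            cfg["statics"].append(
                (m[1], port_number(m[2]), m[3], port_number(m[4])))
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], port_number(m[3])))
        elif m := ACCESS_GROUP_RE.match(line):
            cfg["outside_acl"] = m[1]
    return cfg


def check(config):
    """Return a sorted list of findings; an empty list means consistent."""
    cfg = parse(config)
    findings = []
    published = {}
    for gip, gport, lip, lport in cfg["statics"]:
        # 'interface' in a static means the outside interface address; the
        # matching ACL line has to name that real address, not the keyword.
        gip = cfg["outside_ip"] if gip == "interface" else gip
        published[(gip, gport)] = (lip, lport)
        if cfg["inside"] and ipaddress.ip_address(lip) not in cfg["inside"]:
            findings.append(f"static {gport}: server {lip} is not on inside "
                            f"subnet {cfg['inside']}")
    if cfg["outside_acl"] is None:
        findings.append("no access-group applied inbound on outside")
        permitted = set()
    else:
        permitted = set(cfg["acls"].get(cfg["outside_acl"], []))
    for host, port in sorted(permitted - published.keys()):
        findings.append(f"acl permits {host}:{port} but no static publishes it")
    for host, port in sorted(published.keys() - permitted):
        findings.append(f"static publishes {host}:{port} but outside acl "
                        f"does not permit it")
    return sorted(findings)


# Constructed excerpt mirroring the thread's first posted config: 443 is
# permitted but never published, and the inside address is mistyped.
BROKEN = """\
ip address outside 203.0.113.2 255.255.255.252
ip address inside 172.168.1.1 255.255.255.0
access-list OUTGOING permit tcp any host 203.0.113.2 eq smtp
access-list OUTGOING permit tcp any host 203.0.113.2 eq pop3
access-list OUTGOING permit tcp any host 203.0.113.2 eq 443
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255 0 0
access-group OUTGOING in interface outside
"""

# Same excerpt with the inside address corrected and the 443 static added.
FIXED = BROKEN.replace("172.168.1.1", "192.168.1.1") + (
    "static (inside,outside) tcp interface 443 192.168.1.4 443 "
    "netmask 255.255.255.255 0 0\n")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {check(cfg) or ['consistent']}")
```

A clean report only means the PIX side is self-consistent. After changing a `static` the existing translations must be flushed with `clear xlate`, and the remaining failure mode Rich raised (the Exchange box not listening on 443) is checked from outside with `openssl s_client -connect <public-ip>:443` while watching `show access-list` hit counts on the PIX: a rising counter on the 443 line with no SSL handshake points at the server, not the firewall. Publishing only 443 keeps OWA credentials off the wire; opening 80 as well is only worth it if the server redirects it to HTTPS.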