PIX 501 and OWA Config

mikeh
Level 1

We have a PIX501 in front of our Exchange Server running OWA. The site is a home office with one static IP address on the outside interface.

We can RDP through the firewall to the server, and we can telnet to port 25 on the server.

However, if we try to browse from an Internet-connected PC to OWA on the server, we get "page not found". Apparently we are missing a piece of the config required to make this work. Everything else works fine except for inbound port 80. (OWA works on the local area network (inside interface) so we think the Exchange piece is correct.)

The config follows. Thanks in advance for any help or suggestions!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
route inside 192.168.100.0 255.255.255.0 192.168.1.102 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
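The check the replies below end up doing by eye (for each TCP port on the outside interface, is there both an ACL permit and a matching static, and is the ACL actually bound to the outside interface?) can be scripted. This is an added example, not code from the thread or from Cisco; the regular expressions only recognise the `access-list ... permit tcp any interface <if> eq <port>`, `static (in,out) tcp interface <port> <host> <port> netmask ...` and `access-group ... in interface <if>` forms that appear in the config above, and the keyword-to-port table covers only the service names used there. The two config snippets embedded in the block are the relevant lines of the posted config and a constructed variant with the port-80 static removed.

```python
"""Cross-check a PIX 6.x config: which inbound TCP ports on the outside
interface are both permitted by the bound ACL and translated by a static,
and which are only half-configured (added example; assumptions noted)."""
import re

# PIX CLI service keywords -> port numbers (only the names used in the thread).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25,
                 "ssh": 22, "telnet": 23, "ftp": 21}

# Only the line shapes present in the posted config are recognised (assumption).
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+tcp\s+any\s+interface\s+(\S+)\s+eq\s+(\S+)$")
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+tcp\s+interface\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")


def to_port(token):
    """Resolve a numeric or keyword port token the way the PIX CLI does."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def audit_outside_exposure(config_text, outside_if="outside"):
    """Return a dict with:
    'reachable'   : {outside_port: (inside_host, inside_port)} - permit + static
    'acl_only'    : ports permitted by the bound ACL but with no static
    'static_only' : ports with a static but no permit in the bound ACL
    """
    acl_ports = {}   # acl name -> ports permitted to the outside interface address
    statics = {}     # outside port -> (inside host, inside port)
    bound = {}       # interface -> acl name applied inbound
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(2) == outside_if:
            acl_ports.setdefault(m.group(1), set()).add(to_port(m.group(3)))
            continue
        m = STATIC_RE.match(line)
        if m and m.group(2) == outside_if:
            statics[to_port(m.group(3))] = (m.group(4), to_port(m.group(5)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)
    # An ACL that is never applied to the interface permits nothing.
    permitted = acl_ports.get(bound.get(outside_if), set())
    static_ports = set(statics)
    return {
        "reachable": {p: statics[p] for p in sorted(permitted & static_ports)},
        "acl_only": sorted(permitted - static_ports),
        "static_only": sorted(static_ports - permitted),
    }


# Relevant lines of the config posted in the thread.
THREAD_CONFIG = """
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Constructed variant: the www static is missing, so port 80 is permitted
# but never translated to an inside host.
HALF_CONFIG = "\n".join(
    l for l in THREAD_CONFIG.splitlines() if "interface www" not in l)

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("missing-static", HALF_CONFIG)):
        print(name, audit_outside_exposure(cfg))
```

On the posted config the script reports all four ports (25, 80, 443 and 3389) as reachable and nothing half-configured, which matches the later conclusion in the thread that the ACL and statics are fine and the problem lies on the server side.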

10 Replies

mmorris11
Level 4

Have you tried disabling the http server on the 501?

jmia
Level 7

Questions -

1. Can you actually telnet from a remote PC to port 443 using the public facing internet IP address (your pix outside interface IP)?

2. On your OWA server, is it set to listen on port 443 or is it still listening on port 80?

3. Are you using SSL certificates and if yes, has this been setup correctly?

4. When you initiate a connection from a remote PC, are you using the IP address or the domain name, i.e. https:///exchange OR https:///exchange?

Your configuration on the PIX looks OK to me; I suspect that this is more of an issue with the OWA server setup rather than the PIX.

Let me know.

Jay

Currently, SSL is not configured on the server so the answer is NO to your first 3 questions. For question 4, we have tried both but only on port 80.

OWA works fine on the inside LAN using port 80. That is the mystery to me - it works fine except when going through the firewall, but the firewall seems to be configured properly.

I believe that a certificate is being installed today so perhaps we'll be able to test 443 and see if that works.

Thanks!

You've just answered my question. In your access-list you're specifying TCP port 443; as you're not using SSL, you need to modify the ACL and static so that they read:

access-list outside_access_in permit tcp any interface outside eq 80

static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0

Issue: wr m and clear xlate.

If you are now going to install a SSL cert then keep the config as is and make sure that your OWA server is listening on TCP port 443.

Please rate posts if it helps!!!

Jay

Are you saying that I cannot have port 80 and port 443 both opened and static-mapped to the server on 192.168.1.10?

In the config that I posted, I have the access-list allowing port 80 and port 443. I also have statics translating them to the 192.168.1.10 address.

I have done the clear xlate many times with no change.

Thanks for your thoughts and suggestions! I really appreciate it.

Well, there is your problem. On the firewall you have port 443 (https) open, not 80 (http). So any connection attempt for port 443 will not work because the server isn't set up for SSL, and any connection to port 80 will not work because it is not open on the firewall.

Thanks,

Chad

Please rate if this helps!

Thanks for your comments.

In my original post, the configuration includes both access-list and static commands that allow ports 80 and 443 to enter through the outside interface, and then get translated to the server at 192.168.1.10.

Are you saying that those configuration lines are incorrect? Are they mutually exclusive?

To my understanding both ports are open on the firewall. If you don't mind, what am I not understanding?

Thanks!

I apologize. I misread the config file. The ACL and statics look fine.

I see you only have 1 external IP. Are there any other servers on the inside running web sites? Do a sh conn to see if any other devices have a connection on those ports.

Try looking at debugs to see if there are any errors.

Thanks,

Chad

andyjames
Level 1

Hello,

I have a site running OMA and OWA through a PIX 501. I have compared your config to that one and they match.

I would take out the fixup protocol http from your config and see if that improves the situation.

If you still cannot connect externally, this points to the Exchange setup. The authentication settings for the site can be a problem; internally it may well authenticate you on cached credentials, but when coming in externally this will not happen.

When you have your SSL cert, change to port 443 and set the authentication on the Exchange server to Integrated Windows Auth and Basic Auth. That should work then.

Andy.

Once the server administrator got the certificate installed, it all started working.

I'm not sure why it wouldn't work over port 80, but I suspect the OS or Exchange had issues with it.

FYI, removing the fixup protocol http 80 did not change anything. I tried it both ways on your suggestion.

Thanks to everyone for your thoughts and comments!
