01-10-2007 11:47 AM - edited 03-11-2019 02:17 AM
We have a PIX501 in front of our Exchange Server running OWA. The site is a home office with one static IP address on the outside interface.
We can RDP through the firewall to the server, and we can telnet to port 25 on the server.
However, if we try to browse from an Internet-connected PC to OWA on the server, we get "page not found". Apparently we are missing a piece of the config required to make this work. Everything else works fine except for inbound port 80. (OWA works on the local area network (inside interface) so we think the Exchange piece is correct.)
The config follows. Thanks in advance for any help or suggestions!
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.252
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
route inside 192.168.100.0 255.255.255.0 192.168.1.102 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
01-10-2007 11:54 AM
Have you tried disabling the http server on the 501?
01-11-2007 12:22 AM
Questions -
1. Can you actually telnet from a remote PC to port 443 using the public facing internet IP address (your pix outside interface IP)?
2. On your OWA server, is it set to listen on port 443 or is it still listening on port 80?
3. Are you using SSL certificates and if yes, has this been setup correctly?
4. When you initiate a connection from a remote PC are using IP address or domain name i.e. https://
Your configuration on the PIX looks ok to me, I suspect that this is more of an issue on the OWA server setup rather then the PIX.
Let me know.
Jay
01-11-2007 05:20 AM
Currently, SSL is not configured on the server so the answer is NO to your first 3 questions. For question 4, we have tried both but only on port 80.
OWA works fine on the inside LAN using port 80. That is the mystery to me - it works fine except when going through the firewall, but the firewall seems to be configured properly.
I believe that a certificate is being installed today so perhaps we'll be able to test 443 and see if that works.
Thanks!
01-11-2007 06:07 AM
You've just answered my question - on your access-list your specifing TCP port 443 as your not using SSL then you need to modify the ACL and static so that it reads:
access-list outside_access_in permit tcp any interface outside eq 80
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0
Issue: wr m and clear xlate.
If you are now going to install a SSL cert then keep the config as is and make sure that your OWA server is listening on TCP port 443.
Please rate posts if it helps!!!
Jay
01-11-2007 08:29 AM
Are you saing that I cannot have port 80 and port 443 both opened and static-mapped to the server on 192.168.1.10?
In the config that I posted, I have the access-list list allowing port 80 and port 443. I also have statics translating them to the 192.168.1.10 address.
I have done the clear xlate many times with no change.
Thanks for your thoughts and suggestions! I really appreciate it.
01-11-2007 06:10 AM
Well there is your problem. On the firewall you have port 443 (https) open not 80 (http). So any connection attempt for port 443 will not work becuase the server isn't setup for ssl. And any connection to port 80 will not work becuase it is not open on the firewall.
Thanks,
Chad
Please rate if this helps!
01-11-2007 08:33 AM
Thanks for your comments.
In my original post, the configuration includes both access-list and static commands that allow ports 80 and 443 to enter through the outside interface, and then get translated to the server at 192.168.1.10.
Are you saying that those configuration lines are incorrect? Are they mutually exclusive?
To my understanding both ports are open on the firewall. If you don't mind, what am I not understanding?
Thanks!
01-11-2007 09:14 AM
I applogize. I mis-read the config file. The ACL and statics look fine.
I see you only have 1 external IP. Are there any other servers on the inside running web sites? Do a sh conn to see if any other devices have a connection on those ports.
Try looking at debugs to see if there are any errors.
Thanks,
Chad
01-12-2007 07:38 AM
Hello,
I have a site running OMA and OWA through a PIX 501. I have compared your config to that one and they match.
I would take out the fixup protocol http from your config and see if that improves the situation.
If you still cannot connect externally this points to the Exchange setup. The authentication settings for the site can be a problem, internally it may well authenticate you on cached credentials but when comming in externally this will not happen.
When you have your SSL cert, change to port 443 and set the authentication on the Exchange server to Integrated Windows Auth and Basic Auth. That should work then.
Andy.
01-12-2007 12:42 PM
Once the server administrator got the certificate installed, it all started working.
I'm not sure why it wouldn't work over port 80, but I suspect the OS or Exchange had issues with it.
FYI, removing the fixup protocol http 80 did not change anything. I tried it both ways on your suggestion.
Thanks to everyone for your thoughts and comments!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide