11-02-2011 12:41 AM - edited 03-11-2019 02:45 PM
Hey,
I am publishing my Exchange Server 2003 on the internet. My network design is like this:
Internet -> Cisco ASA (Public IP) -> Exchange 2003 (Front-End Server) -> ISA 2000 -> Exchange 2003 (Back-End Server)
Both Exchange servers are working fine locally, but when I try to access IIS on the Exchange 2003 (Front-End Server) it gives me THE PAGE CANNOT BE DISPLAYED.
I have configured these commands on the ASA:
interface Ethernet0/0
nameif outside
security-level 0
ip address 180.92.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
nameif inside1
security-level 95
ip address 10.10.3.50 255.255.0.0
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq 443
access-group 201 in interface outside
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.3.32 https netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 180.92.xxx.xxx
I have tried to access an HTML page and Exchange OWA as well, but it is not working:
http://180.92.xxx.xxx
http://180.92.xxx.xxx/exchange
Both are not accessible.
Can anyone tell me what is wrong in my config and why I am unable to access the simple IIS start page?
Labels: NGFW Firewalls
Accepted Solutions
11-03-2011 01:44 AM
The default gateway should be the ASA; otherwise it will cause asymmetric routing, which is not supported. Get the captures and I will look at them.
Mike
11-02-2011 05:06 AM
......
11-02-2011 07:08 AM
Try changing your static commands from inside to inside1.
Thx
MS
11-02-2011 12:53 PM
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
static (inside1,outside) tcp interface https 10.10.3.32 https netmask 255.255.255.255
Did it, but still not able to access the website through the ASA.
11-02-2011 03:45 PM
Mmm, weird. Can you run a quick packet-tracer?
packet-tracer input outside tcp 4.2.2.2 1025 180.92.xxx.xxx 80
Paste the output here and we will rule out any possible config issue.
Mike
11-02-2011 09:20 PM
tabba-asa(config)# packet-tracer input outside tcp 4.2.2.2 1025 180.92.156.138$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
match tcp inside1 host 10.10.3.32 eq 80 outside any
static translation to 180.92.xxx.xxx/80
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside1
Untranslate 180.92.xxx.xxx/80 to 10.10.3.32/80 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 201 in interface outside
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
match tcp inside1 host 10.10.3.32 eq 80 outside any
static translation to 180.92.xxx.xxx/80
translate_hits = 0, untranslate_hits = 1
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
match tcp inside1 host 10.10.3.32 eq 80 outside any
static translation to 180.92.xxx.xxx/80
translate_hits = 0, untranslate_hits = 1
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44989, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.32 using egress ifc inside1
adjacency Active
next-hop mac address 001c.c067.f419 hits 0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside1
output-status: up
output-line-status: up
Action: allow
tabba-asa(config)# sh access-list
access-list 201 line 1 extended permit tcp any host 180.92.xxx.xxx eq www (hitcnt=6) 0x1b41318d
access-list 201 line 2 extended permit tcp any host 180.92.xxx.xxx eq https (hitcnt=0) 0x0a72fc63
tabba-asa(config)# sh conn
TCP outside 111.119.160.166:34523 inside1 10.10.3.32:80, idle 0:00:01, bytes 0, flags SaAB
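The "flags SaAB" with "bytes 0" in that show conn output is the detail worth reading closely: the ASA has created the connection from the outside SYN but is still waiting for the inside host's SYN/ACK, which is exactly what a server replying via a different gateway looks like from the firewall. As an added example (not code from the thread or from Cisco), here is a small Python decoder for ASA "show conn" TCP lines. The flag meanings are taken from the ASA show conn legend; the helper names (parse_conn, explain_flags, diagnose) are my own, and the sample line is constructed from the one posted above with the client address replaced by the 4.2.2.2 placeholder the thread already uses for packet-tracer.

```python
# Added example, not code from the thread or from Cisco: decode the
# per-connection TCP flag string printed by "show conn" on a Cisco ASA
# and say what it implies about the three-way handshake. The flag
# meanings come from the ASA "show conn" legend; helper names
# (parse_conn, explain_flags, diagnose) are assumptions of this example.
import re

# TCP-handshake-related conn flags from the ASA "show conn" legend.
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "U": "up (handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
    "F": "outside FIN",
    "f": "inside FIN",
}

# "TCP <ifc> <ip>:<port> <ifc> <ip>:<port>, idle h:mm:ss, bytes N, flags XYZ"
CONN_RE = re.compile(
    r"TCP\s+(?P<in_ifc>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<out_ifc>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s*"
    r"idle\s+(?P<idle>[\d:]+),\s*bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)"
)


def parse_conn(line):
    """Split one 'show conn' TCP line into its fields."""
    m = CONN_RE.search(line)
    if not m:
        raise ValueError("not a 'show conn' TCP line: %r" % line)
    conn = m.groupdict()
    conn["sport"] = int(conn["sport"])
    conn["dport"] = int(conn["dport"])
    conn["bytes"] = int(conn["bytes"])
    conn["flags"] = frozenset(conn["flags"])
    return conn


def explain_flags(flags):
    """Expand each flag letter with its legend text, in sorted order."""
    return [FLAG_LEGEND.get(f, "unknown flag %r" % f) for f in sorted(flags)]


def diagnose(conn):
    """One-line verdict on how far the handshake got through the ASA."""
    flags = conn["flags"]
    if "U" in flags:
        return "handshake complete through the ASA"
    if "B" in flags and "S" in flags and conn["bytes"] == 0:
        # The outside SYN was forwarded, but the ASA is still waiting for the
        # server's SYN/ACK: either nothing is listening, or the reply leaves
        # via another gateway (asymmetric routing) and never returns via the ASA.
        return ("SYN from outside forwarded, no SYN/ACK from %s seen: "
                "server not answering via the ASA (check its default gateway)"
                % conn["dst"])
    return "indeterminate: " + "; ".join(explain_flags(flags))


# Constructed from the line posted in the thread; the client address is
# replaced with the 4.2.2.2 placeholder the thread already uses for packet-tracer.
SAMPLE_CONN = ("TCP outside 4.2.2.2:34523 inside1 10.10.3.32:80, "
               "idle 0:00:01, bytes 0, flags SaAB")

if __name__ == "__main__":
    c = parse_conn(SAMPLE_CONN)
    print(", ".join(explain_flags(c["flags"])))
    print(diagnose(c))
```

Read together with the ACL hit count (hitcnt=6 on the www line) and the packet-tracer "Action: allow", a conn stuck at SaAB tells you the firewall is doing its part: the SYN is untranslated, permitted and routed out inside1, and the missing piece is the return path from 10.10.3.32.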
11-02-2011 09:26 PM
Everything points out that it is working properly. Please take captures as detailed below:
https://supportforums.cisco.com/docs/DOC-1222
Mike
11-02-2011 09:36 PM
OK, let me get these for you.
11-02-2011 09:48 PM
Mike, can you please guide me on where I have to access this page from?
https://ip_of_firewall/capture/in-cap/pcap
https://ip_of_firewall/capture/out-cap/pcap
11-02-2011 10:02 PM
Ran the following commands; the output files are attached:
tabba-asa(config)# access-list cap-list permit tcp host 10.10.3.32 host 180.92.xxx.xxx eq 80
tabba-asa(config)# access-list cap-list permit tcp host 180.92.xxx.xxx eq 80 host 10.10.3.32
tabba-asa(config)# capture in-cap interface inside1 access-list cap-list buffer 1000000 packet 1522
tabba-asa(config)# capture out-cap interface outside access-list cap-list buffer 1000000 packet 1522
tabba-asa(config)# capture in-cap interface inside1 match tcp host 10.10.3.32 host 180.92.xxx.xxx eq 80
ERROR: A match and an access-list can not be configured on the same caputre.
tabba-asa(config)# no cap
tabba-asa(config)# no capture in
tabba-asa(config)# no capture in-cap
tabba-asa(config)# no capture out-cap
tabba-asa(config)#
11-02-2011 10:39 PM
Captures appear to be broken and I cannot open them. Warning: once you post the captures, we will be able to see the IP addresses.
Try something on your side: put Wireshark on the server, start it and add a filter using the IP address from where you are trying to connect, like this:
ip.addr eq x.x.x.x
where x.x.x.x is the IP from where you are trying to connect.
Mike
11-02-2011 10:51 PM
I stopped the capture service after saving the capture files. Do I need to give it some more time to capture the data, or can I stop the capture service as soon as I get the captures?
OK, I will filter out the IP in Wireshark.
11-02-2011 10:55 PM
The procedure is that you set up the captures, then you open the web browser (from an outside machine), try to access, wait for it to time out and then download the captures.
The best approach now, in order to avoid information disclosure, is for you to put Wireshark on the server, set the filter, send some packets and check if they reach the server.
Mike
11-02-2011 11:16 PM
So after saving the captures I need to open the file in Wireshark, then open the captures and filter out the IP?
Sorry to bother you, as I am a newbie with packet analyzers.
11-02-2011 11:21 PM
Don't worry, we all were at some point.
That is something that I want to avoid. Go to the server that is hosting OWA, then start Wireshark there (Capture, select interfaces and then select the NIC that has 10.10.3.32). Once the capture starts, put the following value in the filter:
ip.addr eq x.x.x.x
Select Apply.
x.x.x.x is the IP you are coming from. Once you start sending packets you should see the packets getting to the server.
That would give you more info.
Let me know.
Mike
