Remote location OWA problem with ASA 5510

ddevecka
Level 1

We have a network head end in the US where we have a block of outside IPs that we do NATs with. I used one of these IPs to NAT an Exchange server in Germany. Our Germany office connects via MPLS to the network head end. In Germany we have a DSL line for internet traffic with an ASA 5510 protecting it; all other traffic is sent back over the MPLS line to the US and other locations. The problem is that the NAT I set up for the OWA part of the server in Germany doesn't work with the default route in the router pointing to the firewall, but when I direct all traffic to the MPLS cloud, OWA works fine. I know I am missing something stupid on this but I can't figure it out. Can anyone help point me in the correct direction? Again, the DSL is just for Internet surfing because of the German language. The default route in the router points to the firewall and I have static routes pointing to the MPLS next-hop router for all other traffic.

Thanks,

Dan

10 Replies

Nagaraja Thanthry
Cisco Employee

You need to configure PBR on the router to route all traffic from the OWA server to the MPLS cloud. Please try the following:

! Standard ACL matching only packets sourced from the OWA server
access-list 1 permit host "OWA Server IP"
!
! permit 10 is the default when the action and sequence are omitted
route-map OWA permit 10
 match ip address 1
 set ip next-hop "MPLS Cloud next hop"
exit
!
! Apply the policy on the interface where the server's traffic enters the router
interface "LAN side interface id"
 ip policy route-map OWA
exit

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

Hope this helps.

Regards,

NT

So do this on the router, not the firewall?

Yes.

Yes. The router supports policy-based routing while the ASA does not.

Regards,

NT

Will this hurt the local Exchange functionality in the Germany office, or is it just a help to get it flowing back to the MPLS cloud? Again, if I set the default route to point to the MPLS cloud it works, but when I set it to point to the firewall to allow surfing the net from the DSL to get all web sites in German, it stops working. I just don't get why it is breaking, because the static routes should tell it to head back to the MPLS cloud to get out.

The reason it is not working is that when a client on the internet requests to connect to the OWA server, the request comes to your main office ASA. The ASA translates the destination IP to the actual IP of the OWA server and sends the request via the MPLS cloud towards the server. The server processes the request, forms a response and sends it towards the client. The router looks up the destination IP and determines it to be on the internet. Since there is no specific route to the destination, it uses the default route and sends the response to the ASA. Now the ASA also looks up its default gateway and finds that the next hop is the DSL. So it would have to forward the response packet via its outside interface (connected to the DSL). But before that, the ASA looks up its connection table to see if the reply packet belongs to any open connection. Since there is no open connection related to that response, as a security measure, the firewall drops the packet.

If you use the PBR on the router, it will not hurt the local LAN OWA access. I am assuming that nobody will be accessing the OWA server using the local ASA. If they do, then the PBR configuration should change accordingly.

Hope this helps.

Regards,

NT

One last question: will this affect a connection in Germany via a standard Outlook connection? I just want to verify that this will only affect OWA and not people connecting to Exchange via Outlook locally.

Thanks for all the information.

I will post whether this fixes it or not.

Dan

The clients who are accessing the server using the standard Outlook client are behind the router. Is that correct? As long as their traffic is not passing via the router where you are configuring PBR, there will not be any issues. But if any of those packets traverse the router where you are configuring PBR, then it will not work.

Hope this helps.

Regards,

NT

If they are at other offices they will be running across the router. Or if they connect via the VPN in the US they will also be running across the VPN.

Dan

OK. If you have multiple next hops from that router, then you can do the following:

! Destinations that must keep their normal (non-MPLS) route
access-list 101 permit ip host "OWA Server IP" "Remote network 1" "mask"
!
! Everything else from the OWA server
access-list 102 permit ip host "OWA Server IP" any
!
! Clauses need distinct sequence numbers; a deny clause means
! "do not policy-route, use the normal routing table"
route-map OWA deny 10
 match ip address 101
!
route-map OWA permit 20
 match ip address 102
 set ip next-hop "next hop for MPLS Cloud"

For every remote network that gets routed by the router on a path other than the MPLS next hop, configure an access-list entry. In that way, the router will bypass the policy for those destinations from the OWA server.

Or you can also configure one access-list with deny statements at the top and a permit at the bottom (a deny in the ACL means the route-map clause does not match, so the packet is routed normally):

access-list 102 deny ip host "OWA Server IP" "Remote network 1" "mask"
access-list 102 permit ip host "OWA Server IP" any
!
route-map OWA permit 10
 match ip address 102
 set ip next-hop "next hop for MPLS Cloud"

Hope this helps.

Regards,

NT
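The following Python model is an added example, not code or configuration from anyone in this thread. It models the failure NT describes (the OWA reply follows the default route into the local ASA, whose connection table never saw the inbound request, so stateful inspection drops it) and the route-map semantics of the accepted answer: a deny clause, or a deny entry at the top of the ACL, sends the packet back to the normal routing table while the permit clause forces the MPLS next hop. All addresses, prefixes and next hops are constructed for the model.

```python
"""Model of the asymmetric-routing failure discussed in this thread and the
PBR fix. Added example; addresses and next hops below are constructed."""
import ipaddress
from dataclasses import dataclass

OWA_SERVER      = "10.20.0.25"    # constructed: Exchange server in Germany
NEXT_HOP_ASA    = "10.20.0.1"     # constructed: local ASA 5510 (DSL exit)
NEXT_HOP_MPLS   = "10.20.0.2"     # constructed: MPLS CE router towards the US head end
NEXT_HOP_REMOTE = "10.20.0.3"     # constructed: a remote site reached on its own path
REMOTE_NET      = "10.99.0.0/16"  # constructed: "Remote network 1" of the accepted answer
ANY             = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl, pkt):
    """IOS extended ACL: entries (action, src_net, dst_net), first match wins,
    implicit deny at the end. 'host X' is modelled as X/32."""
    for action, src, dst in acl:
        if _in(pkt.src, src) and _in(pkt.dst, dst):
            return action == "permit"
    return False


def policy_next_hop(route_map, pkt):
    """PBR route-map: clauses (action, acl, next_hop) in sequence order. The first
    clause whose ACL permits the packet decides: a permit clause sets the next
    hop, a deny clause (or no matching clause) means normal routing (None)."""
    for action, acl, next_hop in route_map:
        if acl_permits(acl, pkt):
            return next_hop if action == "permit" else None
    return None


class Router:
    def __init__(self, routes, route_map=None):
        self.routes = [(ipaddress.ip_network(n), nh) for n, nh in routes]
        self.route_map = route_map or []   # 'ip policy route-map' on the LAN interface

    def forward(self, pkt):
        nh = policy_next_hop(self.route_map, pkt)   # PBR is consulted before the RIB
        if nh is not None:
            return nh
        matches = [r for r in self.routes if ipaddress.ip_address(pkt.dst) in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1]   # longest prefix match


class StatefulFirewall:
    """Minimal ASA-like connection table: a reply passes only if it matches a
    connection this firewall itself saw being opened."""
    def __init__(self):
        self.conns = set()

    def open(self, pkt):
        self.conns.add((pkt.src, pkt.dst))

    def allows_reply(self, pkt):
        return (pkt.dst, pkt.src) in self.conns


def simulate_reply(router, client, ingress):
    """Send the OWA server's reply to `client`; `ingress` is the next hop through
    which the client's request reached the router."""
    head_end_asa, local_asa = StatefulFirewall(), StatefulFirewall()
    if ingress == NEXT_HOP_MPLS:
        head_end_asa.open(Packet(client, OWA_SERVER))   # NAT'd inbound conn in the US
    reply = Packet(OWA_SERVER, client)
    nh = router.forward(reply)
    if nh == NEXT_HOP_ASA:   # local ASA never saw the request: empty table
        return "delivered" if local_asa.allows_reply(reply) else "dropped by local ASA: no connection"
    if nh == NEXT_HOP_MPLS:
        return "delivered" if head_end_asa.allows_reply(reply) else f"misrouted via {nh}"
    return "delivered" if nh == ingress else f"misrouted via {nh}"


ROUTES = [("0.0.0.0/0", NEXT_HOP_ASA), ("10.0.0.0/8", NEXT_HOP_MPLS), (REMOTE_NET, NEXT_HOP_REMOTE)]
HOST = OWA_SERVER + "/32"
ACL_1 = [("permit", HOST, ANY)]                                   # NT's first answer
ACL_101 = [("permit", HOST, REMOTE_NET)]                          # accepted answer, deny clause
ACL_102 = [("permit", HOST, ANY)]
ACL_102_SINGLE = [("deny", HOST, REMOTE_NET), ("permit", HOST, ANY)]   # single-ACL variant

no_pbr  = Router(ROUTES)
pbr_all = Router(ROUTES, [("permit", ACL_1, NEXT_HOP_MPLS)])
pbr_two = Router(ROUTES, [("deny", ACL_101, None), ("permit", ACL_102, NEXT_HOP_MPLS)])
pbr_one = Router(ROUTES, [("permit", ACL_102_SINGLE, NEXT_HOP_MPLS)])

if __name__ == "__main__":
    cases = [("no PBR", no_pbr), ("all OWA -> MPLS", pbr_all),
             ("deny clause", pbr_two), ("single ACL", pbr_one)]
    for name, r in cases:
        print(f"{name:16} internet client:   {simulate_reply(r, '203.0.113.7', NEXT_HOP_MPLS)}")
        print(f"{name:16} remote-net client: {simulate_reply(r, '10.99.5.3', NEXT_HOP_REMOTE)}")
```

Without PBR the internet client's reply is dropped by the local ASA; NT's first route-map fixes that but sends replies for "Remote network 1" down the MPLS path too; both forms of the accepted answer deliver both. Changing the first entry of ACL_102_SINGLE to "permit" reproduces the misroute, which is why the deny entry has to sit at the top.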
