What is my guest network missing for clients to be able to connect to our Exchange server?

Brad Hodgins
Level 1

I've been trying to figure this out for a while now, looking everywhere, so I'm not sure if I am missing something or just not phrasing my search criteria properly:

Guests on the mobile guest network are unable to connect to the Exchange server via the outside interface for some reason. The guests obtain an IP address from the 'guest' interface of the ASA using the ISP DNS. From the illustration, how do I get 192.168.10.25 (which becomes 158.132.231.144) to connect to 158.131.231.145, which has a PAT translation to 192.168.1.9 (Exchange)?

5510 interfaces are:

0 - outside level 0
1 - inside level 100 VLAN50
2 - guest network level 30 VLAN 10

Thanks in advance!

5 Replies

Murali
Level 1

Hello,

What are the security levels of the guest interface and of the interface the Exchange server is connected to? If possible, please post the NAT config of the Exchange server and the guest interface.

Thanks

Murali

Hi,

Guest network interface security level is 30
Exchange is on the inside int, security level 100

Here is the relevant config, please let me know if I'm missing anything:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.50.4 255.255.252.0

interface Ethernet0/2.10
 description MobileDeviceNetwork, Guest Devices
 vlan 10
 nameif MobileDevPort
 security-level 30
 ip address 192.168.10.4 255.255.255.0

object network Exchange1
 host 192.168.1.9

object network MobileDevNet
 subnet 192.168.10.0 255.255.255.0

object network MR_SPAM
 host 192.168.1.244

object network Mobiles
 nat (any,outside) dynamic interface

object network Barracuda_SPAM
 nat (any,any) static Outside_IP-145(Exchange) service tcp smtp smtp

object network VSHQEXCAHT-01
 nat (inside,outside) static Outside_IP-145(Exchange) service tcp https https

object network Main_internal-external_NAT
 nat (inside,outside) dynamic interface dns

route outside 0.0.0.0 0.0.0.0 158.131.231.143 1 track 1
route inside 192.168.0.0 255.255.252.0 192.168.50.250 1

dhcpd address 192.168.10.30-192.168.10.200 MobileDevPort
dhcpd dns 24.14.163.190 24.183.90.190 interface MobileDevPort
dhcpd lease 86400 interface MobileDevPort
dhcpd enable MobileDevPort

access-list MobileDevPort_access_in extended permit tcp object MobileDevNet any object-group Web_Services (80 and 443)

Hi,

From the configuration I can see you only allowed ports 80 and 443 on the MobileDevPort interface (I'm assuming it's the guest network?).

First, you should allow mail traffic on the guest as well as the inside interface. In the post you've mentioned the guest network is NATed? Is that right? For accessing the internal Exchange server, I don't think you need a public IP, right? (I'm not sure about the setup.)

Thanks

Murali

uda,

The mobile clients get their IP via DHCP from the ASA. The DNS servers assigned via this process are those of our ISP. The mobile devices (smartphones and laptops) attempt to connect to mail.ourcompanyname.com, which resolves to the public IP.

Opening a path between the guest mobile network and the internal network may be acceptable for Activesync on 443, but I don't want them to use our internal DNS server as well.

I'm still not sure how to make this work...

B

I see what the problem is now, but I'm still not sure how to fix it. When I remove PAT and enable DNS doctoring, the Exchange access from the mobile guest network performs flawlessly. But then mail no longer comes in.

The problem is that I cannot do DNS doctoring and PAT on the same interface. Yet I need to leave PAT in place. 158.131.231.145 translates traffic on port 25 to our SPAM appliance at 192.168.1.244 and traffic destined for port 443 is translated to our Exchange front end 192.168.1.9.

Is there another way this can be done? I need the guest mobile network to be able to access the Exchange server. I don't have another spare public IP lying around.

B
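Added example, not configuration from this thread or from Cisco: the usual way round the "DNS doctoring cannot be combined with a port-translating static NAT" problem described in the last post is a manual (twice) NAT rule that rewrites the public address to the Exchange host only for guest traffic entering MobileDevPort and leaving on inside, so the guests keep using the ISP DNS and the public name, and the existing inbound SMTP/HTTPS PAT from the outside stays as it is. Object names are taken from the posted config; the assumptions are that Outside_IP-145(Exchange) is the existing object holding 158.131.231.145, that the HTTPS service object is new, and that the Web_Services group used by the guest ACL covers 443.

```cisco
! Added example (not from the thread). Assumed: Outside_IP-145(Exchange) is the
! posted object for 158.131.231.145; Exchange1 (192.168.1.9) and MobileDevNet
! (192.168.10.0/24) are as posted; the HTTPS service object is new here.

object service HTTPS
 service tcp destination eq https

! Guest -> inside, port 443 only: the destination 158.131.231.145 is translated
! to 192.168.1.9, and the guest source is hidden behind the inside interface
! address so the server's replies return through the ASA instead of being
! routed toward 192.168.10.0/24 directly.
nat (MobileDevPort,inside) source dynamic MobileDevNet interface destination static Outside_IP-145(Exchange) Exchange1 service HTTPS HTTPS

! Nothing else changes:
! - manual NAT (section 1) is checked before the posted auto NAT rules, but this
!   line only matches traffic arriving on MobileDevPort bound for inside, so the
!   (inside,outside) SMTP/HTTPS PAT for mail from the Internet is untouched;
! - no "dns" keyword is needed, because the guests resolve the public address
!   and the ASA rewrites it on the way in;
! - MobileDevPort_access_in already permits tcp from MobileDevNet to any on the
!   Web_Services ports; on 8.3+ the ACL is matched against the real (translated)
!   destination 192.168.1.9, which "any" covers.
```

To check the rule is taken, `show nat detail` should show the new section 1 entry with translate_hits increasing while a guest connects, and `packet-tracer input MobileDevPort tcp 192.168.10.25 12345 158.131.231.145 443` should report the NAT phase rewriting the destination to 192.168.1.9 and an ALLOW result.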
