07-24-2013 04:44 AM - edited 03-04-2019 08:32 PM
Greetings,
I have set up a guest network on our access point; its traffic goes to a second interface on the ASA and from there to the outside. Internet works perfectly and all other external websites open without any issues, except the external OWA URL, which is mapped to an internal private IP. So for people who are using ActiveSync on the guest network, email doesn't work either.
Any suggestions? I am not that familiar with the ASA. However, I did find a suggestion when I googled, which mentioned adding a static NAT for inside,guest:
static (inside,inside2) tcp 83.xx.xxx.xxx https 192.xx.xx.xx https netmask 255.255.255.255
There is another static NAT already for inside,outside (with the public and the internal IP address of the mail server, with https and smtp allowed).
Not sure if it is only the NAT or the routing as well that needs to be done. Also, how would I enable ICMP on the guest network interface on the ASA? It says it is currently blocked by an incoming rule configured on the outside interface.
Guidance is highly appreciated. I have put the config below.
!
interface Ethernet0/2
switchport access vlan 50
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xxx.xx.xxx 255.255.255.248
!
interface Vlan30
nameif inside
security-level 100
ip address yyy.yyy.yy.yyy 255.255.255.0
!
interface Vlan50
nameif inside2
security-level 100
ip address zzz.zzz.zz.zzz 255.255.255.0
!
interface Vlan60
nameif DMZ
security-level 50
ip address rrr.rrr.rr.rrr 255.255.255.0
!
boot system disk0:/asa825-k8.bin
object-group network obj_any
object-group network VIA-LL
network-object host
network-object host
network-object host
object-group network adj_any
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list Data1 extended permit ip any any
access-list outside-in extended permit tcp any host(exchangepublicIP) eq https
access-list outside-in extended permit tcp any host (exchangepublicip) eq smtp
access-list outside-in extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside-in extended permit object-group DM_INLINE_SERVICE_1 any host (FTP)
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.100.0 255.255.255.224
access-list VIA-LL extended permit ip object-group VIA-LL any
access-list ciscoasa_splitTunnelAcl standard permit 192.168.30.0 255.255.255.0
access-list ciscoasa_splitTunnelAcl remark serverlan
access-list ciscoasa_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list Data2 extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu DMZ 1500
ip local pool VPN_Pool 192.168.100.5-192.168.100.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 (exchangepublicIP)
global (outside) 20 (outgoingPUblicipNAT)
global (outside) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 30 access-list VIA-LL
nat (inside) 10 192.168.20.40 255.255.255.255
nat (inside) 20 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside_nat0_outbound
nat (inside2) 20 192.168.50.0 255.255.255.0
static (inside,outside) exchangepublicIP 192.168.20.40 netmask 255.255.255.255
static (DMZ,outside) FTP 192.168.200.2 netmask 255.255.255.255
static (inside,DMZ) 192.168.200.0 192.168.30.0 netmask 255.255.255.0
access-group outside-in in interface outside
access-group Data1 in interface inside
access-group Data2 in interface inside2
route outside 0.0.0.0 0.0.0.0 RouterOutInterfaceIP 1
route inside 192.168.20.0 255.255.255.0 192.168.30.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map Banner1
Regards,
Raj
07-24-2013 12:07 PM
Add another access-list entry permitting SMTP traffic to the actual real IP of your Exchange server, which is 192.168.20.40:
access-list outside-in extended permit tcp any host 192.168.20.40 eq smtp
This will resolve the issue. Since we are NATing the public IP to the internal Exchange server IP, we have to allow the traffic that is actually going to the internal server from outside.
HTH
Sent from Cisco Technical Support iPhone App
07-24-2013 11:46 PM
Hi,
Just wanted to confirm:
Aren't these two lines in the config doing the same thing?
access-list outside-in extended permit tcp any host (exchangepublicIP) eq https
access-list outside-in extended permit tcp any host (exchangepublicip) eq smtp
since the public IP is already NATed to the internal server IP address.
thanks again.
07-27-2013 11:44 AM
I have tried adding the access list, but it didn't work. I tried a packet trace and it shows the following result; it says the ACL caused the drop.
I have tried adding an ACL to allow 192.168.20.40 443 on the guest interface inside2, but no luck.
packet-tracer input inside2 tcp 192.168.50.22 https 83.43.44.45 https   (83.43.44.45 is the Exchange public IP address)
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside2) tcp 83.43.44.45 https 192.168.20.40 https netmask 255.255.255.255
match tcp inside host 192.168.20.40 eq 443 inside2 any
static translation to 83.43.44.45/443
translate_hits = 0, untranslate_hits = 46
Additional Information:
NAT divert to egress interface inside
Untranslate 83.43.44.45/443 to 192.168.20.40/443 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any suggestion on what is going wrong? When I try a ping to 192.168.20.40 from inside2 (the guest interface), it reports some routing issue.
07-28-2013 07:15 PM
static (inside,inside2) tcp 83.43.44.45 https 192.168.20.40 https netmask 255.255.255.255
For communications to be allowed between same-security interfaces, you need to enable this (run this command in global configuration mode):
same-security-traffic permit inter-interface
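To put the two pieces of the answer together, here is a worked ASA 8.2 configuration for the guest-to-OWA hairpin. This is an added example, not configuration posted by anyone in the thread; it reuses the interface names (inside, inside2), the ACL name Data2 and the addresses quoted above (83.43.44.45, 192.168.20.40, 192.168.50.0/24). The tightened Data2 entries and the ICMP line are my assumptions about what a guest network should be allowed to do, not something the original poster configured.

```cisco
! Added example (not from the thread): ASA 8.2 hairpin so guest clients on
! inside2 reach OWA/ActiveSync by its public address. Names and addresses
! are the ones quoted in the thread.
!
! 1. inside and inside2 both have security-level 100. Without this global
!    command any flow between them is dropped by the implicit rule, which is
!    exactly the "Phase: 2 ACCESS-LIST ... Implicit Rule ... DROP" in the
!    packet-tracer output above.
same-security-traffic permit inter-interface
!
! 2. Policy static for the guest side only. Syntax on 8.2 is
!    static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
!    A guest connecting to 83.43.44.45:443 is untranslated to 192.168.20.40:443
!    and the flow is diverted to the inside interface (the UN-NAT phase above).
static (inside,inside2) tcp 83.43.44.45 https 192.168.20.40 https netmask 255.255.255.255
!
! 3. Interface ACLs on 8.2 match the address as it arrives on that interface,
!    so on inside2 the OWA destination is the public 83.43.44.45, not 192.168.20.40.
!    Data2 is currently "permit ip any any", which works but also lets guests
!    reach the whole inside LAN once step 1 is enabled. Assumed tightening:
!    insert a specific permit for OWA at line 1, then a deny for the server LAN
!    at line 2, leaving the existing permit ip any any for Internet traffic.
access-list Data2 line 1 extended permit tcp 192.168.50.0 255.255.255.0 host 83.43.44.45 eq https
access-list Data2 line 2 extended deny ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
!
! 4. ICMP aimed at the ASA's own inside2 address (the poster's ping question).
!    This controls pings to the firewall interface itself; ICMP passing through
!    the ASA is governed by the interface ACL and "inspect icmp" in the policy-map.
icmp permit any inside2
!
! 5. Verify. After steps 1 and 2, Phase 2 should show Result: ALLOW with the
!    Data2 ACE as the matching config instead of the implicit-rule drop.
packet-tracer input inside2 tcp 192.168.50.22 40000 83.43.44.45 443
```

Two caveats. First, this is pre-8.3 syntax: the config shows boot system disk0:/asa825-k8.bin, and on 8.3 and later the same idea is expressed with object NAT and ACLs that reference the real (192.168.20.40) address. Second, no nat/global pair exists from inside2 toward inside, which is fine because nat-control is not enabled in the posted config; if nat-control were turned on, the return path would additionally need a NAT exemption or identity static between the two interfaces.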