
unable to access external owa through guest network on wifi



I have set up a guest network on our access point, traffic for which goes to a second interface on the ASA and from there to the outside. Internet works perfectly and all other websites open without any issues, except the external OWA URL, which is mapped to an internal private IP. So for people who are using ActiveSync on the guest network, email doesn't work either.

Any suggestions? I am not that familiar with the ASA. However, I did find a suggestion when I googled, which mentioned adding a static NAT for inside,guest:

static (inside,inside2) tcp https 192.xx.xx.xx https netmask

There is already another static NAT for inside,outside (with the public and the internal IP address of the mail server, with https and smtp allowed).

Not sure if it is only the NAT, or the routing as well, that needs to be done. Also, how would I enable ICMP on the guest network interface on the ASA? It says it is currently blocked by an incoming rule configured on the outside interface.

Guidance is highly appreciated. I have put the config below.


interface Ethernet0/2
switchport access vlan 50

interface Vlan2
nameif outside
security-level 0
ip address

interface Vlan30
nameif inside
security-level 100
ip address yyy.yyy.yy.yyy

interface Vlan50
nameif inside2
security-level 100
ip address zzz.zzz.zz.zzz

interface Vlan60
nameif DMZ
security-level 50
ip address rrr.rrr.rr.rrr

boot system disk0:/asa825-k8.bin
object-group network obj_any
object-group network VIA-LL
network-object host
network-object host
network-object host
object-group network adj_any
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list Data1 extended permit ip any any
access-list outside-in extended permit tcp any host (exchangepublicIP) eq https
access-list outside-in extended permit tcp any host (exchangepublicip) eq smtp
access-list outside-in extended permit ip
access-list outside-in extended permit object-group DM_INLINE_SERVICE_1 any host (FTP)
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip
access-list VIA-LL extended permit ip object-group VIA-LL any
access-list ciscoasa_splitTunnelAcl standard permit
access-list ciscoasa_splitTunnelAcl remark serverlan
access-list ciscoasa_splitTunnelAcl standard permit
access-list Data2 extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu DMZ 1500
ip local pool VPN_Pool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 (exchangepublicIP)
global (outside) 20 (outgoingPUblicipNAT)
global (outside) 30 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 30 access-list VIA-LL
nat (inside) 10
nat (inside) 20
nat (inside2) 0 access-list inside_nat0_outbound
nat (inside2) 20
static (inside,outside) exchangepublicIP netmask
static (DMZ,outside) FTP netmask
static (inside,DMZ) netmask
access-group outside-in in interface outside
access-group Data1 in interface inside
access-group Data2 in interface inside2
route outside RouterOutInterfaceIP 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map Banner1



4 Replies

Add another access-list entry permitting SMTP traffic to the actual real IP of your Exchange server, which is

access-list outside-in ext permit tcp any host eq smtp

This will resolve the issue. Since we are NATing the public IP to the internal Exchange server IP, we have to allow the traffic that is actually going to the internal server from outside.


Sent from Cisco Technical Support iPhone App


Just wanted to confirm, aren't these two lines in the config doing the same thing?

access-list outside-in extended permit tcp any host (exchangepublicIP) eq https

access-list outside-in extended permit tcp any host (exchangepublicip) eq smtp

since the public IP is already NATed to the internal server IP address.

Thanks again.

I have tried adding the access list, but it didn't work. I tried a packet trace and it shows the following result; it says an ACL caused the drop.

I have tried adding an ACL to allow 443 on the guest interface inside2, but no luck.

packet-tracer in inside2 tcp https public IP address) https

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

static (inside,inside2) tcp https https netmask 25
  match tcp inside host eq 443 inside2 any
    static translation to
    translate_hits = 0, untranslate_hits = 46
Additional Information:
NAT divert to egress interface inside
Untranslate to using netmask

Phase: 2
Result: DROP
Implicit Rule
Additional Information:

input-interface: inside2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any suggestion on what is going wrong? When I try a ping to from the inside2 (guest interface), it shows some routing issue.

static (inside,inside2) tcp https https netmask 25


For communications to be allowed between same-security interfaces, you need to enable this (run this command in global configuration mode):

same-security-traffic permit inter-interface
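As an added troubleshooting aid (not from the thread or from Cisco), a small Python parser for packet-tracer output of the kind quoted above: it names the phase that dropped the flow and, using the nameif/security-level pairs from the posted config, flags the "Implicit Rule" drop between two equal-security interfaces that the last reply resolves with same-security-traffic permit inter-interface. The sample trace is constructed from the redacted output in the thread, and the host netmask in it is assumed.

```python
# Constructed sample modelled on the redacted packet-tracer output in the thread.
SAMPLE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
static (inside,inside2) tcp https https netmask 255.255.255.255
Additional Information:
NAT divert to egress interface inside
Phase: 2
Result: DROP
Config:
Implicit Rule
Result:
input-interface: inside2
output-interface: inside
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# nameif / security-level pairs taken from the ASA config posted in the question.
SECURITY_LEVELS = {"outside": 0, "inside": 100, "inside2": 100, "DMZ": 50}

def parse_trace(text):
    """Return (phases, summary): one dict per 'Phase:' block plus the trailing Result block."""
    phases, summary, cur, in_config = [], {}, None, False
    for line in text.splitlines():
        if line.startswith("Phase:"):                 # a new phase begins
            cur, in_config = {"number": int(line.split(":")[1]), "config": []}, False
            phases.append(cur)
        elif line.strip() == "Result:":               # bare 'Result:' opens the summary
            cur, in_config = None, False
        elif line.startswith(("Config:", "Additional Information:")):
            in_config = line.startswith("Config:")    # config lines run until Additional Information
        elif in_config and cur is not None and line.strip():
            cur["config"].append(line.strip())
        elif ":" in line:                             # 'Key: value' field of the phase or summary
            key, _, val = line.partition(":")
            (summary if cur is None else cur)[key.strip().lower()] = val.strip()
    return phases, summary

def diagnose(text, levels=SECURITY_LEVELS):
    """Name the dropping phase and flag an 'Implicit Rule' drop between equal-security interfaces."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None:
        return {"dropped": False}
    src, dst = summary.get("input-interface"), summary.get("output-interface")
    same = src in levels and dst in levels and levels[src] == levels[dst]
    implicit = "Implicit Rule" in drop["config"]
    return {"dropped": True, "phase": drop["number"], "same_security": same, "implicit_rule": implicit,
            "hint": "same-security-traffic permit inter-interface" if same and implicit else None}
```

Paste a real `packet-tracer` transcript into `diagnose()` in place of SAMPLE; a drop in a NAT phase or between interfaces of different security levels comes back with `hint` set to None, so the ACL on the ingress interface is the next thing to check.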
