exchange server 2003 problem

syed_khalid_khursheed · ‎10-05-2007

hi to all,

we have an exchange server 2003 at head office. this server is also configured as domain controller and dns server. Exchange server is configured with Global Address List option which allow the clients(Outlook 2003) to download all address in the address book automatically.

Remote site connects to head office using ipsec vpn to head office perimeter router, then it passes through ASA and finally to exchange server(cum DC+DNS).

I have checked by joining the remote site PCs to domain and it works fine which means dns is working also.

But when it select Exchange Server option in Outlook 2003, it is able resolve FQDN of exchange server but following the FINISH button, outlook hangs for a long time (15-20min) and finally it says that it is unable to connect to Exchange server.

HELP NEEDED!!!

Danilo Dy · ‎10-06-2007

Hi,

Have you established if its a network (including firewall and DNS) or application problem?

Question on DNS, is it both Local and Internet DNS? FYI, the lookup might be pointing to the Public FQDN which is mapped to Public IP Address, but since your connectivity seems to be Private (considering you have S2S VPN) after the lookup, the application might be trying to connect to local IP Address which is Private. Check your DNS setup to make sure Public Query goes to Public DNS zone while Private query goes to Private DNS zone.

Beside the DNS mentione above, did you gather any forensic evidence from the firewall of any drop packet/connection that may point you to the problem (i.e. needed ports are block in the firewall).

Regards,

Dandy

syed_khalid_khursheed · ‎10-07-2007

BRANCH OFFICE CONFIG:-

ip name-server 192.168.100.20

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

crypto isakmp key Branch@HO123 address 192.168.10.1

crypto ipsec transform-set Branch_VPN esp-3des esp-md5-hmac

crypto map Branch_VPN 10 ipsec-isakmp

set peer 192.168.10.1

set transform-set fdib_VPN

match address Branch_IPSEC

interface FastEthernet0/0

no ip address

duplex auto

speed auto

interface FastEthernet0/0.1

description ** Data VLAN **

encapsulation dot1Q 100

ip address 172.16.1.1 255.255.255.0

no snmp trap link-status

interface FastEthernet0/0.2

description ** Voice VLAN **

encapsulation dot1Q 110

ip address 10.0.1.1 255.255.255.0

ip policy route-map gre

no snmp trap link-status

interface FastEthernet0/1

bandwidth 512

ip address 192.168.10.2 255.255.255.0

load-interval 30

speed auto

full-duplex

crypto map Branch_VPN

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

ip access-list extended Brnach_IPSEC

deny ip host 172.16.1.202 host 172.20.1.202

permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.2.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.3.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.4.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.10.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.11.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.17.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.14.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.15.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 172.20.18.0 0.0.0.255

permit ip 172.16.1.0 0.0.0.255 192.168.100.0 0.0.0.255

HEAD OFFICE CONFIG:-

hostname Head_Office

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

crypto isakmp key Branch@HO123 address 192.168.10.2

crypto map HO_VPN 10 ipsec-isakmp

set peer 192.168.10.2

set transform-set HO_VPN

match address HO_IPSEC

interface FastEthernet0/0

description ** Internal **

ip address 192.168.100.100 255.255.255.0

ip nat inside

!

interface FastEthernet0/3/0

switchport access vlan 2

!

interface Vlan2

description ** Data VLan To Brnach 1 **

ip address 192.168.10.1 255.255.255.0

crypto map HO_VPN

ip route 10.20.1.0 255.255.255.0 192.168.100.1

ip route 10.20.2.0 255.255.255.0 192.168.100.1

ip route 10.20.3.0 255.255.255.0 192.168.100.1

ip route 10.20.4.0 255.255.255.0 192.168.100.1

ip route 172.16.1.0 255.255.255.0 192.168.10.2

ip route 172.20.1.0 255.255.255.0 192.168.100.1

ip route 172.20.2.0 255.255.255.0 192.168.100.1

ip route 172.20.3.0 255.255.255.0 192.168.100.1

ip route 172.20.4.0 255.255.255.0 192.168.100.1

ip route 172.20.10.0 255.255.255.0 192.168.100.1

ip route 172.20.11.0 255.255.255.0 192.168.100.1

ip access-list extended HO_GRE

permit ip host 172.20.1.202 host 172.16.1.202

permit ip 172.20.11.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip 10.20.1.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip 10.20.2.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip 10.20.3.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip 10.20.4.0 0.0.0.255 10.0.1.0 0.0.0.255

ip access-list extended HO_IPSEC

deny ip host 172.20.1.202 host 172.16.1.202

permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.2.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.3.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.4.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.10.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.11.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.17.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.15.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.14.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 172.20.18.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip 192.168.100.0 0.0.0.255 172.16.1.0 0.0.0.255

HEAD OFFICE ASA Config

ASA Version 7.2(1)

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2

ospf cost 10

interface GigabitEthernet0/1

nameif Inside

ip address 172.20.14.1 255.255.255.0

ospf cost 10

object-group network LAN_Server

description LAN Servers connected to Core Switches

network-object 172.20.10.0 255.255.255.0

object-group network Access_Users

description Access Users of Access Switches

network-object 172.20.1.0 255.255.255.0

network-object 172.20.2.0 255.255.255.0

network-object 172.20.3.0 255.255.255.0

network-object 172.20.4.0 255.255.255.0

object-group network Branch_Users

description Access Users of Access Switches

network-object 172.16.1.0 255.255.255.0

object-group network Exhange_Server

network-object host 172.20.10.100

object-group service Exchange_Ports tcp

port-object eq pop3

port-object eq smtp

port-object eq https

port-object eq www

access-list Outside_access_in extended permit tcp any host 192.168.100.20 object-group Exchange_Ports

access-list Outside_access_in extended permit tcp host 202.125.141.209 host 192.168.100.31 eq https

access-list Outside_access_in extended permit icmp host 192.168.100.100 host 172.20.10.8 echo-reply

access-list Outside_access_in remark For 1Link

access-list Outside_access_in extended permit icmp host 192.168.100.100 host 192.168.100.50

access-list Outside_access_in extended permit ip object-group Branch_Users object-group Access_Users

access-list Inside_access_in extended permit ip object-group Access_Users object-group Branch_Users

access-list Inside_access_in extended permit tcp object-group Exhange_Server object-group Exchange_Ports any

access-list Inside_access_in extended permit ip 172.20.10.0 255.255.255.0 any

access-list Inside_access_in extended permit ip 172.20.15.0 255.255.255.0 any

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 192.168.100.100 1

router ospf 100

network 172.20.14.0 255.255.255.0 area 0

log-adj-changes

default-information originate always