10-05-2007 07:26 AM - edited 03-03-2019 07:02 PM
hi to all,
We have an Exchange Server 2003 at the head office. This server is also configured as a domain controller and DNS server. The Exchange server is configured with the Global Address List option, which allows the clients (Outlook 2003) to download all addresses in the address book automatically.
The remote site connects to the head office using an IPsec VPN to the head office perimeter router; traffic then passes through the ASA and finally to the Exchange server (cum DC+DNS).
I have checked by joining the remote site PCs to the domain, and it works fine, which means DNS is working also.
But when I select the Exchange Server option in Outlook 2003, it is able to resolve the FQDN of the Exchange server, but after the FINISH button, Outlook hangs for a long time (15-20 min) and finally says that it is unable to connect to the Exchange server.
HELP NEEDED!!!
10-06-2007 12:43 AM
Hi,
Have you established if it's a network (including firewall and DNS) or application problem?
Question on DNS: is it both local and Internet DNS? FYI, the lookup might be pointing to the public FQDN, which is mapped to a public IP address, but since your connectivity seems to be private (considering you have a S2S VPN), after the lookup the application might be trying to connect to a local IP address which is private. Check your DNS setup to make sure a public query goes to the public DNS zone while a private query goes to the private DNS zone.
Besides the DNS mentioned above, did you gather any forensic evidence from the firewall of any dropped packets/connections that may point you to the problem (i.e. needed ports are blocked in the firewall)?
Regards,
Dandy
10-07-2007 09:15 PM
BRANCH OFFICE CONFIG:-
ip name-server 192.168.100.20
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key Branch@HO123 address 192.168.10.1
crypto ipsec transform-set Branch_VPN esp-3des esp-md5-hmac
crypto map Branch_VPN 10 ipsec-isakmp
set peer 192.168.10.1
set transform-set Branch_VPN
match address Branch_IPSEC
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.1
description ** Data VLAN **
encapsulation dot1Q 100
ip address 172.16.1.1 255.255.255.0
no snmp trap link-status
interface FastEthernet0/0.2
description ** Voice VLAN **
encapsulation dot1Q 110
ip address 10.0.1.1 255.255.255.0
ip policy route-map gre
no snmp trap link-status
interface FastEthernet0/1
bandwidth 512
ip address 192.168.10.2 255.255.255.0
load-interval 30
speed auto
full-duplex
crypto map Branch_VPN
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip access-list extended Branch_IPSEC
deny ip host 172.16.1.202 host 172.20.1.202
permit ip 172.16.1.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.2.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.3.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.4.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.10.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.11.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.17.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.14.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.15.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 172.20.18.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 192.168.100.0 0.0.0.255
HEAD OFFICE CONFIG:-
hostname Head_Office
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key Branch@HO123 address 192.168.10.2
crypto map HO_VPN 10 ipsec-isakmp
set peer 192.168.10.2
set transform-set HO_VPN
match address HO_IPSEC
interface FastEthernet0/0
description ** Internal **
ip address 192.168.100.100 255.255.255.0
ip nat inside
!
interface FastEthernet0/3/0
switchport access vlan 2
!
interface Vlan2
description ** Data VLAN To Branch 1 **
ip address 192.168.10.1 255.255.255.0
crypto map HO_VPN
ip route 10.20.1.0 255.255.255.0 192.168.100.1
ip route 10.20.2.0 255.255.255.0 192.168.100.1
ip route 10.20.3.0 255.255.255.0 192.168.100.1
ip route 10.20.4.0 255.255.255.0 192.168.100.1
ip route 172.16.1.0 255.255.255.0 192.168.10.2
ip route 172.20.1.0 255.255.255.0 192.168.100.1
ip route 172.20.2.0 255.255.255.0 192.168.100.1
ip route 172.20.3.0 255.255.255.0 192.168.100.1
ip route 172.20.4.0 255.255.255.0 192.168.100.1
ip route 172.20.10.0 255.255.255.0 192.168.100.1
ip route 172.20.11.0 255.255.255.0 192.168.100.1
ip access-list extended HO_GRE
permit ip host 172.20.1.202 host 172.16.1.202
permit ip 172.20.11.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.20.1.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.20.2.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.20.3.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.20.4.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended HO_IPSEC
deny ip host 172.20.1.202 host 172.16.1.202
permit ip 172.20.1.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.2.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.3.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.4.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.10.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.11.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.17.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.15.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.14.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.20.18.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 172.16.1.0 0.0.0.255
HEAD OFFICE ASA Config
ASA Version 7.2(1)
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
ospf cost 10
interface GigabitEthernet0/1
nameif Inside
ip address 172.20.14.1 255.255.255.0
ospf cost 10
object-group network LAN_Server
description LAN Servers connected to Core Switches
network-object 172.20.10.0 255.255.255.0
object-group network Access_Users
description Access Users of Access Switches
network-object 172.20.1.0 255.255.255.0
network-object 172.20.2.0 255.255.255.0
network-object 172.20.3.0 255.255.255.0
network-object 172.20.4.0 255.255.255.0
object-group network Branch_Users
description Access Users of Access Switches
network-object 172.16.1.0 255.255.255.0
object-group network Exhange_Server
network-object host 172.20.10.100
object-group service Exchange_Ports tcp
port-object eq pop3
port-object eq smtp
port-object eq https
port-object eq www
access-list Outside_access_in extended permit tcp any host 192.168.100.20 object-group Exchange_Ports
access-list Outside_access_in extended permit tcp host 202.125.141.209 host 192.168.100.31 eq https
access-list Outside_access_in extended permit icmp host 192.168.100.100 host 172.20.10.8 echo-reply
access-list Outside_access_in remark For 1Link
access-list Outside_access_in extended permit icmp host 192.168.100.100 host 192.168.100.50
access-list Outside_access_in extended permit ip object-group Branch_Users object-group Access_Users
access-list Inside_access_in extended permit ip object-group Access_Users object-group Branch_Users
access-list Inside_access_in extended permit tcp object-group Exhange_Server object-group Exchange_Ports any
access-list Inside_access_in extended permit ip 172.20.10.0 255.255.255.0 any
access-list Inside_access_in extended permit ip 172.20.15.0 255.255.255.0 any
static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 192.168.100.100 1
router ospf 100
network 172.20.14.0 255.255.255.0 area 0
log-adj-changes
default-information originate always
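A way to check two of the things Dandy asks about against the posted configs, as an added example that is not part of the thread: a mirror check of the branch and head-office crypto ACLs, and a first-match lookup of the ASA Outside_access_in ACL for a branch client reaching the Exchange NAT address. The ACL excerpts are constructed from the posted lines; that Outlook 2003 MAPI first reaches the RPC endpoint mapper on TCP 135 is an assumption the thread does not state.

```python
import ipaddress

# Constructed excerpt of the crypto ACLs posted above; entries are (action, src, dst).
BRANCH_IPSEC = [
    ("deny", "172.16.1.202/32", "172.20.1.202/32"),
    ("permit", "172.16.1.0/24", "172.20.1.0/24"),
    ("permit", "172.16.1.0/24", "172.20.10.0/24"),
    ("permit", "172.16.1.0/24", "192.168.100.0/24"),
]
HO_IPSEC = [
    ("deny", "172.20.1.202/32", "172.16.1.202/32"),
    ("permit", "172.20.1.0/24", "172.16.1.0/24"),
    ("permit", "172.20.10.0/24", "172.16.1.0/24"),
    ("permit", "192.168.100.0/24", "172.16.1.0/24"),
]

# Constructed excerpt of the ASA Outside_access_in ACL: (action, proto, src, dst, dst_ports);
# an empty port set means any port. 192.168.100.20 is the static NAT of the Exchange host.
OUTSIDE_ACCESS_IN = [
    ("permit", "tcp", "0.0.0.0/0", "192.168.100.20/32", {110, 25, 443, 80}),  # Exchange_Ports
    ("permit", "ip", "172.16.1.0/24", "172.20.1.0/24", set()),               # Branch -> Access
    ("permit", "ip", "172.16.1.0/24", "172.20.2.0/24", set()),
]

def mirror_gaps(local, remote):
    """Crypto ACL entries on one peer that have no exact mirror on the other peer.
    A non-mirrored entry is a classic cause of a tunnel that carries some flows but not all."""
    mirrored = {(action, dst, src) for action, src, dst in remote}
    return [entry for entry in local if entry not in mirrored]

def acl_permits(acl, proto, src, dst, dport):
    """First-match evaluation of an extended ACL, ending in the ASA's implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, ports in acl:
        if p not in ("ip", proto):
            continue
        if src_ip not in ipaddress.ip_network(s) or dst_ip not in ipaddress.ip_network(d):
            continue
        if ports and dport not in ports:
            continue
        return action == "permit"
    return False

if __name__ == "__main__":
    print("crypto ACL entries without a mirror:", mirror_gaps(BRANCH_IPSEC, HO_IPSEC))
    # Assumption: Outlook 2003 MAPI starts with the RPC endpoint mapper on TCP 135.
    for port in (443, 135):
        ok = acl_permits(OUTSIDE_ACCESS_IN, "tcp", "172.16.1.50", "192.168.100.20", port)
        print(f"branch client -> Exchange NAT tcp/{port} permitted: {ok}")
```

Extend the constructed lists with the remaining posted lines to check the full ACLs; the same lookup can be run for the Inside_access_in return path.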