PIX OWA Help

jcnewman83
Level 1

I am a newbie here, so please go easy on me.

I am trying to set up my PIX to allow OWA access, so basically all I need is port 443 open to a particular server.

I have included the PIX config below and was wondering if someone could help point me in the right direction. I thought that a line that read something like: access-list inside permit ip host SERVER13-13Exchange any

would have done the trick, but obviously I am mistaken. Can anyone help? I have just taken over this PIX, so if you guys spot anything blindingly obvious wrong with my config, a heads-up would be appreciated!

Thanks in advance for your help.

Config below:

Result of firewall command: "sh run"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xx.xxx.xxx.xxx Mail-Outside
name xx.x.x.x OWA
name xx.xxx.xx.xx CNS-Management1
name xxx.xxx.xxx.xx CNS-Management2
name xx.xxx.xxx.xx Mat_Home
name xxx.xx.xx.xxx Spider-net1
name xxx.xx.xx.xxx Spider-net2
name xxx.xxx.xxx.xx Enterprise
name 192.168.0.108 SamCorbynPC7
name 192.168.0.103 JoPC4FTP
name 192.168.0.111 PC5SamBaldwin
name 10.0.0.3 TRIGOLDTESTPC
name 192.168.0.102 JohnyPC
name 192.168.0.150 KeithBaldwinLaptop
name 192.168.0.151 KeithBaldwinWirelessCard
name 192.168.0.122 TishPC
name 192.168.0.120 PC6HelenPatersonPC
name 192.168.0.7 SimonHinsleyPC31
name 192.168.0.117 MartinMiles
name 10.0.0.4 TrainingRouter
name 192.168.0.133 PC26-Nicki-FTP-Access
name 192.168.0.3 Server02-File-Virus
name 192.168.0.2 Server01-Mail-Inside
name 192.168.0.4 Server03-Safeword
name 192.168.0.115 KirstyHartleyPC32
name 10.0.0.1 TelephoneSupport
name 192.168.0.35 TelephonePABX
name 192.168.0.154 LAPTOP31
name xxx.xx.232.0 BlackspiderNew2
name xx.xxx.32.0 BlackspiderNew-4
name xxx.xxx.216.0 BlackspiderNew-3
name xxx.50.xx.0 BlackspiderNew-1
name 192.168.0.136 DEBBIELAPTOP
name 192.168.0.168 Laptop34Kateb
name 192.168.0.8 Server06-Exchange
name 192.168.0.34 ProxyServer
name 192.168.0.33 ProxyServer2
name 192.168.0.19 KirstyHartleyPC32-2
name xx.109.xxx.166 Webmail
name 192.168.0.13 SERVER13-13Exchange
name 192.168.0.12 SERVER13-12Exchange
name 192.168.0.18 PC38-Kay-Oblj
object-group service ExchangeDMZTCP tcp
  description TCP ports used by Exchange Front to Back End
  port-object eq ldap
  port-object eq 691
  port-object eq www
  port-object eq 88
  port-object eq 3268
  port-object eq domain
  port-object eq 135
  port-object eq 5001
object-group service ExchangeDMZUDP udp
  description UDP ports used by Exchange Front to Back End
  port-object eq 389
  port-object eq 88
  port-object eq domain
  port-object eq 691
  port-object eq 3268
  port-object eq 2833
object-group service AddMail2OWA tcp
  port-object eq 137
  port-object eq 135
  port-object eq 445
object-group service AddOWAtoMail udp
  port-object eq netbios-ns
object-group service AddOWAtoMailTCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  port-object eq https
object-group service TerminalService tcp
  description Terminal Services for Access Sorce Server
  port-object eq 3389
  port-object eq ssh
object-group service CiscoVPN udp
  description Cisco Outbound UDP Ports 10000 4500 500
  port-object range isakmp isakmp
  port-object range 10000 10000
  port-object range 4500 4500
object-group network FTPAccess
  network-object xxPC4FTP 255.255.255.255
  network-object xxxxxxxPC7 255.255.255.255
  network-object xxxxxxPC31 255.255.255.255
  network-object PC5xxxxxxx 255.255.255.255
  network-object xxxxxxPC 255.255.255.255
  network-object PC6xxxxxx 255.255.255.255
  network-object PC26 255.255.255.255
  network-object LAPTOP31 255.255.255.255
object-group network ITExtendedAccess
  description Extended Access For IT PCs
  network-object xxxxxxxxPC31 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxxPC32 255.255.255.255
  network-object PC38xxxxxx 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object xxxxxxPC32-2 255.255.255.255
object-group service PhoneSystem tcp
  description Port 5000 For our Phones
  port-object range 5000 5000
object-group service Remotebackup tcp
  port-object range 4401 4408
object-group service TishWEBAccess tcp
  description Access For Tish For Web Admin
  port-object range 2222 2222
  port-object range 50000 60000
object-group service Https tcp
  description SERVER04 Access for All
  port-object eq https
  port-object eq 57483
object-group service RemoteBackup udp
  port-object range 4401 4408
object-group network ExchangeServers
  network-object Server01-Mail-Inside 255.255.255.255
  network-object Server06-Exchange 255.255.255.255
  network-object SERVER13-12Exchange 255.255.255.255
  network-object SERVER13-13Exchange 255.255.255.255
object-group network OWAServers
  description Group to Allow OWA Services
  network-object SERVER13-13Exchange 255.255.255.255
access-list outside remark Allow SMTP to Mailserver (Live)
access-list outside permit tcp host Spider-net1 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (Live)
access-list outside permit tcp host Spider-net2 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew-1 255.255.248.0 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew2 255.255.248.0 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew-3 255.255.248.0 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew-4 255.255.224.0 host Mail-Outside eq smtp
access-list outside deny ip host Enterprise host Mail-Outside
access-list outside remark Simon Web Publishing test
access-list outside permit tcp any eq www host Webmail eq www
access-list outside remark Allow OWA Access
access-list outside permit tcp any host xx.109.xxx.164 eq https
access-list outside remark Allow Terminal Services Access
access-list outside permit tcp any host xx.109.xxx.165
access-list outside permit tcp any eq https host xx.109.xxx.170 eq https
access-list inside remark Allow DNS
access-list inside permit udp host Server03-Safeword any eq domain
access-list inside remark Additional ports required for OWA Access
access-list inside permit tcp host Server03-Safeword any object-group AddMail2OWA
access-list inside remark Blackberry SRP Communication
access-list inside permit tcp host Server03-Safeword any eq 3101
access-list inside permit udp host Server01-Mail-Inside any eq domain
access-list inside remark Allow FTP for Anti-Virus
access-list inside permit tcp host Server02-File-Virus any eq ftp
access-list inside remark Allow HTTP
access-list inside permit tcp any any eq www
access-list inside remark Allow HTTPS
access-list inside permit tcp any any eq https
access-list inside remark changed for Mortgage Stream
access-list inside permit tcp object-group ITExtendedAccess any object-group TishWEBAccess
access-list inside remark Mail to Spidernet(Existing)
access-list inside permit tcp host Server01-Mail-Inside host Spider-net1 eq smtp
access-list inside remark Mail to Spidernet (Existing)
access-list inside permit tcp host Server01-Mail-Inside host Spider-net2 eq smtp
access-list inside remark BlackspiderNew1
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew-1 255.255.248.0 eq smtp
access-list inside remark BlackspiderNew2
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew2 255.255.248.0 eq smtp
access-list inside remark BlackspiderNew3
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew-3 255.255.248.0 eq smtp
access-list inside remark BlackspiderNew4
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew-4 255.255.224.0 eq smtp
access-list inside remark Ftp Access For All Recruitment
access-list inside permit tcp any any eq ftp
access-list inside remark Ftp Access For All Recruitment
access-list inside permit tcp object-group FTPAccess any eq ftp
access-list inside remark Terminal Services Access For Simon Hinsley PC For sorce Test Server
access-list inside permit tcp object-group ITExtendedAccess any object-group TerminalService
access-list inside permit udp object-group ITExtendedAccess object-group CiscoVPN any object-group CiscoVPN
access-list inside remark Keith Laptop Pop 3 Access
access-list inside permit tcp host KeithWirelessCard any eq pop3
access-list inside remark Keith Wireless Card Access
access-list inside permit tcp host KeithWirelessCard any eq smtp
access-list inside permit icmp object-group ITExtendedAccess any
access-list inside remark Allow DNS For SERVER02
access-list inside permit udp host Server02-File-Virus any eq domain
access-list inside permit ip host Server06-Exchange any
access-list inside permit ip host SERVER13-12Exchange any
access-list inside permit ip host SERVER13-13Exchange any
access-list Admin_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list Admin_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 xx.16.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Server02-File-Virus xxx.16.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Server01-Mail-Inside xxx.16.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 xxx.16.0.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 172.16.0.248 255.255.255.248
access-list dmz_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 xxx.16.0.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 xxx.16.0.248 255.255.255.248
access-list xxxxxx_splitTunnelAcl permit ip host Server02-File-Virus any
access-list xxxxxx_splitTunnelAcl permit ip host Server01-Mail-Inside any
access-list xxxxxx_splitTunnelAcl permit ip host Server03-Safeword any
access-list dmz_access_in permit tcp host OWA host Server01-Mail-Inside object-group ExchangeDMZTCP
access-list dmz_access_in permit tcp host OWA host Server03-Safeword object-group ExchangeDMZTCP
access-list dmz_access_in remark Unmentioned ports
access-list dmz_access_in permit icmp host OWA host Server03-Safeword
access-list dmz_access_in remark Unmentioned ports
access-list dmz_access_in permit udp host OWA host Server03-Safeword object-group AddOWAtoMail
access-list dmz_access_in permit udp host OWA host Server01-Mail-Inside object-group ExchangeDMZUDP
access-list dmz_access_in permit udp host OWA host Server03-Safeword object-group ExchangeDMZUDP
access-list dmz_access_in permit udp host OWA host Server06-Exchange object-group ExchangeDMZUDP
access-list dmz_access_in remark Allow OWA server to get windows updates
access-list dmz_access_in permit tcp host OWA any eq www
access-list dmz_access_in remark
access-list dmz_access_in permit tcp host OWA any eq https
access-list dmz_access_in permit udp host OWA any eq domain
access-list dmz_access_in remark Bug Tracker https Access for the office
access-list dmz_access_in permit tcp host OWA any object-group AddOWAtoMailTCP
access-list dmz_access_in deny tcp host TRIGOLDTESTPC any
access-list dmz_access_in deny udp host TRIGOLDTESTPC any
access-list dmz_access_in deny icmp host TRIGOLDTESTPC any
access-list dmz_access_in deny ip host TRIGOLDTESTPC any
pager lines 24
logging on
logging trap debugging
logging host inside Server03-Safeword
no logging message 710005
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.109.xxx.162 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip address dmz TelephoneSupport 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool Admin-Pool xxx.16.0.250-xxx.16.0.254
ip local pool UsersPool xxx.16.0.1-xxx.16.0.249
pdm location Server03-Safeword 255.255.255.255 inside
pdm location PC31 255.255.255.255 inside
pdm location OWA 255.255.255.255 inside
pdm location Server01-Mail-Inside 255.255.255.255 inside
pdm location Server02-File-Virus 255.255.255.255 inside
pdm location OWA 255.255.255.255 dmz
pdm location 172.16.0.0 255.255.255.0 outside
pdm location CNS-Management1 255.255.255.240 outside
pdm location CNS-Management2 255.255.255.240 outside
pdm location xx.109.xxx.16 255.255.255.240 outside
pdm location xxx.16.0.1 255.255.255.255 outside
pdm location 192.168.0.132 255.255.255.255 inside
pdm location PC26xxxxxxxx 255.255.255.255 inside
pdm location Mat_Home 255.255.255.255 outside
pdm location Spider-net1 255.255.255.255 outside
pdm location Spider-net2 255.255.255.255 outside
pdm location Enterprise 255.255.255.255 outside
pdm location xxx.205.117.82 255.255.255.255 outside
pdm location xxx.158.73.44 255.255.255.255 outside
pdm location xxxxxxPC7 255.255.255.255 inside
pdm location xxPC4FTP 255.255.255.255 inside
pdm location PC5xxxxxxx 255.255.255.255 inside
pdm location TRIGOLDTESTPC 255.255.255.255 dmz
pdm location xxxxPC 255.255.255.255 inside
pdm location Keithxxxxxx 255.255.255.255 inside
pdm location KeithxxxxWirelessCard 255.255.255.255 inside
pdm location xxxxPC 255.255.255.255 inside
pdm location PC6xxxxPC 255.255.255.255 inside
pdm location xxxxxx 255.255.255.255 inside
pdm location TrainingRouter 255.255.255.255 dmz
pdm location xxx.16.0.248 255.255.255.248 outside
pdm location xxxxxxxPC32 255.255.255.255 inside
pdm location TelephonePABX 255.255.255.255 inside
pdm location TelephoneSupport 255.255.255.255 outside
pdm location LAPTOP31 255.255.255.255 inside
pdm location Server06-Exchange 255.255.255.255 inside
pdm location BlackspiderNew-4 255.255.224.0 outside
pdm location BlackspiderNew-3 255.255.248.0 outside
pdm location BlackspiderNew-1 255.255.248.0 outside
pdm location BlackspiderNew2 255.255.248.0 outside
pdm location xxxxxxxLAPTOP 255.255.255.255 inside
pdm location Laptop34xxxxx 255.255.255.255 inside
pdm location ProxyServer 255.255.255.255 inside
pdm location ProxyServer2 255.255.255.255 inside
pdm location xxxxxxxPC32-2 255.255.255.255 inside
pdm location Webmail 255.255.255.255 outside
pdm location SERVER13-13Exchange 255.255.255.255 inside
pdm location SERVER13-12Exchange 255.255.255.255 inside
pdm location PC38-Kay-Oblj 255.255.255.255 inside
pdm location 192.168.0.80 255.255.255.255 inside
pdm group FTPAccess inside
pdm group ITExtendedAccess inside
pdm group ExchangeServers inside
pdm group OWAServers inside
pdm logging warnings 200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,outside) Mail-Outside Server01-Mail-Inside netmask 255.255.255.255 0 0
static (dmz,outside) xxx.109.xxx.164 OWA netmask 255.255.255.255 0 0
static (inside,outside) Webmail Server06-Exchange netmask 255.255.255.255 0 0
static (inside,dmz) Server01-Mail-Inside Server01-Mail-Inside netmask 255.255.255.255 0 0
static (inside,dmz) Server03-Safeword Server03-Safeword netmask 255.255.255.255 0 0
static (inside,dmz) Server06-Exchange Server06-Exchange netmask 255.255.255.255 0 0
static (dmz,outside) xxx.109.xxx.165 TRIGOLDTESTPC netmask 255.255.255.255 0 0
static (inside,outside) TelephonePABX TelephonePABX netmask 255.255.255.255 0 0
static (inside,outside) xx.109.xxx.170 SERVER13-13Exchange netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.109.xxx.161 1
route inside SERVER13-13Exchange 255.255.255.255 Webmail 1
route inside TelephonePABX 255.255.255.255 xx.109.xxx.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
ntp server Server01-Mail-Inside source inside
http server enable
http CNS-Management1 255.255.255.240 outside
http CNS-Management2 255.255.255.240 outside
http xxxx_Home 255.255.255.255 outside
http Enterprise 255.255.255.255 outside
http Server03-Safeword 255.255.255.255 inside
http Server01-Mail-Inside 255.255.255.255 inside
http Server02-File-Virus 255.255.255.255 inside
http xxxxxxxxxPC31 255.255.255.255 inside
http 192.168.0.80 255.255.255.255 inside
http xxxxxxx 255.255.255.255 inside
tftp-server inside Server03-Safeword /PIX
floodguard enable
sysopt connection permit-ipsec
telnet xxxxxxxxPC31 255.255.255.255 inside
telnet Server03-Safeword 255.255.255.255 inside
telnet 192.168.0.80 255.255.255.255 inside
telnet xxxxPC 255.255.255.255 inside
telnet timeout 5
ssh CNS-Management1 255.255.255.240 outside
ssh CNS-Management2 255.255.255.240 outside
ssh Enterprise 255.255.255.255 outside
ssh Server03-Safeword 255.255.255.255 inside
ssh xxxxxxPC31 255.255.255.255 inside
ssh xxxxxx 255.255.255.255 inside
ssh timeout 10
console timeout 25
terminal width 80
: end

7 Replies

Panos Kampanakis
Cisco Employee

If you want to allow HTTPS access from the outside, you need to open the outside ACL.


You have "static (inside,outside) xx.109.xxx.170 SERVER13-13Exchange netmask 255.255.255.255 0 ", so what you would need to open is


access-list outside permit tcp any host 109.xxx.170 eq 443


I believe that will do the trick.


PK
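The reply above names the two halves an inbound flow needs on a PIX: a static that maps the server onto the outside interface, and a permit in the ACL applied inbound on outside whose destination is the mapped (public) address, not the real one. Below is an added example, not code from the thread or from Cisco, that checks exactly that against a running config with first-match semantics. It reads only the `name`, service `object-group`/`port-object`, `static`, `access-list` and `access-group` statements; network object-groups are recognised but not expanded. The embedded CONFIG is a constructed excerpt modelled on the statics and outside ACL posted above, with the masked public addresses replaced by RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x); the host names are the ones from the config, the addresses are assumptions.

```python
# Added example (not from the thread or from Cisco): can the outside reach a given
# host:port through a PIX 6.3 config? Only name / service object-group / static /
# access-list / access-group are parsed; network object-groups are not expanded.
import ipaddress

# Constructed excerpt modelled on the thread's statics and outside ACL, with the
# masked public addresses replaced by RFC 5737 documentation addresses.
CONFIG = """
name 203.0.113.163 Mail-Outside
name 198.51.100.190 Spider-net1
name 10.0.0.3 TRIGOLDTESTPC
name 192.168.0.2 Server01-Mail-Inside
name 192.168.0.13 SERVER13-13Exchange
object-group service Https tcp
  port-object eq https
  port-object eq 57483
access-list outside permit tcp host Spider-net1 host Mail-Outside eq smtp
access-list outside permit tcp any host 203.0.113.165
access-list outside permit tcp any host 203.0.113.170 object-group Https
static (inside,outside) Mail-Outside Server01-Mail-Inside netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.165 TRIGOLDTESTPC netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.170 SERVER13-13Exchange netmask 255.255.255.255 0 0
access-group outside in interface outside
"""
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "domain": 53, "ftp": 21, "ssh": 22, "ldap": 389}

def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_ace(t, names, groups):
    """Tokens of 'access-list <acl> <action> <proto> <src> [ports] <dst> [ports]' -> dict."""
    def endpoint(i):  # -> "any" | "host <ip>" | "net <ip>/<mask>" | "group <name>"
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return "host " + names.get(t[i + 1], t[i + 1]), i + 2
        if t[i] == "object-group":
            return "group " + t[i + 1], i + 2
        return "net %s/%s" % (names.get(t[i], t[i]), t[i + 1]), i + 2

    def ports(i):  # optional 'eq <port>' or service object-group; None = every port
        if i < len(t) and t[i] == "eq":
            return frozenset([port_num(t[i + 1])]), i + 2
        if i < len(t) and t[i] == "object-group" and t[i + 1] in groups:
            return frozenset(groups[t[i + 1]]), i + 2
        return None, i

    src, i = endpoint(4)
    _, i = ports(i)  # source ports do not decide inbound exposure
    dst, i = endpoint(i)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst,
            "dports": ports(i)[0], "line": " ".join(t)}

def parse(config):
    names, groups, statics, aces, bound, group = {}, {}, [], {}, {}, None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] not in ("port-object", "description"):
            group = None  # any other command ends an object-group stanza
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "object-group" and t[1] == "service":
            group = groups.setdefault(t[2], set())
        elif t[0] == "port-object" and group is not None:  # 'eq P' or 'range P Q'
            group.update(range(port_num(t[2]), port_num(t[-1]) + 1))
        elif t[0] == "static":  # static (real_if,mapped_if) <mapped> <real> ...
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append((real_if, mapped_if, names.get(t[2], t[2]), names.get(t[3], t[3])))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            aces.setdefault(t[1], []).append(parse_ace(t, names, groups))
        elif t[0] == "access-group":  # access-group <acl> in interface <if>
            bound[t[4]] = t[1]
    return names, statics, aces, bound

def addr_matches(spec, ip):
    kind, _, val = spec.partition(" ")
    if kind == "net":  # val is "<ip>/<dotted mask>", which ip_network accepts
        return ipaddress.ip_address(ip) in ipaddress.ip_network(val, strict=False)
    return kind == "any" or (kind == "host" and val == ip)  # groups never match

def inbound_allowed(config, real_host, proto, port, src_ip=None):
    """First-match check of outside -> real_host:port. Needs BOTH a static mapping the
    host onto outside AND a permit in the ACL bound inbound on outside whose destination
    is the MAPPED address. src_ip=None means an arbitrary Internet host (only 'any' sources count)."""
    names, statics, aces, bound = parse(config)
    real_ip = names.get(real_host, real_host)
    mapped = [m for _, mif, m, r in statics if mif == "outside" and r == real_ip]
    if not mapped:
        return False, f"no static (<if>,outside) for {real_host}; nothing to reach"
    acl = bound.get("outside")
    for a in aces.get(acl, []):
        if a["proto"] not in (proto, "ip") or not addr_matches(a["dst"], mapped[0]):
            continue
        if a["dports"] is not None and port not in a["dports"]:
            continue
        if not (a["src"] == "any" if src_ip is None else addr_matches(a["src"], src_ip)):
            continue
        return a["action"] == "permit", f"{a['action']} by '{a['line']}'"
    return False, f"no entry in '{acl}' for {mapped[0]} {proto}/{port}; implicit deny"
```

`inbound_allowed(CONFIG, "SERVER13-13Exchange", "tcp", 443)` returns True with the permitting line, while port 80 on the same host and any port on a host that has no `static` onto outside come back False, which is the two-part check the reply describes. Two things worth noticing when it is pointed at the real config: a line with no port qualifier, like the thread's `access-list outside permit tcp any host xx.109.xxx.165`, matches every TCP port, so the DMZ test host is fully exposed, not just for Terminal Services as its remark says; and a permit restricted to a named source (the SMTP relays) only shows as reachable when `src_ip` is one of those addresses. On the PIX itself the equivalent confirmation is `show xlate` for the static translation and `show access-list outside` for per-entry hit counts.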

OK, I have tried the rule you mention above, but it has had no effect; I get nothing when I try to access the site.

I have confirmed the line (access-list outside permit tcp any host 109.xxx.170 eq 443) is now in my config.

OK, strike that: I have managed to get it working. I am, however, baffled as to how I managed it. The machine in question has two network cards, 192.168.0.12 and 192.168.0.13.

I was using the .12 address for internal and .13 for external. To get the webmail working I had to make a static route for 192.168.0.12 to xx.xxx.xxx.170 and set an access rule to allow SSL traffic to the .13 address. Now, I thought that simply changing everything, including the static route, to the .13 address would also work; however, it breaks when I change the static route from .12 to .13??

I am a complete newbie to PIXs, but what am I missing here?

I didn't get exactly what you did to make it work. I got up to the dual NICs for the server part.

Can you post the config you put in to make it work?

Panos

Of course:

Result of firewall command: "sh run"

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pix
domain-name xxxxxxxxxxxx.co.uk
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xx.109.xxx.163 Mail-Outside
name 10.0.0.2 OWA
name 217.158.73.32 CNS-Management1
name 212.158.220.96 CNS-Management2
name 82.133.126.35 Mat_Home
name 217.69.20.190 Spider-net1
name 217.79.216.190 Spider-net2
name 217.205.117.85 Enterprise
name 192.168.0.108 PC7
name 192.168.0.103 PC4FTP
name 192.168.0.111 PC5
name 10.0.0.3 TRIGOLDTESTPC
name 192.168.0.102 xxxxxx
name 192.168.0.150 KBLaptop
name 192.168.0.151 KBWirelessCard
name 192.168.0.122 PC423423
name 192.168.0.120 PC6
name 192.168.0.7 xxxxxxPC31
name 192.168.0.117 user1234
name 10.0.0.4 TrainingRouter
name 192.168.0.133 PC26FTP
name 192.168.0.3 Server02-File-Virus
name 192.168.0.2 Server01-Mail-Inside
name 192.168.0.4 Server03-Safeword
name 192.168.0.115 xxxxxx
name 10.0.0.1 TelephoneSupport
name 192.168.0.35 TelephonePABX
name 192.168.0.154 LAPTOP31
name 208.87.232.0 BlackspiderNew2
name 85.115.32.0 BlackspiderNew-4
name 86.111.216.0 BlackspiderNew-3
name 116.50.56.0 BlackspiderNew-1
name 192.168.0.136 LAPTOP
name 192.168.0.168 Laptop34
name 192.168.0.8 Server06-Exchange
name 192.168.0.34 ProxyServer
name 192.168.0.33 ProxyServer2
name 192.168.0.19 xxxxxx-2
name xx.109.xxx.166 Webmail
name 192.168.0.13 SERVER13-13Exchange
name 192.168.0.12 SERVER13-12Exchange
name 192.168.0.18 PC38-xxxxxx
object-group service ExchangeDMZTCP tcp
  description TCP ports used by Exchange Front to Back End
  port-object eq ldap
  port-object eq 691
  port-object eq www
  port-object eq 88
  port-object eq 3268
  port-object eq domain
  port-object eq 135
  port-object eq 5001
object-group service ExchangeDMZUDP udp
  description UDP ports used by Exchange Front to Back End
  port-object eq 389
  port-object eq 88
  port-object eq domain
  port-object eq 691
  port-object eq 3268
  port-object eq 2833
object-group service AddMail2OWA tcp
  port-object eq 137
  port-object eq 135
  port-object eq 445
object-group service AddOWAtoMail udp
  port-object eq netbios-ns
object-group service AddOWAtoMailTCP tcp
  port-object eq 445
  port-object eq netbios-ssn
  port-object eq https
object-group service TerminalService tcp
  description Terminal Services for Access Sorce Server
  port-object eq 3389
  port-object eq ssh
object-group service CiscoVPN udp
  description Cisco Outbound UDP Ports 10000 4500 500
  port-object range isakmp isakmp
  port-object range 10000 10000
  port-object range 4500 4500
object-group network FTPAccess
  network-object PC4FTP 255.255.255.255
  network-object PC7 255.255.255.255
  network-object xxxxxxPC31 255.255.255.255
  network-object PC5 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object PC6 255.255.255.255
  network-object PC26FTP 255.255.255.255
  network-object LAPTOP31 255.255.255.255
object-group network ITExtendedAccess
  description Extended Access For IT PCs
  network-object xxxxxxPC31 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object PC423423 255.255.255.255
  network-object user1234 255.255.255.255
  network-object xxxxxx 255.255.255.255
  network-object PC38-xxxxxx 255.255.255.255
  network-object LAPTOP 255.255.255.255
  network-object Laptop34 255.255.255.255
  network-object ProxyServer 255.255.255.255
  network-object ProxyServer2 255.255.255.255
  network-object xxxxxx-2 255.255.255.255
object-group service PhoneSystem tcp
  description Port 5000 For our Phones
  port-object range 5000 5000
object-group service Remotebackup tcp
  port-object range 4401 4408
object-group service TishWEBAccess tcp
  description Access For Tish For Web Admin
  port-object range 2222 2222
  port-object range 50000 60000
object-group service Https tcp
  description SERVER04 Access for All
  port-object eq https
  port-object eq 57483
object-group service RemoteBackup udp
  port-object range 4401 4408
object-group network ExchangeServers
  network-object Server01-Mail-Inside 255.255.255.255
  network-object Server06-Exchange 255.255.255.255
  network-object SERVER13-12Exchange 255.255.255.255
  network-object SERVER13-13Exchange 255.255.255.255
object-group network OWAServers
  description Group to Allow OWA Services
  network-object SERVER13-13Exchange 255.255.255.255
access-list outside remark Allow SMTP to Mailserver (Live)
access-list outside permit tcp host Spider-net1 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (Live)
access-list outside permit tcp host Spider-net2 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew-1 255.255.248.0 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew2 255.255.248.0 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew-3 255.255.248.0 host Mail-Outside eq smtp
access-list outside remark Allow SMTP to Mailserver (New)
access-list outside permit tcp BlackspiderNew-4 255.255.224.0 host Mail-Outside eq smtp
access-list outside deny ip host Enterprise host Mail-Outside
access-list outside remark Web Publishing test
access-list outside permit tcp any eq www host Webmail eq www
access-list outside remark Allow OWA Access
access-list outside permit tcp any host xx.109.xxx.164 eq https
access-list outside remark Allow Terminal Services Access
access-list outside permit tcp any host xx.109.xxx.165
access-list outside permit tcp any host xx.109.xxx.170 eq https
access-list inside remark Allow DNS
access-list inside permit udp host Server03-Safeword any eq domain
access-list inside remark Additional ports required for OWA Access
access-list inside permit tcp host Server03-Safeword any object-group AddMail2OWA
access-list inside remark Blackberry SRP Communication
access-list inside permit tcp host Server03-Safeword any eq 3101
access-list inside permit udp host Server01-Mail-Inside any eq domain
access-list inside remark Allow FTP for Anti-Virus
access-list inside permit tcp host Server02-File-Virus any eq ftp
access-list inside remark Allow HTTP
access-list inside permit tcp any any eq www
access-list inside remark Allow HTTPS
access-list inside permit tcp any any eq https
access-list inside remark changed for Mortgage Stream
access-list inside permit tcp object-group ITExtendedAccess any object-group TishWEBAccess
access-list inside remark Mail to Spidernet(Existing)
access-list inside permit tcp host Server01-Mail-Inside host Spider-net1 eq smtp
access-list inside remark Mail to Spidernet (Existing)
access-list inside permit tcp host Server01-Mail-Inside host Spider-net2 eq smtp
access-list inside remark BlackspiderNew1
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew-1 255.255.248.0 eq smtp
access-list inside remark BlackspiderNew2
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew2 255.255.248.0 eq smtp
access-list inside remark BlackspiderNew3
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew-3 255.255.248.0 eq smtp
access-list inside remark BlackspiderNew4
access-list inside permit tcp host Server01-Mail-Inside BlackspiderNew-4 255.255.224.0 eq smtp
access-list inside remark Ftp Access For All Recruitment
access-list inside permit tcp any any eq ftp
access-list inside remark Ftp Access For All Recruitment
access-list inside permit tcp object-group FTPAccess any eq ftp
access-list inside remark Terminal Services Access For PC For sorce Test Server
access-list inside permit tcp object-group ITExtendedAccess any object-group TerminalService
access-list inside permit udp object-group ITExtendedAccess object-group CiscoVPN any object-group CiscoVPN
access-list inside remark Laptop Pop 3 Access
access-list inside permit tcp host KBWirelessCard any eq pop3
access-list inside remark Wireless Card Access
access-list inside permit tcp host KBWirelessCard any eq smtp
access-list inside permit icmp object-group ITExtendedAccess any
access-list inside remark Allow DNS For SERVER02
access-list inside permit udp host Server02-File-Virus any eq domain
access-list inside permit ip host Server06-Exchange any
access-list inside permit ip host SERVER13-12Exchange any
access-list inside permit ip host SERVER13-13Exchange any
access-list Admin_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list Admin_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Server02-File-Virus 172.16.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host Server01-Mail-Inside 172.16.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 172.16.0.248 255.255.255.248
access-list inside_outbound_nat0_acl permit ip any 172.16.0.248 255.255.255.248
access-list dmz_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 172.16.0.248 255.255.255.248
access-list HomeofChoice_splitTunnelAcl permit ip host Server02-File-Virus any
access-list HomeofChoice_splitTunnelAcl permit ip host Server01-Mail-Inside any
access-list HomeofChoice_splitTunnelAcl permit ip host Server03-Safeword any
access-list dmz_access_in permit tcp host OWA host Server01-Mail-Inside object-group ExchangeDMZTCP
access-list dmz_access_in permit tcp host OWA host Server03-Safeword object-group ExchangeDMZTCP
access-list dmz_access_in remark Unmentioned ports
access-list dmz_access_in permit icmp host OWA host Server03-Safeword
access-list dmz_access_in remark Unmentioned ports
access-list dmz_access_in permit udp host OWA host Server03-Safeword object-group AddOWAtoMail
access-list dmz_access_in permit udp host OWA host Server01-Mail-Inside object-group ExchangeDMZUDP
access-list dmz_access_in permit udp host OWA host Server03-Safeword object-group ExchangeDMZUDP
access-list dmz_access_in permit udp host OWA host Server06-Exchange object-group ExchangeDMZUDP
access-list dmz_access_in remark Allow OWA server to get windows updates
access-list dmz_access_in permit tcp host OWA any eq www
access-list dmz_access_in remark
access-list dmz_access_in permit tcp host OWA any eq https
access-list dmz_access_in permit udp host OWA any eq domain
access-list dmz_access_in remark Bug Tracker https Access for the office
access-list dmz_access_in permit tcp host OWA any object-group AddOWAtoMailTCP
access-list dmz_access_in deny tcp host TRIGOLDTESTPC any
access-list dmz_access_in deny udp host TRIGOLDTESTPC any
access-list dmz_access_in deny icmp host TRIGOLDTESTPC any
access-list dmz_access_in deny ip host TRIGOLDTESTPC any
pager lines 24
logging on
logging trap debugging
logging host inside Server03-Safeword
no logging message 710005
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.109.xxx.162 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip address dmz TelephoneSupport 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Server03-Safeword 255.255.255.255 inside
pdm location xxxxxxPC31 255.255.255.255 inside
pdm location OWA 255.255.255.255 inside
pdm location Server01-Mail-Inside 255.255.255.255 inside
pdm location Server02-File-Virus 255.255.255.255 inside
pdm location OWA 255.255.255.255 dmz
pdm location 172.16.0.0 255.255.255.0 outside
pdm location CNS-Management1 255.255.255.240 outside
pdm location CNS-Management2 255.255.255.240 outside
pdm location xx.109.xxx.16 255.255.255.240 outside
pdm location 172.16.0.1 255.255.255.255 outside
pdm location 192.168.0.132 255.255.255.255 inside
pdm location PC26FTP 255.255.255.255 inside
pdm location xxx_Home 255.255.255.255 outside
pdm location Spider-net1 255.255.255.255 outside
pdm location Spider-net2 255.255.255.255 outside
pdm location Enterprise 255.255.255.255 outside
pdm location 217.xxx.117.xx 255.255.255.255 outside
pdm location 217.xxx.73.xx 255.255.255.255 outside
pdm location PC7 255.255.255.255 inside
pdm location PC4FTP 255.255.255.255 inside
pdm location PC5 255.255.255.255 inside
pdm location TRIGOLDTESTPC 255.255.255.255 dmz
pdm location xxxxxx 255.255.255.255 inside
pdm location KBLaptop 255.255.255.255 inside
pdm location KBWirelessCard 255.255.255.255 inside
pdm location PC423423 255.255.255.255 inside
pdm location PC6 255.255.255.255 inside
pdm location user1234 255.255.255.255 inside
pdm location TrainingRouter 255.255.255.255 dmz
pdm location 172.16.0.248 255.255.255.248 outside
pdm location xxxxxx 255.255.255.255 inside
pdm location TelephonePABX 255.255.255.255 inside
pdm location TelephoneSupport 255.255.255.255 outside
pdm location LAPTOP31 255.255.255.255 inside
pdm location Server06-Exchange 255.255.255.255 inside
pdm location BlackspiderNew-4 255.255.224.0 outside
pdm location BlackspiderNew-3 255.255.248.0 outside
pdm location BlackspiderNew-1 255.255.248.0 outside
pdm location BlackspiderNew2 255.255.248.0 outside
pdm location LAPTOP 255.255.255.255 inside
pdm location Laptop34 255.255.255.255 inside
pdm location ProxyServer 255.255.255.255 inside
pdm location ProxyServer2 255.255.255.255 inside
pdm location xxxxxx-2 255.255.255.255 inside
pdm location Webmail 255.255.255.255 outside
pdm location SERVER13-13Exchange 255.255.255.255 inside
pdm location SERVER13-12Exchange 255.255.255.255 inside
pdm location PC38-xxxxxx 255.255.255.255 inside
pdm location 192.168.0.80 255.255.255.255 inside
pdm location xx.109.xxx.170 255.255.255.255 outside
pdm group FTPAccess inside
pdm group ITExtendedAccess inside
pdm group ExchangeServers inside
pdm group OWAServers inside
pdm logging warnings 200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,outside) Mail-Outside Server01-Mail-Inside netmask 255.255.255.255 0 0
static (dmz,outside) xx.109.xxx.164 OWA netmask 255.255.255.255 0 0
static (inside,outside) Webmail Server06-Exchange netmask 255.255.255.255 0 0
static (inside,dmz) Server01-Mail-Inside Server01-Mail-Inside netmask 255.255.255.255 0 0
static (inside,dmz) Server03-Safeword Server03-Safeword netmask 255.255.255.255 0 0
static (inside,dmz) Server06-Exchange Server06-Exchange netmask 255.255.255.255 0 0
static (dmz,outside) xx.109.xxx.165 TRIGOLDTESTPC netmask 255.255.255.255 0 0
static (inside,outside) TelephonePABX TelephonePABX netmask 255.255.255.255 0 0
static (inside,outside) xx.109.xxx.170 SERVER13-13Exchange netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.109.xxx.161 1
route inside SERVER13-12Exchange 255.255.255.255 xx.109.xxx.170 1
route inside TelephonePABX 255.255.255.255 xx.109.xxx.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
ntp server Server01-Mail-Inside source inside
http server enable
http CNS-Management1 255.255.255.240 outside
http CNS-Management2 255.255.255.240 outside
http xxx_Home 255.255.255.255 outside
http Enterprise 255.255.255.255 outside
http Server03-Safeword 255.255.255.255 inside
http Server01-Mail-Inside 255.255.255.255 inside
http Server02-File-Virus 255.255.255.255 inside
http xxxxxxPC31 255.255.255.255 inside
http 192.168.0.80 255.255.255.255 inside
http xxxxxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community thisismyhomeofchoice
no snmp-server enable traps
tftp-server inside Server03-Safeword /PIX
floodguard enable
sysopt connection permit-ipsec
telnet xxxxxxPC31 255.255.255.255 inside
telnet Server03-Safeword 255.255.255.255 inside
telnet 192.168.0.80 255.255.255.255 inside
telnet xxxxxx 255.255.255.255 inside
telnet timeout 5
ssh CNS-Management1 255.255.255.240 outside
ssh CNS-Management2 255.255.255.240 outside
ssh Enterprise 255.255.255.255 outside
ssh Server03-Safeword 255.255.255.255 inside
ssh xxxxxxPC31 255.255.255.255 inside
ssh xxxxxx 255.255.255.255 inside
ssh timeout 10
console timeout 25
terminal width 80
: end

name 192.168.0.13 SERVER13-13Exchange
name 192.168.0.12 SERVER13-12Exchange

To allow outside people to reach your server on 443 from outside you need:
- an outside ACL to allow outside people to reach xx.109.xxx.170 on that port
- a static translation for the global and local IP of the server
static (inside,outside) xx.109.xxx.170 SERVER13-13Exchange netmask 255.255.255.255 0 0
- a route to the local IP of the server so that the PIX can route to it
route inside SERVER13-13Exchange 255.255.255.255 Webmail 1

So, that is why it works with the above.

Now as for .12 it is used for inside people to use webmail so they will just talk to it locally without the PIX being involved.

I hope it makes sense.

PK

There is no point really in having multiple IPs on your server since you're doing the static on the ASA anyway.

The solution that pkampana posted earlier is the right way to do it. Basically, to publish a server on the net (on a public IP) what you need is two things:

1. A static nat statement

2. An ACL entry on your outside interface.

So something like:

static (dmz,outside) 93.155.43.232 192.168.1.232 netmask 255.255.255.255

access-list ACL-OUTSIDE extended permit tcp any host 93.155.43.232 eq 443 log

That is all there is to it.
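The two replies above give the pieces in ASA syntax; the following is an added example (not from either poster) that puts them together in PIX 6.3 syntax, using the names and the masked global address already present in the posted configuration. The ACL name `outside` is taken from the existing `access-group outside in interface outside` line; everything else (comments, the verification commands) is assumption for illustration. Note that a host route is not needed here: SERVER13-13Exchange is 192.168.0.13, which lies inside the directly connected inside subnet 192.168.0.0/24.

```cisco
! Added example, not from the original posters. Publishes SERVER13-13Exchange
! (192.168.0.13) on TCP/443 only, reusing the names and the masked global
! address xx.109.xxx.170 already present in the posted PIX 6.3 config.

! 1. One-to-one static translation: global xx.109.xxx.170 <-> inside 192.168.0.13.
!    This line already exists in the posted config and is repeated for completeness.
static (inside,outside) xx.109.xxx.170 SERVER13-13Exchange netmask 255.255.255.255 0 0

! 2. Permit HTTPS from anywhere to the *global* (translated) address only.
!    On PIX 6.3 an ACL applied inbound on the outside interface matches the
!    pre-NAT global address, not the inside address, so the host here is
!    xx.109.xxx.170 and not SERVER13-13Exchange. No port 80 is opened.
access-list outside permit tcp any host xx.109.xxx.170 eq https

! 3. Bind the ACL inbound on the outside interface (also already present).
access-group outside in interface outside

! 4. On PIX 6.x an existing translation table entry can mask a new or changed
!    static; clear xlate so the new static takes effect for new connections.
clear xlate

! Verification: confirm the static, the ACL hit counts and the live translation.
show static
show access-list outside
show xlate
```

Because the posted config already contains the static and the access-group binding, the only line actually missing for OWA on 443 is the `access-list outside permit tcp any host xx.109.xxx.170 eq https` entry; an entry on the inside ACL, as in the original question, only governs traffic initiated from the inside and does nothing for connections arriving on the outside interface.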
