ASA 5510 Port 443 Forwarding to OWA

Unanswered Question
Jan 7th, 2010

I have an Outlook Web Access front end server set up in our internal network.  I can connect to it successfully from all internal addresses including our DMZ.

I need to publish OWA to the Internet and I have an external IP address set specifically for this purpose.  I have set up the Access Rules and NAT rules identical to what is already set up for the external IP addresses of our web server, but I can't get this new address to work.   Here's the commands I have set:



access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq www
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https

static (inside,outside) tcp 66.xxx.xxx.235 www 10.xxx.xxx.35 www netmask 255.255.255.255
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255


From what I've read these are the only commands I need to forward those ports from our external IP address to one of our internal addresses.


Are these commands correct?


Any help would be greatly appreciated.

Joe B Danford Thu, 01/07/2010 - 12:28
User Badges:
  • Cisco Employee,

Usually that is enough. Here are a few things to check:

1. Is the ACL getting hits on the new entries you created?

show access-list outside_acl | i 66.xxx.xxx.235

2. Does the internal server have a good route to the internet address? netstat -nr

3. If there are multiple NICs on the server be sure it is using the correct one to reply on.

4. Try using the packet-tracer command to test the policy to make sure nothing else could be causing a problem

packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 80 detailed

This will run the flow against the FW policy and will tell you if the flow can be created or not and why.
Also, how are you testing to the NAT'd IP? From the internet or internally? When you try to make the connection what happens? Browser error?

vpi_is Thu, 01/07/2010 - 12:50

1.  Yes, I'm trying to connect to the external address from outside our firewall and I'm getting hits.

2.  Not sure what you are looking for here.  The netstat -nr shows the routes out to the Internet, yes.   But can I ping that external address from the internal server? No.

3.  One NIC.

The browser gets a "Connection has timed out" error.

4.  That looks good:



Result of the command: "packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 443  detailed"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
  match tcp inside host 10.xxx.xxx.35 eq 443 outside any
    static translation to 66.xxx.xxx.235/443
    translate_hits = 1, untranslate_hits = 6
Additional Information:
NAT divert to egress interface inside
Untranslate 66.xxx.xxx.235/443 to 10.xxx.xxx.35/443 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7f31c58, priority=12, domain=permit, deny=false
    hits=3, user_data=0xd7f34328, cs_id=0x0, flags=0x0, protocol=6
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=66.xxx.xxx.235, mask=255.255.255.255, port=443, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd56a0f70, priority=0, domain=permit-ip-option, deny=true
    hits=184693197, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd5fd7ad8, priority=12, domain=ipsec-tunnel-flow, deny=true
    hits=26378541, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
  match tcp inside host 10.xxx.xxx.35 eq 443 outside any
    static translation to 66.xxx.xxx.235/443
    translate_hits = 1, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd76b22b0, priority=5, domain=nat-reverse, deny=false
    hits=5, user_data=0xd708ab78, cs_id=0x0, flags=0x0, protocol=6
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.xxx.xxx.35, mask=255.255.255.255, port=443, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
  match tcp inside host 10.xxx.xxx.35 eq 443 outside any
    static translation to 66.xxx.xxx.235/443
    translate_hits = 1, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd76c2558, priority=5, domain=host, deny=false
    hits=269, user_data=0xd708ab78, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.xxx.xxx.35, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd574da28, priority=0, domain=permit-ip-option, deny=true
    hits=128806934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 272290424, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.95.1.1 using egress ifc inside
adjacency Active
next-hop mac address 001b.0c9f.c5ff hits 254045

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow



Also, I'm testing both internally and from the Internet.  Internally works fine, externally, no.
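Reading a ten-phase packet-tracer dump by eye is error-prone, and the thread shows why the check matters: the trace above says the ASA allows the flow, so the time-out has to be looked for behind the firewall. The following parser is an added example and not code from the thread or from Cisco. It splits a `packet-tracer ... detailed` dump into phases, pulls out the un-NAT mapping, and reports the first phase that did not ALLOW together with the ASA's Drop-reason. Both sample traces are constructed: SAMPLE_ALLOW is trimmed from the trace posted above, SAMPLE_DROP is an invented case in which no ACL entry permits the flow (the `Implicit Rule` / `acl-drop` wording is what the ASA prints in that situation).

```python
# Parser for Cisco ASA "packet-tracer ... detailed" output. Added example, not
# from the thread. Both traces below are constructed sample input.
import re
from dataclasses import dataclass, field

SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
Additional Information:
Untranslate 66.xxx.xxx.235/443 to 10.xxx.xxx.35/443 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

SAMPLE_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

UNTRANSLATE_RE = re.compile(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)")

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    info: list = field(default_factory=list)   # Config / Additional Information lines

def parse_packet_tracer(text):
    """Return {"phases": [Phase...], "action": ..., "drop_reason": ..., "nat": {...}}."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
        elif line == "Result:":       # bare header: the per-flow summary starts here
            current, in_summary = None, True
        elif in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif current is not None:
            key, _, val = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), val.strip())
            elif key not in ("Config", "Additional Information"):
                current.info.append(line)
    nat = {}   # public -> private mapping reported by the UN-NAT phase, if any
    for p in [p for p in phases if p.type == "UN-NAT"]:
        for m in filter(None, map(UNTRANSLATE_RE.search, p.info)):
            nat = {"public": m.group(1), "public_port": int(m.group(2)),
                   "private": m.group(3), "private_port": int(m.group(4))}
    return {"phases": phases, "action": summary.get("Action", ""),
            "drop_reason": summary.get("Drop-reason", ""), "nat": nat}

def first_drop(trace):
    """The first phase whose Result is not ALLOW, or None when every phase passed."""
    return next((p for p in trace["phases"] if p.result != "ALLOW"), None)

def verdict(trace):
    """One-line verdict naming the failing phase and the ASA drop reason, if any."""
    bad = first_drop(trace)
    if bad is None:
        return f"allow ({len(trace['phases'])} phases passed, nat={trace['nat'] or 'none'})"
    return f"drop at phase {bad.number} {bad.type}: {trace['drop_reason']}"
```

Paste a real trace into `parse_packet_tracer` and `verdict` tells you in one line whether the firewall is the problem; when it prints an allow with the expected NAT mapping, as it does for the trace in this thread, the next place to look is the server's listener and its default route, not the ASA policy.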

Joe B Danford Thu, 01/07/2010 - 13:05
User Badges:
  • Cisco Employee,

When I try to go to https://66.xxx.xxx.235 it works. I get an "Under Construction" message. http just times out. So it seems it works with https and not http. I would check the server. I changed the public IP to protect it from being exposed.

vpi_is Thu, 01/07/2010 - 13:09

Strange.  Ok, thanks for your help.   I guess maybe it's not the ASA causing my problems.
