ASA 5510 Port 443 Forwarding to OWA

Unanswered Question
Jan 7th, 2010

I have an Outlook Web Access front-end server set up in our internal network. I can connect to it successfully from all internal addresses, including our DMZ.

I need to publish OWA to the Internet, and I have an external IP address set aside specifically for this purpose. I have set up the Access Rules and NAT rules identical to what is already set up for the external IP addresses of our web server, but I can't get this new address to work. Here are the commands I have set:

access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq www
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https

static (inside,outside) tcp 66.xxx.xxx.235 www 10.xxx.xxx.35 www netmask 255.255.255.255

static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255

From what I've read these are the only commands I need to forward those ports from our external IP address to one of our internal addresses.

Are these commands correct?

Any help would be greatly appreciated.

Joe B Danford Thu, 01/07/2010 - 12:28

Usually that is enough. Here are a few things to check:

1. Is the ACL getting hits on the new entries you created?

show access-list outside_acl | i 66.xxx.xxx.235

2. Does the internal server have a good route to the Internet address? (netstat -nr)

3. If there are multiple nics on the server be sure it is using the correct one to reply on.

4. Try using the packet-tracer command to test the policy to make sure nothing else could be causing a problem:


packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 80  detailed

This will run the flow against the FW policy and will tell you if the flow can be created or not and why.
Also, how are you testing to the nat'd IP? From the internet or internally. When you try to make the connection what happens? Browser error?

vpi_is Thu, 01/07/2010 - 12:50

1.  Yes, I'm trying to connect to the external address from outside our firewall and I'm getting hits.

2.  Not sure what you are looking for here.  netstat -nr shows the routes out to the Internet, yes.   But can I ping that external address from the internal server? No.

3.  One NIC.

The browser gets a "Connection has timed out" error.

4.  That looks good:

Result of the command: "packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 443  detailed"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
  match tcp inside host 10.xxx.xxx.35 eq 443 outside any
    static translation to 66.xxx.xxx.235/443
    translate_hits = 1, untranslate_hits = 6
Additional Information:
NAT divert to egress interface inside
Untranslate 66.xxx.xxx.235/443 to 10.xxx.xxx.35/443 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7f31c58, priority=12, domain=permit, deny=false
    hits=3, user_data=0xd7f34328, cs_id=0x0, flags=0x0, protocol=6
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=66.xxx.xxx.235, mask=255.255.255.255, port=443, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd56a0f70, priority=0, domain=permit-ip-option, deny=true
    hits=184693197, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd5fd7ad8, priority=12, domain=ipsec-tunnel-flow, deny=true
    hits=26378541, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
  match tcp inside host 10.xxx.xxx.35 eq 443 outside any
    static translation to 66.xxx.xxx.235/443
    translate_hits = 1, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd76b22b0, priority=5, domain=nat-reverse, deny=false
    hits=5, user_data=0xd708ab78, cs_id=0x0, flags=0x0, protocol=6
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.xxx.xxx.35, mask=255.255.255.255, port=443, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
nat-control
  match tcp inside host 10.xxx.xxx.35 eq 443 outside any
    static translation to 66.xxx.xxx.235/443
    translate_hits = 1, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd76c2558, priority=5, domain=host, deny=false
    hits=269, user_data=0xd708ab78, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.xxx.xxx.35, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xd574da28, priority=0, domain=permit-ip-option, deny=true
    hits=128806934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 272290424, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.95.1.1 using egress ifc inside
adjacency Active
next-hop mac address 001b.0c9f.c5ff hits 254045

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Also, I'm testing both internally and from the Internet.  Internally works fine, externally, no.
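The trace above is easy to read by eye once, but when several published services are being checked (Joe's step 4, run once per published port) it helps to have something that pulls out the decision for you: which phase allowed or dropped the flow, what the static un-translated the public address to, and the ASA's drop reason when there is one. The following is an added example, not code from the thread or from Cisco. ALLOW_TRACE is an abridged copy of the trace posted above (only phases 2 and 3 and the final Result block are kept); DROP_TRACE is a constructed sample, in the same format, of what the ASA prints when the access-list phase denies the port 80 flow for the same static.

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output into phases and a verdict.
Added example, not code from the thread or from Cisco.  ALLOW_TRACE is an
abridged copy of the trace posted in the thread (phases 2 and 3 only);
DROP_TRACE is a constructed access-list denial for the same static on port 80."""
import re

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase: n' block, plus the
    trailing bare 'Result:' block (interfaces, Action, Drop-reason) as a dict."""
    phases, summary, cur, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":                # bare 'Result:' opens the summary block
            cur, in_summary = None, True
            continue
        key, _, val = line.partition(":")
        if in_summary:
            summary[key.strip()] = val.strip()
        elif cur is None:                    # banner text before the first phase
            continue
        elif key in ("Type", "Subtype", "Result") and section is None:
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is not None:            # body line of the current section
            cur[section].append(line)
    return phases, summary

def verdict(phases, summary):
    """Final action, egress interface, dropping phase (if any), ASA drop reason,
    and the un-NAT mapping as (mapped address/port, real address/port)."""
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    unnat = None
    for p in phases:
        for m in (re.match(r"Untranslate (\S+) to (\S+)", ln) for ln in p["info"]):
            if m:
                unnat = (m.group(1), m.group(2))
    return {"action": summary.get("Action"),
            "egress": summary.get("output-interface"),
            "dropped_by": drop and (drop["type"] + ("/" + drop["subtype"] if drop["subtype"] else "")),
            "drop_reason": summary.get("Drop-reason"),
            "untranslate": unnat}

ALLOW_TRACE = """\
Result of the command: "packet-tracer input outside tcp 4.2.2.1 1024 66.xxx.xxx.235 443  detailed"

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 https 10.xxx.xxx.35 https netmask 255.255.255.255
Additional Information:
Untranslate 66.xxx.xxx.235/443 to 10.xxx.xxx.35/443 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list outside_acl extended permit tcp any host 66.xxx.xxx.235 eq https
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

DROP_TRACE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp 66.xxx.xxx.235 www 10.xxx.xxx.35 www netmask 255.255.255.255
Additional Information:
Untranslate 66.xxx.xxx.235/80 to 10.xxx.xxx.35/80 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for trace in (ALLOW_TRACE, DROP_TRACE):
        print(verdict(*parse_packet_tracer(trace)))
```

Feed it the raw output of `packet-tracer input outside tcp <src> <sport> <public ip> <port> detailed` for each published port; a flow that ends in "Action: allow" with the expected un-translate and egress interface, as the thread's trace does, means the ASA policy is not the problem and the next place to look is the host itself.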

Joe B Danford Thu, 01/07/2010 - 13:05

When I try to go to https://66.xxx.xxx.235 it works. I get an "Under Construction" message. http just times out. So it seems it works with https and not http. I would check the server. I changed the public IP to protect it from being exposed.
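Joe's test from the outside is the check that settles it: the https port answers, the http port times out, and both are served by statics to the same inside host, so the translation and the return route are evidently working and the difference lies on the server. As an added example, not part of the thread, the following Python probe automates that external check and classifies each published port by how the connect attempt behaves. The target address and ports are assumptions (the placeholder is the thread's masked public address); run it from a host on the Internet side of the ASA, since from inside the static is not exercised.

```python
"""Probe published ports from outside the firewall and classify the outcome.
Added example, not part of the thread.  The target list is an assumption;
replace it with the public address and ports you are testing, and run it
from a host on the Internet side of the ASA."""
import socket
import sys

# What each outcome normally means for a static PAT on the ASA.  "timeout" is
# the case the thread hit: read it together with `show access-list` hit counts
# (step 1 above), because a timeout looks the same whether the packet never got
# past the ACL or the inside host got it and never answered.
INTERPRETATION = {
    "open":        "NAT, ACL, route to the host and the listener all work",
    "refused":     "the inside host answered with a RST through the translation: "
                   "the path works, nothing is listening on that port",
    "timeout":     "no reply at all: check ACL hit counts, the host's default "
                   "route, and a host firewall that silently drops",
    "unreachable": "the probing host could not even route to the address: "
                   "a problem on the probing side, not the ASA",
}

def probe(host, port, timeout=5.0):
    """One TCP connect attempt; returns 'open', 'refused', 'timeout' or 'unreachable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:               # no route, name lookup failure, etc.
            return "unreachable"

def probe_services(host, ports, timeout=5.0):
    """Probe each port and return {port: outcome}."""
    return {port: probe(host, port, timeout) for port in ports}

def report(host, results):
    """One line per port with the outcome and its interpretation."""
    return [f"{host}:{port} {outcome}: {INTERPRETATION[outcome]}"
            for port, outcome in results.items()]

def local_listener():
    """Listening socket on an ephemeral loopback port, used for self-testing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Assumed target: the thread's masked public address, ports 80 and 443.
    target = sys.argv[1] if len(sys.argv) > 1 else "66.xxx.xxx.235"
    for line in report(target, probe_services(target, [80, 443])):
        print(line)
```

On the thread's symptom this would print "open" for 443 and "timeout" for 80. Because the ACL shows hits for the new entries and the same host answers on 443, the missing reply on 80 points at the host (no listener on 80, or a host firewall dropping rather than resetting) rather than at the ASA; a "refused" on 80 would have said the same thing more loudly.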

vpi_is Thu, 01/07/2010 - 13:09

Strange.  OK, thanks for your help.   I guess maybe it's not the ASA causing my problems.
