Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

How to allow access to OWA through ASA 5510

Hi all,

I have managed to get smtp access (

I have mail routing in through port 25, how can I configure OWA access through https?

We are using a 2013 Exchange server and I wish for users to connect to the server without having to turn on the VPN. Appreciate all the help I can get.



Everyone's tags (2)
Super Bronze

How to allow access to OWA through ASA 5510


Did you have an extra public IP address for this or did you need to use your interface IP address? I guess it was the interface IP address?

The other discussion seemed to use Manual NAT configuration format to achieve the Static PAT (Port Forward) configuration. I would personally use Auto NAT

The problem with TCP/443 port forwarding and using the "interface" IP address is that your ASDM and SSL VPN also uses that port. Creating the Static PAT using the interface IP address would then probably cause problems. There is option to change both the ASDM and SSL VPN port on the ASA but this naturally causes some inconvinience since it doesnt use the default port anymore.

The usual configuration format for Static PAT would be

object network OWA-HTTPS


nat (inside,outside) static interface service tcp 443 443

Hope this helps

- Jouni

New Member

How to allow access to OWA through ASA 5510

Hi Jouni,

Thanks for the fast reply, I don't have an extra IP address at this stage, I would prefer to use the interface IP address (provided by the ISP) for the time being until we can get another IP. I will def look at changing over to Auto NAT for a better solution to the other discussion.

I assumed that I would have to change the default ASDM and SSL VPN port on the ASA, how can this be achieved in ASDM?

Also what port is best practice to change this to if I do go down that path??

Thanks again for your help


Super Bronze

Re: How to allow access to OWA through ASA 5510


I am not sure how you currently manage your firewall. Do you perhaps do it from the public network also or only from the LAN? If you are doing it remotely then I would suggest that you first confirm that you have SSH connectivity to the ASA incase there is any problems when doing these changes so that you dont cut yourself off from any type of management connection.

The ASDM port used can be set in the command you already have active on the ASA.

http server enable

You probably only have "http server enable" at the moment. You can simply specify the used port after the command to change the port.

You can use the following command to view on what ports the ASA is listening on.

show asp table socket

I have not changed the ASDM port from ASDM itself. I would imagine that you might be able to change it through there but I would also guess that the connection to the ASA will be cut after that and you will have to form the new connection with using the IP address and port in the field when logging on with the ASDM

For example enter to the ASDM log in window

Where the 4443 would be the new port to which you connect instead of the default 443

I am not really sure if there is a good practise for choosing the port. I guess it would be avoiding the most typical ones. On the other hand its about convinience since you now have to mention the port when connection to the device either with ASDM or SSL VPN.

You can find the section to change the ASDM port from Configuration -> Device Management -> Management Access -> ASDM/HTTPS/Telnet/SSH and the view that opens will have the section for the port used.

I think regarding the SSL VPN Client/Clientless the port can be changed from

Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Connection Profiles -> Port Settings -button


Configuration -> Remote Access VPN -> Clientless SSL VPN Access  -> Connection Profiles -> Port Settings -button

Hope this helps

- Jouni

CreatePlease to create content