Community Member

PIX 501 and OWA Config

We have a PIX501 in front of our Exchange Server running OWA. The site is a home office with one static IP address on the outside interface.

We can RDP through the firewall to the server, and we can telnet to port 25 on the server.

However, if we try to browse from an Internet-connected PC to OWA on the server, we get "page not found". Apparently we are missing a piece of the config required to make this work. Everything else works fine except for inbound port 80. (OWA works on the local area network (inside interface) so we think the Exchange piece is correct.)

The config follows. Thanks in advance for any help or suggestions!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface 3389 3389 netmask 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0
static (inside,outside) tcp interface smtp smtp netmask 0 0
access-group outside_access_in in interface outside
route outside XXX.XXX.XXX.XXX 1
route inside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80


Re: PIX 501 and OWA Config

Have you tried disabling the http server on the 501?


Re: PIX 501 and OWA Config

Questions -

1. Can you actually telnet from a remote PC to port 443 using the public-facing internet IP address (your PIX outside interface IP)?

2. On your OWA server, is it set to listen on port 443 or is it still listening on port 80?

3. Are you using SSL certificates and, if yes, has this been set up correctly?

4. When you initiate a connection from a remote PC, are you using an IP address or a domain name, i.e. https:///exchange OR https:///exchange?

Your configuration on the PIX looks OK to me; I suspect that this is more of an issue with the OWA server setup rather than the PIX.

Let me know.


Community Member

Re: PIX 501 and OWA Config

Currently, SSL is not configured on the server so the answer is NO to your first 3 questions. For question 4, we have tried both but only on port 80.

OWA works fine on the inside LAN using port 80. That is the mystery to me - it works fine except when going through the firewall, but the firewall seems to be configured properly.

I believe that a certificate is being installed today so perhaps we'll be able to test 443 and see if that works.



Re: PIX 501 and OWA Config

You've just answered my question - in your access-list you're specifying TCP port 443; as you're not using SSL, you need to modify the ACL and static so that they read:

access-list outside_access_in permit tcp any interface outside eq 80

static (inside,outside) tcp interface 80 80 netmask 0 0

Issue: wr m and clear xlate.

If you are now going to install an SSL cert then keep the config as is and make sure that your OWA server is listening on TCP port 443.

Please rate posts if it helps!!!


Community Member

Re: PIX 501 and OWA Config

Are you saying that I cannot have port 80 and port 443 both opened and static-mapped to the server on

In the config that I posted, I have the access-list list allowing port 80 and port 443. I also have statics translating them to the address.

I have done the clear xlate many times with no change.

Thanks for your thoughts and suggestions! I really appreciate it.


Re: PIX 501 and OWA Config

Well, there is your problem. On the firewall you have port 443 (https) open, not 80 (http). So any connection attempt for port 443 will not work because the server isn't set up for SSL. And any connection to port 80 will not work because it is not open on the firewall.



Please rate if this helps!

Community Member

Re: PIX 501 and OWA Config

Thanks for your comments.

In my original post, the configuration includes both access-list and static commands that allow ports 80 and 443 to enter through the outside interface, and then get translated to the server at

Are you saying that those configuration lines are incorrect? Are they mutually exclusive?

To my understanding both ports are open on the firewall. If you don't mind, what am I not understanding?



Re: PIX 501 and OWA Config

I apologize. I misread the config file. The ACL and statics look fine.

I see you only have 1 external IP. Are there any other servers on the inside running web sites? Do a sh conn to see if any other devices have a connection on those ports.

Try looking at debugs to see if there are any errors.
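
The disagreement above over whether port 80 was actually open can be settled mechanically by pairing each ACL permit with its static port redirect. The following is an added example, not part of any poster's reply; the address 192.0.2.10 and the 255.255.255.255 netmask are constructed placeholders for values the posted config elides, and `audit_inbound` is a hypothetical helper name.

```python
import re

# PIX 6.3 port keywords that appear in the posted config
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

# Constructed sample modelled on the posted config. 192.0.2.10 is a placeholder
# for the inside server address, which the page elides.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
static (inside,outside) tcp interface 3389 192.0.2.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.0.2.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.0.2.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.0.2.10 smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any interface outside eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def port_number(token):
    """Resolve a PIX port keyword or a numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def audit_inbound(config):
    """Return {port: status} for every outside port the ACL or statics mention."""
    permitted, forwarded, bound_acl = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := ACL_RE.match(line):
            permitted.setdefault(m.group(1), set()).add(port_number(m.group(2)))
        elif m := STATIC_RE.match(line):
            forwarded[port_number(m.group(1))] = (m.group(2), port_number(m.group(3)))
        elif m := GROUP_RE.match(line):
            bound_acl = m.group(1)
    allowed = permitted.get(bound_acl, set())  # only the bound ACL filters traffic
    report = {}
    for port in sorted(allowed | set(forwarded)):
        if port in allowed and port in forwarded:
            report[port] = "open -> %s:%d" % forwarded[port]
        elif port in allowed:
            report[port] = "permitted but no static (nothing to forward to)"
        else:
            report[port] = "static present but not permitted by bound ACL"
    return report
```

A port reported as open here only means the firewall permits and forwards it; whether the server answers on that port still has to be checked on the server itself.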



Community Member

Re: PIX 501 and OWA Config


I have a site running OMA and OWA through a PIX 501. I have compared your config to that one and they match.

I would take out the fixup protocol http from your config and see if that improves the situation.

If you still cannot connect externally this points to the Exchange setup. The authentication settings for the site can be a problem; internally it may well authenticate you on cached credentials, but when coming in externally this will not happen.

When you have your SSL cert, change to port 443 and set the authentication on the Exchange server to Integrated Windows Auth and Basic Auth. That should work then.


Community Member

Re: PIX 501 and OWA Config

Once the server administrator got the certificate installed, it all started working.

I'm not sure why it wouldn't work over port 80, but I suspect the OS or Exchange had issues with it.

FYI, removing the fixup protocol http 80 did not change anything. I tried it both ways on your suggestion.

Thanks to everyone for your thoughts and comments!
