Publishing Exchange 2003 OWA on Internet

srsiddiqui2007
Level 1

Hey,

I am publishing my Exchange Server 2003 on the internet. My network design is like this:

Internet -> Cisco ASA (Public IP) -> Exchange 2003 (Front-End Server) -> ISA 2000  -> Exchange 2003 (Back-End Server)

Both Exchange servers are working fine locally, but when I try to access my IIS on Exchange 2003 (Front-End Server) it gives me THE PAGE CANNOT BE DISPLAYED.

I have configured these commands on the ASA:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 180.92.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
 nameif inside1
 security-level 95
 ip address 10.10.3.50 255.255.0.0

access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq 443

access-group 201 in interface outside

global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0

static (inside,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.3.32 https netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 180.92.xxx.xxx

I have tried to access an HTML page and Exchange OWA as well, but it's not working:

http://180.92.xxx.xxx
http://180.92.xxx.xxx/exchange

Both are not accessible.

Can anyone tell me what is wrong in my config and why I am unable to access the simple IIS start page?

Accepted Solution

The default gateway should be the ASA, otherwise it will cause asymmetric routing, which is not supported. Get the captures and I will look at them.

Mike


28 Replies

srsiddiqui2007
Level 1

......

mvsheik123
Level 7

Try changing your static commands from inside to inside1.

Thx

MS
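The mix-up this reply points at (a static whose real host sits behind inside1 but is declared on inside) is easy to catch before applying the config. Added example, not from the thread or from Cisco: a small Python check that reads the nameif/ip address lines and every tcp static from a config in the poster's shape and flags a static whose real IP is not on the subnet of the real-side interface it names. The config text is constructed from the poster's, with the public IP replaced by a documentation-range placeholder.

```python
import ipaddress
import re

# Constructed from the poster's config; public IP replaced by a documentation-range placeholder.
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.2 255.255.255.0
interface Ethernet0/2
 nameif inside1
 ip address 10.10.3.50 255.255.0.0
static (inside,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
static (inside1,outside) tcp interface https 10.10.3.32 https netmask 255.255.255.255
"""

# static (real_if,mapped_if) tcp <mapped_ip|interface> <mport> <real_ip> <rport> netmask ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) tcp \S+ \S+ "
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+) \S+ netmask")

def parse_interfaces(config):
    """Map each nameif to the directly connected subnet from its 'ip address' line."""
    subnets, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ip, mask = line.split()[2:4]
            subnets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return subnets

def check_statics(config):
    """Return (static line, problem) for every static whose real host is not on the
    subnet of the real-side interface it names (the inside vs. inside1 mix-up)."""
    subnets, findings = parse_interfaces(config), []
    for m in filter(None, map(STATIC_RE.match, map(str.strip, config.splitlines()))):
        real_if, real_ip = m["real_if"], ipaddress.ip_address(m["real_ip"])
        net = subnets.get(real_if)
        if net is None:
            findings.append((m.string, f"unknown interface {real_if}"))
        elif real_ip not in net:
            owner = next((n for n, s in subnets.items() if real_ip in s), "no interface")
            findings.append((m.string, f"{real_ip} is not on {real_if} ({net}); it is on {owner}"))
    return findings
```

The check only covers hosts directly connected to the named interface; a real host reached through a further router behind that interface needs a route lookup instead.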

static (inside1,outside) tcp interface  www 10.10.3.32 www netmask 255.255.255.255
static (inside1,outside) tcp interface  https 10.10.3.32 https netmask 255.255.255.255

Did it, but still not able to access the website through the ASA.

Mmm, weird. Can you run a quick packet-tracer?

packet-tracer input outside tcp 4.2.2.2 1025 180.92.xxx.xxx 80

Paste the output here and we will rule out any possible config issue.

Mike

tabba-asa(config)# packet-tracer input outside tcp 4.2.2.2 1025 180.92.156.138$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
  match tcp inside1 host 10.10.3.32 eq 80 outside any
    static translation to 180.92.xxx.xxx/80
    translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside1
Untranslate 180.92.xxx.xxx/80 to 10.10.3.32/80 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 201 in interface outside
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
  match tcp inside1 host 10.10.3.32 eq 80 outside any
    static translation to 180.92.xxx.xxx/80
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
  match tcp inside1 host 10.10.3.32 eq 80 outside any
    static translation to 180.92.xxx.xxx/80
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44989, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.32 using egress ifc inside1
adjacency Active
next-hop mac address 001c.c067.f419 hits 0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside1
output-status: up
output-line-status: up
Action: allow

tabba-asa(config)# sh access-list

access-list 201 line 1 extended permit tcp any host 180.92.xxx.xxx eq www (hitcnt=6) 0x1b41318d

access-list 201 line 2 extended permit tcp any host 180.92.xxx.xxx eq https (hitcnt=0) 0x0a72fc63

tabba-asa(config)# sh conn

TCP outside 111.119.160.166:34523 inside1 10.10.3.32:80, idle 0:00:01, bytes 0, flags SaAB
TCP outside 111.119.160.166:34523 inside1 10.10.3.32:80, idle 0:00:01, bytes 0, flags SaAB
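Reading a packet-tracer run by eye means checking ten phases for the same three things: did every phase ALLOW, which real host did UN-NAT pick, and which interface did the packet leave on. Added example, not from the thread or from Cisco: a Python parser for this output format that splits a run into its Phase blocks and the final Result block and returns those answers, reporting the first phase that did not ALLOW when there is one. The sample trace is constructed, abbreviated to the shape of the run pasted above, with the public IP masked the same way.

```python
import re

# Constructed, abbreviated trace in the shape of the one pasted above (public IP masked as there).
TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
static (inside1,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
Untranslate 180.92.xxx.xxx/80 to 10.10.3.32/80 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Result: ALLOW
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www

Result:
input-interface: outside
output-interface: inside1
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer output into Phase blocks and the final Result block, each a dict of 'key: value' lines."""
    phases, final = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = {}
        for line in lines:
            key, sep, value = line.partition(":")
            if sep:  # lines without a colon (static ..., Untranslate ...) are config detail, skipped here
                fields.setdefault(key.strip(), value.strip())
        if lines[0].startswith("Phase:"):
            phases.append(fields)
        else:
            final = fields
    return phases, final

def summarize(text):
    """Was the packet allowed, which interface did it leave on, which real host did UN-NAT pick, where was it dropped."""
    phases, final = parse_trace(text)
    drop = next((p for p in phases if p.get("Result") != "ALLOW"), None)
    m = re.search(r"Untranslate \S+ to (\S+)", text)
    return {
        "action": final.get("Action"),
        "input_if": final.get("input-interface"),
        "output_if": final.get("output-interface"),
        "real_dst": m.group(1) if m else None,
        "dropped_in": f"{drop['Type']} (phase {drop['Phase']})" if drop else None,
    }
```

For the run above the summary is allow / outside to inside1 / real destination 10.10.3.32/80 with nothing dropped, which is exactly why the next reply moves from the ASA config to captures.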

Everything points to it working properly. Please take captures as detailed below:

https://supportforums.cisco.com/docs/DOC-1222

Mike

Mike, can you please guide me on where I have to access this page?

https://ip_of_firewall/capture/in-cap/pcap
https://ip_of_firewall/capture/out-cap/pcap

Ran the following commands, and the output files are attached:

tabba-asa(config)# access-list cap-list permit tcp host 10.10.3.32 host 180.92.xxx.xxx eq 80

tabba-asa(config)# access-list cap-list permit tcp host 180.92.xxx.xxx eq 80 host 10.10.3.32

tabba-asa(config)# capture in-cap interface inside1 access-list cap-list buffer 1000000 packet 1522

tabba-asa(config)# capture out-cap interface outside access-list cap-list buffer 1000000 packet 1522

tabba-asa(config)# capture in-cap interface inside1 match tcp host 10.10.3.32 host 180.92.xxx.xxx eq 80

ERROR: A match and an access-list can not be configured on the same caputre.

tabba-asa(config)# no cap

tabba-asa(config)# no capture in

tabba-asa(config)# no capture in-cap

tabba-asa(config)# no capture out-cap

tabba-asa(config)#

Captures appear to be broken and I cannot open them... Warning: once you post the captures, we will be able to see the IP addresses.

Try something on your side: put Wireshark on the server, start it and put a filter using the IP address from where you are trying to connect, like this:

ip.addr eq x.x.x.x

Where x.x.x.x is the IP from where you are trying to connect.

Mike

I stopped the capture service after saving the capture files... Do I need to give it some more time to capture the data, or can I stop the capture service as soon as I get the captures?

OK, I will filter out the IP in Wireshark.

The procedure is that you set the captures, then you open the web browser (from an outside machine), try to access, wait for it to time out and then download the captures.

The best approach now, in order to avoid information disclosure, is for you to put Wireshark on the server, put the filter, send some packets and check if they reach the server.

Mike

Means after saving the captures I need to open the file in Wireshark, and then open the captures and filter out the IP?

Sorry to bother you, as I am a newbie with packet analyzers.

Don't worry, we all were at some point.

That is something that I want to avoid. Go to the server that is hosting OWA, then start Wireshark there (Capture, select interfaces and then select the NIC that has 10.10.3.32). Once the capture starts, in the filter put the following value:

ip.addr eq x.x.x.x

Select apply

x.x.x.x is the IP you are coming from. Once you start sending packets you should see the packets getting to the server.

That would give you more info.

Let me know.

Mike