11-02-2011 12:41 AM - edited 03-11-2019 02:45 PM
Hey,
I am publishing my Exchange Server 2003 on the internet. My network design is like this:
Internet -> Cisco ASA (Public IP) -> Exchange 2003 (Front-End Server) -> ISA 2000 -> Exchange 2003 (Back-End Server)
Both Exchange servers are working fine locally, but when I try to access my IIS on Exchange 2003 (Front-End Server) it gives me THE PAGE CANNOT BE DISPLAYED.
I have configured these commands on the ASA:
interface Ethernet0/0
nameif outside
security-level 0
ip address 180.92.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
nameif inside1
security-level 95
ip address 10.10.3.50 255.255.0.0
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq 443
access-group 201 in interface outside
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.0.0
static (inside,outside) tcp interface www 10.10.3.32 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.3.32 https netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 180.92.xxx.xxx
I have tried to access an HTML page and Exchange OWA as well, but it's not working:
http://180.92.xxx.xxx http://180.92.xxx.xxx/exchange
Both are not accessible.
Can anyone tell me what is wrong in my config and why I am unable to access the simple IIS startup page?
11-03-2011 12:05 AM
Thanks, Mike, for the help. I got the required PCAP files and I am attaching them here for you.
You can check them out.
My two different IPs are 111.119.xxx.xxx and 203.81.xxx.xxx
11-03-2011 12:17 AM
Thanks for the captures.
I can see the packet gets to the server all right, so the firewall configuration is OK. Now, I see that the response from the server towards the client on the outside is being sent to another device, not towards the ASA as it should.
If you let me, I can detail which MAC address the packets are being sent to and the brand of the device.
Let me know.
Mike
11-03-2011 12:20 AM
OK, I am waiting for your reply....
11-03-2011 12:28 AM
Alright,
MAC address 0022.64bc.55e4. It's an HP device. If you have a Cisco switch there, you can go ahead and do a show mac-address table address 0022.64bc.55e4 and see which switchport it is connected to.
Another thing (in case of a Windows box): you can do arp -a on the command reference and check what the IP address of that device is.
It's 2 AM where I am located, so let me know if this is useful. I would sleep tight if you tell me that you found out what that device is.
Mike
11-03-2011 12:34 AM
Yes, I have Cisco switches... I got the port, but I am confused about which switch?
Switch-4FA-3#sh mac-address-table address 0022.64bc.55e4
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0022.64bc.55e4 DYNAMIC Gi0/26
Total Mac Addresses for this criterion: 1
11-03-2011 12:40 AM
What is connected on port gi0/26 ?
Mike
11-03-2011 12:46 AM
I ran this command on my core switch, which is connected with all my 2950s through fiber channel.
gi0/26 is a stacking port (where I ran the command).
11-03-2011 12:51 AM
So it means that this port leads to another switch, am I right? If it does, do the same show mac-address table address 0022.64bc.55e4 and check where that port is coming from, and if it leads to another switch keep tracking it until you find where this MAC address is really located.
Note: in some switches you will need to do show mac address-table address.
Let me know if you find the host.
Mike
11-03-2011 01:12 AM
Were you able to find anything?
Mike
11-03-2011 01:25 AM
At last I got some success in tracing the MAC address.
It's my Domain Controller / DNS Server.
11-03-2011 01:29 AM
Mmmm,
So the MAC address 0022.64bc.55e4 belongs to the domain controller. Is that server also running any kind of proxy function? Or do you see any reason why the OWA server would send the reply to it instead of sending it to the ASA firewall?
Mike
11-03-2011 01:39 AM
I have added the default gateway on destination IP 10.10.3.x.
Just removed it and am running the packet tracer again.
11-03-2011 01:44 AM
The default gateway should be the ASA, otherwise it will cause asymmetric routing, which is not supported. Get the captures and I will look at them.
Mike
11-03-2011 03:33 AM
Thanks, Mike, for all your help and support. I changed my default gateway to ASA Inside and it worked.
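
The check Mike performed on the captures, as an added example that is not part of the original thread: it flags replies from the published server to off-subnet clients whose next-hop MAC is not the ASA, accepting MACs in Cisco, Windows (arp -a) or colon notation. The frame records, the client addresses and the ASA MAC below are constructed; only 10.10.3.32, the 10.10.0.0/16 subnet and 0022.64bc.55e4 come from the thread.

```python
import ipaddress
from collections import Counter


def normalize_mac(mac):
    """Reduce Cisco (0022.64bc.55e4), Windows (00-22-64-BC-55-E4) and
    colon-separated notations to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def misrouted_replies(frames, server_ip, server_net, gateway_mac):
    """Count, per next-hop MAC, the frames the server sent to off-subnet
    clients through something other than the expected gateway."""
    net = ipaddress.ip_network(server_net)
    server = ipaddress.ip_address(server_ip)
    gateway = normalize_mac(gateway_mac)
    wrong_hops = Counter()
    for src_ip, dst_ip, dst_mac in frames:
        if ipaddress.ip_address(src_ip) != server:
            continue  # only the server's own replies matter
        if ipaddress.ip_address(dst_ip) in net:
            continue  # on-link traffic is delivered directly, no gateway used
        hop = normalize_mac(dst_mac)
        if hop != gateway:
            wrong_hops[hop] += 1
    return dict(wrong_hops)


# Constructed placeholder for the MAC of the ASA interface on the server's subnet.
ASA_MAC = "0000.5e00.5301"

# Constructed (src_ip, dst_ip, dst_mac) records, as read from a capture taken
# on the server side. Client addresses are documentation ranges.
FRAMES = [
    ("203.0.113.10", "10.10.3.32", "0000.5e00.5399"),     # inbound request
    ("10.10.3.32", "203.0.113.10", "00-22-64-BC-55-E4"),  # reply via the DC
    ("10.10.3.32", "203.0.113.10", "0022.64bc.55e4"),     # retransmission
    ("10.10.3.32", "10.10.3.50", "0000.5e00.5301"),       # on-link, ignored
    ("10.10.3.32", "198.51.100.7", "00:00:5e:00:53:01"),  # reply via the ASA
]

if __name__ == "__main__":
    for mac, count in misrouted_replies(
            FRAMES, "10.10.3.32", "10.10.0.0/16", ASA_MAC).items():
        print(f"{count} reply frame(s) sent to {mac} instead of the ASA")
```

Any MAC this reports can then be traced switch by switch with the show mac address-table lookup used in the thread.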