
Publishing Exchange 2003 OWA on Internet

srsiddiqui2007
Level 1

Hey,

I am publishing my Exchange Server 2003 on the internet. My network design is like this:

Internet -> Cisco ASA (Public IP) -> Exchange 2003 (Front-End Server) -> ISA 2000  -> Exchange 2003 (Back-End Server)

Both Exchange servers are working fine locally, but when I try to access my IIS on Exchange 2003 (Front-End Server) it gives me THE PAGE CANNOT BE DISPLAYED.

I have configured these commands on the ASA:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 180.92.xxx.xxx 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
 nameif inside1
 security-level 95
 ip address 10.10.3.50 255.255.0.0

access-list 201 extended permit tcp any host 180.92.xxx.xxx eq www
access-list 201 extended permit tcp any host 180.92.xxx.xxx eq 443

access-group 201 in interface outside

global (outside) 1 interface

nat (inside) 1 10.10.0.0 255.255.0.0

static (inside,outside) tcp interface  www 10.10.3.32 www netmask 255.255.255.255
static (inside,outside) tcp interface  https 10.10.3.32 https netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 180.92.xxx.xxx

I have tried to access an HTML page and Exchange OWA as well, but it's not working:

http://180.92.xxx.xxx http://180.92.xxx.xxx/exchange

Both are not accessible.

Can anyone tell me what is wrong in my config and why I am unable to access the simple IIS startup page?


Thanks, Mike, for the help. I got the required PCAP files and I am attaching them here for you.

You can check them out.

My two different IPs are 111.119.xxx.xxx and 203.81.xxx.xxx

Thanks for the captures.

I can see the packet gets to the server all right, so the firewall configuration is OK. Now, I see that the response from the server towards the client on the outside is being sent to another device, not towards the ASA as it should be.

If you let me, I can detail which MAC address the packets are being sent to and the brand of the device.

Let me know.

Mike

OK, I am waiting for your reply....

Alright,

Mac-address 0022.64bc.55e4. It's an HP device. If you have a Cisco switch there, you can go ahead and do a show mac-address table address 0022.64bc.55e4 and see which switchport that is connected to.

Another thing (in case of a Windows box): you can do arp -a on the command reference and check what the IP address of that device is.

It's 2 AM where I am located, so let me know if this is useful. I would sleep tight if you tell me that you found out what that device is.

Mike

Yes, I have Cisco switches... I got the port, but I am confused about which switch?

Switch-4FA-3#sh mac-address-table address 0022.64bc.55e4
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0022.64bc.55e4    DYNAMIC     Gi0/26
Total Mac Addresses for this criterion: 1

What is connected on port gi0/26?

Mike

I ran this command on my core switch, which is connected with all my 2950 through fiber channel.

gi0/26 is a stacking port (where I ran the command).

So it means that this port leads to another switch, am I right? If it does, do the same show mac-address table address 0022.64bc.55e4 and check where that port is coming from, and if it leads to another switch, keep tracking it until you find where this mac-address is really located.

Note: in some switches you will need to do show mac address-table address.

Let me know if you find the host.

Mike

Were you able to find anything?

Mike

At last I got some success in tracing the MAC address.

It's my Domain Controller / DNS Server.

Mmmm,

So the mac-address 0022.64bc.55e4 belongs to the domain controller.  Is that server also running any kind of proxy function? Or do you see any reason why the OWA server would send the reply to him instead of sending it to the ASA firewall?

Mike

I have added the default gateway on destination IP 10.10.3.x.

I just removed it and am running the packet tracer again.

The default gateway should be the ASA, otherwise it will cause asymmetric routing, which is not supported. Get the captures and I will look at them.

Mike

Thanks, Mike, for all your help and support. I changed my default gateway to the ASA Inside and it worked.
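
The capture check that located the problem in this thread can be scripted. The following is an added example, not part of the original thread: it parses Ethernet II/IPv4 headers from a capture taken at the server and lists replies to off-subnet clients whose destination MAC is not the gateway's. The server address 10.10.3.32, the 255.255.0.0 mask and the MAC 0022.64bc.55e4 come from the thread; the ASA and server MAC addresses, the client addresses and the on-subnet host address are constructed.

```python
import ipaddress
import struct

def mac_str(raw):
    """Format 6 raw bytes in Cisco dotted notation, e.g. 0022.64bc.55e4."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def parse_frame(frame):
    """Return (dst_mac, src_ip, dst_ip) for an untagged Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:  # not IPv4 (ARP, VLAN-tagged, IPv6, ...)
        return None
    # IPv4 source and destination sit at offsets 12 and 16 of the IP header
    return (mac_str(dst), ipaddress.ip_address(frame[26:30]),
            ipaddress.ip_address(frame[30:34]))

def misrouted_replies(frames, server_ip, local_net, gateway_mac):
    """List (client_ip, next_hop_mac) for off-subnet replies not sent to the gateway."""
    server = ipaddress.ip_address(server_ip)
    net = ipaddress.ip_network(local_net)
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, src_ip, dst_ip = parsed
        if src_ip == server and dst_ip not in net and dst_mac != gateway_mac:
            hits.append((str(dst_ip), dst_mac))
    return hits

def build(dst_mac, src_mac, src_ip, dst_ip):
    """Build a constructed 34-byte Ethernet II + IPv4 header (no payload)."""
    macs = bytes.fromhex((dst_mac + src_mac).replace(".", ""))
    ip = (b"\x45\x00\x00\x14" + b"\x00" * 4 + b"\x40\x06\x00\x00"
          + ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed)
    return macs + b"\x08\x00" + ip

ASA, OWA, DC = "0000.5e00.5301", "0000.5e00.5302", "0022.64bc.55e4"  # ASA/OWA MACs constructed
CLIENT, SERVER = "203.0.113.10", "10.10.3.32"  # client address constructed
SAMPLE = [  # constructed capture taken at the OWA server
    build(OWA, ASA, CLIENT, SERVER),          # inbound request arrives via the ASA
    build(DC, OWA, SERVER, CLIENT),           # reply handed to the wrong next hop
    build(DC, OWA, SERVER, "10.10.3.10"),     # on-subnet traffic, ignored
    build(ASA, OWA, SERVER, "203.0.113.20"),  # reply correctly sent to the ASA
]

if __name__ == "__main__":
    print(misrouted_replies(SAMPLE, SERVER, "10.10.0.0/16", ASA))
```

Any entry in the result means the server's default gateway or a static route points at a device other than the firewall that forwarded the request.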
