Upgraded from Borderware to Cisco, Having Minor Issues

darrenpenney
Level 1

Hello,

I have recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform.  Needless to say, the interface on the Cisco platform is much more complex, and I don't have much experience with firewalls (so please take it easy on me).

For the most part, I have everything working regarding access rules, I just have two issues, one is minor and one major.

Issue #1 (minor): When the Cisco firewall is in place, I cannot ping google.ca.  I am connected to the Internet and I can access google, I just can't ping it.  Like I said, it is not a serious issue, but I use a continuous ping to google.ca to ensure that the network is up and running since we use a sat. link to connect to our internet source.

Issue #2 (major):  We use GroupWise as our mail client and the web access portion of GroupWise cannot be accessed from outside of our network.  I have set up the access rule the same as it was set up in Borderware, but it is just not working.  Is there another setting that needs to be enabled/disabled aside from the access rule in order for this to work?

Thanks in advance for any assistance.

Accepted Solution

No worries, glad I can help, hopefully we can get things going for you.

What security levels are assigned to your internal and external interfaces?  0 for external and 100 for internal?

Just to confirm, the Webmail address is the same as the IP address assigned to the external interface of the ASA.  If that's the case, then the NAT and ACL statements will need to revert back.

- a NAT static rule with the original Interface set to Internal, the source is webmail's server real IP address (internal IP).  The translated interface is set to external and it is set to use Interface IP Address.  PAT is enabled, the protocol is set to TCP.  The original port should be set to 443 and the translated port is set to 82.

-access rule for the external interface with the source set to any, the destination set to the external interface, service set to tcp/82

With the settings above, what do you see in the logs when an attempt is made from the outside to https://:82?

23 Replies

Allen P Chen
Level 5

Hello,

Issue #1 (minor): When the Cisco firewall is in place, I cannot ping google.ca.  I am connected to the Internet and I can access google, I just can't ping it.  Like I said, it is not a serious issue, but I use a continuous ping to google.ca to ensure that the network is up and running since we use a sat. link to connect to our internet source.

--by default, the ASA does not allow ICMP echo replies to come back through.  Are you only not able to ping google.ca, or can you not ping any address?  Does the issue resolve when you enable ICMP inspection with the command "fixup protocol icmp"?

Issue #2 (major):  We use GroupWise as our mail client and the web access portion of GroupWise cannot be accessed from outside of our network.  I have set up the access rule the same as it was set up in Borderware, but it is just not working.  Is there another setting that needs to be enabled/disabled aside from the access rule in order for this to work?

--Are external e-mails not reaching the GroupWise mail server?  Most likely you will need to configure some type of NAT statement for SMTP and HTTP, in addition to access-list.

What software version is the ASA running?  Behind which interface does the GroupWise mail server reside?

Thanks for the reply Allen,

Issue #1:  I didn't really try to ping any other sites since I kind of figured the platform was preventing pings for security reasons, but I will try once I put the Cisco platform back in place (currently switching between the Borderware and Cisco firewalls until I get the issue resolved).  As for the fixup protocol icmp command, do I just issue that from the computer I am using to ping?

Issue #2:  The GroupWise e-mail server is working fine, everyone receives e-mails both external and internal with both Cisco and Borderware firewalls.  It is just no one can access the webmail portion of GroupWise when they are out of the office.  When I put the BorderWare platform back in place, they can access webmail from outside of the office.  I have created the same access rule in the Cisco platform that is in the Borderware platform (I think ... difficult to tell since the interfaces are very different), but it only seems to work with BorderWare.

The ASA is running version 8.2, ASDM running 6.2.  The GroupWise E-mail is running on Windows Server 2003 while the Webmail client is running on Windows Server 2000.

Hello,

You will need to issue the command "fixup protocol icmp" on the command line interface of the ASA.  If you are accessing the ASA through ASDM (GUI interface), then the simplest way to enter the command would be under Tools>Command line interface.  You can then enter the command "fixup protocol icmp" and click Send.  This should get pings to work across the ASA.

When internal users try to access the webmail portion of groupwise, do they use the IP address of the windows 2000 server (Webmail client)?  Please let me know.  My guess is there is NAT and access-list currently configured for SMTP to the GroupWise e-mail server, but no NAT and/or no access-list configured for HTTP to the Webmail client...

Issue #1:  Thanks for the input, I will definitely give that a try and let you know how it turns out.

Issue #2:  When users connect to the GroupWise Webmail server from outside, they enter a secure web address followed by a port number to access their webmail.  They do not use the ip address of the server.

Hello,

Issue #2:  When users connect to the GroupWise Webmail server from outside, they enter a secure web address followed by a port number to access their webmail.  They do not use the ip address of the server.

--the secure web address is translated to an IP address via DNS.  From the outside, is the IP address the same as the outside interface of the ASA?  You can simply ping the web address, which should then return the IP address to find out.

--when webmail is accessed from the INSIDE, to which server (GroupWise E-mail running on Windows Server 2003 or the Webmail client running on Windows Server 2000) is the traffic going?  You mentioned that a port number is used to access Webmail, is the same port number used on the outside and inside?

Issue #1:  The command you posted worked.  I can now ping externally again.  Thank you for that.

Issue #2: From outside, if you ping our webmail address, it returns with the external interface IP address of the ASA.  From inside, the ping will time out, but that is really not new.  Webmail never worked from inside since there was no real need for it to work inside the company.

Issue #1:  The command you posted worked.  I can now ping externally again.  Thank you for that.

--no problem, glad I could help.

Issue #2: From outside, if you ping our webmail address, it returns with the external interface IP address of the ASA.  From inside, the ping will time out, but that is really not new.  Webmail never worked from inside since there was no real need for it to work inside the company.

--you should be able to access webmail within the company by using the IP address of the webmail server.  I am trying to find out which server is acting as the webmail server, is it the Windows 2003 server or the Windows 2000 server?  We also need to know if the same port that is used on the outside to access webmail is the same port that is used on the inside for webmail.

Once we have this information, we can then determine what type of NAT statements need to be configured on the ASA.

Thanks.

Yes, you are right, I can access the webmail server internally using the server IP address (forgot to use https:// since it is a secure site), but I do not need the port number when doing so.  Our webmail server is the Windows 2000 server.

Perfect, that's the info I was looking for.  One final question, you mentioned the following:

From the outside, they enter a secure web address followed by a port number to access their webmail.

So from the outside, do they need to specify a port?  For example, from the outside, do they use:

https://

or

https://:

It seems like internally port 443 is still used for https, since you don't need to enter a port number.  If a port number needs to be specified on the outside, then static PAT will need to be configured, which will redirect that specific port number on the outside to 443 on the inside.

Please let me know.

We do use port 443 internally and port 82 externally.  So if users wanted to connect externally, they would use;

https://:82

Thanks for the info.  So static PAT will need to be configured on the ASA.  I assume you have an outside and inside interface on the ASA, correct?  If so, please configure the NAT statement as follows:

static (inside,outside) tcp interface 82 443 netmask 255.255.255.255

You will also need to allow this traffic on the ACL assigned to the outside interface.  For example, if the ACL applied to the outside interface is OUTSIDE_IN, the ACL will need to be configured as follows:

access-list OUTSIDE_IN permit tcp any interface outside eq 82

The static statement will redirect traffic destined to the outside interface IP on port 82 to the Win2k server on port 443.  The ACL will allow the traffic to pass through the outside interface.

Please give that a try.
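As an added check (example code written for this thread, not Allen's or Cisco's own; the server address 192.0.2.10, the interface names and the sample config lines are constructed), the following Python parses an ASA 8.2-style `static` / `access-list` / `access-group` fragment and verifies the two things the reply above depends on: the static maps the outside interface's port 82 to the real server's port 443, and the ACL applied inbound on outside permits tcp/82 to `interface outside`. On 8.2 the outside ACL is matched against the translated (public) address, which is why a rule aimed at the server's own network object never matches. It also reports whether `inspect icmp`, the policy-map entry that `fixup protocol icmp` adds, is present.

```python
"""Consistency check for an ASA 8.2 static PAT (port forward) and its outside ACL.

Added example, not configuration from the thread. The server address
192.0.2.10, the interface names and the sample config lines are constructed.
"""
import re

# Service names the ASA may print instead of numbers (only those needed here).
PORT_NAMES = {"https": 443, "www": 80, "smtp": 25, "ssh": 22}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed: the working layout from the reply above (outside:82 -> server:443).
WORKING_CONFIG = """
static (inside,outside) tcp interface 82 192.0.2.10 443 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any interface outside eq 82
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# Constructed: a first attempt with the ports reversed and the ACL aimed at the
# server's real address instead of the outside interface.
BROKEN_CONFIG = """
static (inside,outside) tcp interface 443 192.0.2.10 82 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 range 82 443
access-group OUTSIDE_IN in interface outside
"""


def port(tok):
    """Turn an ASA port token ('443' or 'https') into an int."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_statics(cfg):
    """Yield one dict per 'static (real,mapped) tcp MAPPED MPORT REAL RPORT' line."""
    for line in cfg.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped_ip, mport, real_ip, rport, _ = m.groups()
            yield {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                   "mapped_ip": mapped_ip, "mapped_port": port(mport),
                   "real_ip": real_ip, "real_port": port(rport)}


def take_addr(tokens):
    """Consume one ACL address spec: any | host X | interface IFC | NET MASK."""
    if not tokens or tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] in ("host", "interface"):
        return (tokens[0], tokens[1]), tokens[2:]
    return ("subnet", (tokens[0], tokens[1])), tokens[2:]


def take_ports(tokens):
    """Consume an optional 'eq P' or 'range A B'; return (low, high, rest)."""
    if tokens and tokens[0] == "eq":
        return port(tokens[1]), port(tokens[1]), tokens[2:]
    if tokens and tokens[0] == "range":
        return port(tokens[1]), port(tokens[2]), tokens[3:]
    return 0, 65535, tokens


def parse_acls(cfg):
    """Return {acl_name: [entries]} with source, destination and ports decoded."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = take_addr(tokens)
        _, _, tokens = take_ports(tokens)      # source ports are not relevant here
        dst, tokens = take_addr(tokens)
        lo, hi, _ = take_ports(tokens)
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "ports": (lo, hi)})
    return acls


def inbound_acl(cfg, ifc):
    """Name of the ACL applied inbound on interface ifc, or None."""
    for line in cfg.splitlines():
        m = GROUP_RE.match(line.strip())
        if m and m.group(2) == ifc:
            return m.group(1)
    return None


def check_forward(cfg, mapped_ifc, mapped_port, real_ip, real_port):
    """Return findings (strings); an empty list means the forward is consistent."""
    findings = []
    statics = [s for s in parse_statics(cfg)
               if s["mapped_ifc"] == mapped_ifc and s["mapped_port"] == mapped_port]
    if not statics:
        findings.append(f"no static PAT maps {mapped_ifc}:{mapped_port}")
    for s in statics:
        if s["mapped_ip"] != "interface":
            findings.append(f"static uses {s['mapped_ip']}, not the {mapped_ifc} interface address")
        if (s["real_ip"], s["real_port"]) != (real_ip, real_port):
            findings.append(f"{mapped_ifc}:{mapped_port} lands on {s['real_ip']}:{s['real_port']}, "
                            f"expected {real_ip}:{real_port}")
    name = inbound_acl(cfg, mapped_ifc)
    if name is None:
        findings.append(f"no access-group applied inbound on {mapped_ifc}")
        return findings
    # On 8.2 the outside ACL is evaluated against the translated (public) address,
    # so the permit must name 'interface outside' (or any), not the server's real IP.
    permitted = any(e["action"] == "permit" and e["proto"] in ("tcp", "ip")
                    and e["dst"] in (("any", None), ("interface", mapped_ifc))
                    and e["ports"][0] <= mapped_port <= e["ports"][1]
                    for e in parse_acls(cfg).get(name, []))
    if not permitted:
        findings.append(f"ACL {name} has no permit for tcp/{mapped_port} to interface {mapped_ifc}")
    return findings


def icmp_inspected(cfg):
    """True if 'inspect icmp' is present, the policy-map line that 'fixup protocol icmp' adds."""
    return any(line.strip() == "inspect icmp" for line in cfg.splitlines())
```

Running `check_forward(WORKING_CONFIG, "outside", 82, "192.0.2.10", 443)` returns an empty list, while the same call on `BROKEN_CONFIG` returns two findings: no static maps outside:82 (the ports are reversed), and the ACL carries no permit to `interface outside`. Feeding it a `show running-config` excerpt from the box is the intended use; the parser only understands the single-port `static` and simple `access-list` forms shown in this thread.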

This is where it gets a little confusing for me.

I am currently using the Cisco ASDM 6.2, which is a GUI system.

I can tell you what I have done so far;

- I've created an IPv4 Network Object using the webmail's IP address and 255.255.255.255 subnet.

- I've created a NAT static rule with the original Interface set to Internal, the source is the Network Object I've created above.  The translated interface is set to external and it is set to use Interface IP Address.  PAT is enabled, the protocol is set to TCP.  The original port is set to 82 and the translated port is set to https.

- I've created an Access rule with the source set to any, the destination set to the network object I've created above and the service set to TCP 82-443.

With these settings, webmail does not work externally.

- I've created a NAT static rule with the original Interface set to Internal, the source is the Network Object I've created above.  The translated interface is set to external and it is set to use Interface IP Address.  PAT is enabled, the protocol is set to TCP.  The original port is set to 82 and the translated port is set to https.

--Try changing the original port to 443 and the translated port to 82


- I've created an Access rule with the source set to any, the destination set to the network object I've created above and the service set to TCP 82-443.

--Try changing the destination to the external interface, and the service should be tcp/82

Please let me know your findings.

No luck, still the same situation.  In the NAT rule, I've switched the original port to 443 (https) and the translated port to 82.  For the access rule, I've changed the service to tcp/82 and the destination to our External Network (which has a 255.255.255.248 netmask).  When that didn't work I switched the destination to our External Router (which has a 255.255.255.255 netmask).  That also did not work.  I could still access the webmail internally using the webmail server IP and https, but not externally using our webmail web address.

One question, when I ping the webmail web address, I get an ip address XXX.XXX.XXX.XX2, but our External router is set to XXX.XXX.XXX.XX1.  On the Borderware platform, the External Router was XXX.XXX.XXX.XX1, but it also has an External IP set to XXX.XXX.XXX.XX2.  Could this be causing our problem?
