Cisco Support Community
New Member

Upgraded from Borderware to Cisco, Having Minor Issues

Hello,

I have recently upgraded our firewall from a Borderware Steelgate v7.1 platform to a Cisco ASA 5520 platform.  Needless to say, the interface on the Cisco platform is much more complex, and I don't have much experience with firewalls (so please take it easy on me).

For the most part, I have everything working regarding access rules, I just have two issues, one is minor and one major.

Issue #1 (minor): When the Cisco firewall is in place, I cannot ping google.ca.  I am connected to the Internet and I can access google, I just can't ping it.  Like I said, it is not a serious issue, but I use a continuous ping to google.ca to ensure that the network is up and running since we use a sat. link to connect to our internet source.

Issue #2 (major):  We use GroupWise as our mail client, and the web access portion of GroupWise cannot be accessed from outside of our network.  I have set up the access rule the same as it was set up in Borderware, but it is just not working.  Is there another setting that needs to be enabled/disabled aside from the access rule in order for this to work?

Thanks in advance for any assistance.

23 REPLIES
Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Hello,

Issue #1 (minor): When the Cisco firewall is in place, I cannot ping google.ca.  I am connected to the Internet and I can access google, I just can't ping it.  Like I said, it is not a serious issue, but I use a continuous ping to google.ca to ensure that the network is up and running since we use a sat. link to connect to our internet source.

--by default, the ASA does not allow ICMP echo replies to come back through.  Are you only not able to ping google.ca, or can you not ping any address?  Does the issue resolve when you enable ICMP inspection with the command "fixup protocol icmp"?

Issue #2 (major):  We use GroupWise and our mail client and the web access portion of GroupWise cannot be accessed from outside of our network.  I have setup the access rule the same as it was setup in Borderware, but it is just not working.  Is there another setting that needs to be enabled/disabled aside from the access rule in order for this to work?

--Are external e-mails not reaching the GroupWise mail server?  Most likely you will need to configure some type of NAT statement for SMTP and HTTP, in addition to access-list.

What software version is the ASA running?  Behind which interface does the GroupWise mail server reside?

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Thanks for the reply Allan,

Issue #1:  I didn't really try to ping any other sites since I kind of figured the platform was preventing pings for security reasons, but I will try once I put the Cisco platform back in place (currently switching between the Borderware and Cisco firewalls until I get the issue resolved).  As for the fixup protocol icmp command, do I just issue that from the computer I am using to ping?

Issue #2:  The GroupWise e-mail server is working fine, everyone receives e-mails both external and internal with both Cisco and Borderware firewalls.  It is just no one can access the webmail portion of GroupWise when they are out of the office.  When I put the BorderWare platform back in place, they can access webmail from outside of the office.  I have created the same access rule in the Cisco platform that is in the Borderware platform (I think ... difficult to tell since the interfaces are very different), but it only seems to work with BorderWare.

The ASA is running version 8.2, ASDM running 6.2.  The GroupWise E-mail is running on Windows Server 2003 while the Webmail client is running on Windows Server 2000.

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Hello,

You will need to issue the command "fixup protocol icmp" on the command line interface of the ASA.  If you are accessing the ASA through ASDM (GUI interface), then the simplest way to enter the command would be under Tools>Command line interface.  You can then enter the command "fixup protocol icmp" and click Send.  This should get pings to work across the ASA.

When internal users try to access the webmail portion of GroupWise, do they use the IP address of the Windows 2000 server (Webmail client)?  Please let me know.  My guess is there is NAT and access-list currently configured for SMTP to the GroupWise e-mail server, but no NAT and/or no access-list configured for HTTP to the Webmail client...

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Issue #1:  Thanks for the input, I will definitely give that a try and let you know how it turns out.

Issue #2:  When users connect to the GroupWise Webmail server from outside, they enter a secure web address followed by a port number to access their webmail.  They do not use the IP address of the server.

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Hello,

Issue #2:  When users connect to the GroupWise Webmail server from outside, they enter a secure web address followed by a port number to access their webmail.  They do not use the ip address of the server.

--the secure web address is translated to an IP address via DNS.  From the outside, is the IP address the same as the outside interface of the ASA?  You can simply ping the web address, which should then return the IP address to find out.

--when webmail is accessed from the INSIDE, to which server (GroupWise E-mail running on Windows Server 2003 or the Webmail client running on Windows Server 2000) is the traffic going?  You mentioned that a port number is used to access Webmail, is the same port number used on the outside and inside?

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Issue #1:  The command you posted worked.  I can now ping externally again.  Thank you for that.

Issue #2: From outside, if you ping our webmail address, it returns with the external interface IP address of the ASA.  From inside, the ping will time out, but that is really not new.  Webmail never worked from inside since there was no real need for it to work inside the company.

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Issue #1:  The command you posted worked.  I can now ping externally again.  Thank you for that.

--no problem, glad I could help.

Issue #2: From outside, if you ping our webmail address, it returns with the external interface IP address of the ASA.  From inside, the ping will time out, but that is really not new.  Webmail never worked from inside since there was no real need for it to work inside the company.

--you should be able to access webmail within the company by using the IP address of the webmail server.  I am trying to find out which server is acting as the webmail server, is it the Windows 2003 server or the Windows 2000 server?  We also need to know if the same port that is used on the outside to access webmail is the same port that is used on the inside for webmail.

Once we have this information, we can then determine what type of  NAT statements need to be configured on the ASA.

Thanks.

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Yes, you are right, I can access the webmail server internally using the server IP address (forgot to use https:// since it is a secure site), but I do not need the port number when doing so.  Our webmail server is the Windows 2000 server.

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Perfect, that's the info I was looking for.  One final question, you mentioned the following:

From the outside, they enter a secure web address followed by a port number to access their webmail.

So from the outside, do they need to specify a port?  For example, from the outside, do they use:

https://

or

https://:

It seems like internally port 443 is still used for https, since you don't need to enter a port number.  If a port number needs to be specified on the outside, then static PAT will need to be configured, which will redirect that specific port number on the outside to 443 on the inside.

Please let me know.

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

We do use port 443 internally and port 82 externally.  So if users wanted to connect externally, they would use:

https://:82

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Thanks for the info.  So static PAT will need to be configured on the ASA.  I assume you have an outside and inside interface on the ASA, correct?  If so, please configure the NAT statement as follows:

static (inside,outside) tcp interface 82 443 netmask 255.255.255.255

You will also need to allow this traffic on the ACL assigned to the outside interface.  For example, if the ACL applied to the outside interface is OUTSIDE_IN, the ACL will need to be configured as follows:

access-list OUTSIDE_IN permit tcp any interface outside eq 82

The static statement will redirect traffic destined to the outside interface IP on port 82 to the Win2k server on port 443.  The ACL will allow the traffic to pass through the outside interface.

Please give that a try.

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

This is where it gets a little confusing for me.

I am currently using the Cisco ASDM 6.2, which is a GUI system.

I can tell you what I have done so far:

- I've created an IPv4 Network Object using the webmail's IP address and 255.255.255.255 subnet.

- I've created a NAT static rule with the original Interface set to Internal, the source is the Network Object I've created above.  The translated interface is set to external and it is set to use Interface IP Address.  PAT is enabled, the protocol is set to TCP.  The original port is set to 82 and the translated port is set to https.

- I've created an Access rule with the source set to any, the destination set to the network object I've created above and the service set to TCP 82-443.

With these settings, webmail does not work externally.

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

- I've created a NAT static rule with the original Interface set to Internal, the source is the Network Object I've created above.  The translated interface is set to external and it is set to use Interface IP Address.  PAT is enabled, the protocol is set to TCP.  The original port is set to 82 and the translated port is set to https.

--Try changing the original port to 443 and the translated port to 82

- I've created an Access rule with the source set to any, the destination set to the network object I've created above and the service set to TCP 82-443.

--Try changing the destination to the external interface, and the service should be tcp/82

Please let me know your findings.

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

No luck, still the same situation.  In the NAT rule, I've switched the original port to 443 (https) and the translated port to 82.  For the access rule, I've changed the service to tcp/82 and the destination to our External Network (which has a 255.255.255.248 netmask).  When that didn't work I switched the destination to our External Router (which has a 255.255.255.255 netmask).  That also did not work.  I could still access the webmail internally using the webmail server IP and https, but not externally using our webmail web address.

One question, when I ping the webmail web address, I get an IP address XXX.XXX.XXX.XX2, but our External router is set to XXX.XXX.XXX.XX1.  On the Borderware platform, the External Router was XXX.XXX.XXX.XX1, but it also has an External IP set to XXX.XXX.XXX.XX2.  Could this be causing our problem?

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

You mentioned this in a previous post:

Issue #2: From outside, if you ping our webmail address, it returns with the external interface IP address of the ASA.  From inside, the ping will time out, but that is really not new.  Webmail never worked from inside since there was no real need for it to work inside the company.

And now you mentioned this:

One question, when I ping the webmail web address, I get an ip address XXX.XXX.XXX.XX2, but our External router is set to XXX.XXX.XXX.XX1

So the IP address of the Webmail address from the outside is not exactly the same as the external interface on the ASA, correct?  If so, this is definitely causing the issue.  If this is the case, you will need to change your NAT and ACL statements.

Within the NAT rule in ASDM, instead of selecting "Use Interface IP Address", you will need to select "Use IP address" and type in XXX.XXX.XXX.XX2.

On the ACL, the destination will need to be changed to XXX.XXX.XXX.XX2 as well.

Therefore, under Tools>Command line interface on ASDM, if you type in "show run static" and send, you should see the following as one of the outputs:

static (internal,external) tcp XXX.XXX.XXX.XX2 82 443 netmask 255.255.255.255

And in the output of "show run access-list", you should see a line similar to:

access-list OUTSIDE_IN permit tcp any host XXX.XXX.XXX.XX2 eq 82

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

I'm sorry, I gave you some wrong information there.  I checked the device setup and the External port IP is set to XXX.XXX.XXX.XX2.  This is verified because when I try to set my NAT rule to use IP address XXX.XXX.XXX.XX2, it replies back with an error stating that that is the External IP.

The part that I am getting hung up on is that in the Network Objects there is an external router created that uses XXX.XXX.XXX.XX1 (Netmask 255.255.255.255) and the overall external network uses XXX.XXX.XXX.XX0 (Netmask 255.255.255.248).  So in the access rule, I am trying to figure out how to get the destination to point to XXX.XXX.XXX.XX2, or even if that is the problem.

Also, I was not the one who originally setup this firewall, which is why I am trying to figure out all of the settings.

By the way, thanks for your patience and help with all of this.

Cisco Employee (accepted solution)

Re: Upgraded from Borderware to Cisco, Having Minor Issues

No worries, glad I can help, hopefully we can get things going for you.

What security levels are assigned to your internal and external interfaces?  0 for external and 100 for internal?

Just to confirm, the Webmail address is the same as the IP address assigned to the external interface of the ASA.  If that's the case, then the NAT and ACL statements will need to revert back.

- a NAT static rule with the original Interface set to Internal, the source is webmail's server real IP address (internal IP).  The translated interface is set to external and it is set to use Interface IP Address.  PAT is enabled, the protocol is set to TCP.  The original port should be set to 443 and the translated port is set to 82.

-access rule for the external interface with the source set to any, the destination set to the external interface, service set to tcp/82

With the settings above, what do you see in the logs when an attempt is made from the outside to https://:82?

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Sorry I haven't posted recently, but I have been in training this week and out of the office for next week.  But my co-worker will be working on this issue and he can post the results you were looking for in this thread in order to get this running.  Thanks again.

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Hi Allen,

I am Darren's coworker who is going to work on this issue with you for now.  I have made the changes you suggested, and have enabled logging for that particular rule, as it was disabled for the external access rule.  Where will I be able to view the logging info?  Will test now.

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

It would be best to enable buffered logging at debugging level to troubleshoot:

logging enable

logging buffered 7

Since external users are attempting to access webmail on port 82, you can look through the logs with the command:

show log | inc 82

This will display all log messages that contain the keyword "82".
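As an added example (not from this thread or from Cisco), the script below triages pasted "show log" output for attempts to the published port the way a defender would: it matches the port field of each address rather than the bare string "82", which a plain "inc 82" also finds inside connection IDs, byte counts and unrelated addresses, and it groups the real hits by ASA message ID (302013 built, 106023 denied by ACL, 305005 no translation found). The sample log lines, addresses and connection IDs are constructed for the example.

```python
"""Triage ASA buffered-log output for attempts to a static-PAT port.

Added example: parses the address/port fields instead of grepping for "82",
then classifies each genuine hit by its ASA syslog message ID.
"""
import re
from collections import Counter

# Constructed sample of 'show log' output (addresses and IDs are made up).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4821 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.168.1.10/443 (198.51.100.2/82)
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40001 dst outside:198.51.100.2/82 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-3-305005: No translation group found for tcp src outside:203.0.113.9/40002 dst outside:198.51.100.2/82
%ASA-6-302013: Built outbound TCP connection 4822 for outside:198.51.100.82/443 (198.51.100.82/443) to inside:192.168.1.20/52000 (198.51.100.2/52000)
%ASA-6-302014: Teardown TCP connection 4820 for outside:203.0.113.5/51200 to inside:192.168.1.10/443 duration 0:00:12 bytes 8200 TCP FINs
"""

# An address/port token such as 198.51.100.2/82 (interface prefix optional).
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
MSG_ID = re.compile(r"%ASA-\d-(\d{6})")

# Message IDs that explain why a published service does or does not answer.
OUTCOMES = {
    "302013": "built",      # connection established through the static PAT
    "106023": "acl_deny",   # blocked by the ACL on the outside interface
    "305005": "no_xlate",   # no static/PAT matched, so nothing to forward to
}


def naive_grep(log_text, needle="82"):
    """Equivalent of 'show log | inc 82': substring match, false positives included."""
    return [ln for ln in log_text.splitlines() if needle in ln]


def hits_for_port(log_text, port=82):
    """Lines where the port field of some endpoint equals `port`."""
    return [ln for ln in log_text.splitlines()
            if any(int(p) == port for _, p in ENDPOINT.findall(ln))]


def triage(log_text, port=82):
    """Count outcomes for traffic to `port`, keyed by the OUTCOMES labels."""
    counts = Counter()
    for ln in hits_for_port(log_text, port):
        m = MSG_ID.search(ln)
        counts[OUTCOMES.get(m.group(1), "other") if m else "other"] += 1
    return counts


if __name__ == "__main__":
    print(len(naive_grep(SAMPLE_LOG)), "lines match a bare '82' grep")
    print(len(hits_for_port(SAMPLE_LOG)), "lines actually involve port 82")
    print(dict(triage(SAMPLE_LOG)))
```

A "no_xlate" count with zero "built" is the signature of the swapped original/translated ports earlier in this thread; "acl_deny" points at the access rule instead.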

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Hi Allen,

Sorry for the delay, I am going to test this now and try to send the log messages to you.

New Member

Re: Upgraded from Borderware to Cisco, Having Minor Issues

Hi Allen,

With the changes you suggested with the NAT rule webmail/webaccess is working via external connection.  This is great news, I am not sure where to go to view the logs, or to pass that information on to you.  Can you assist?

Cisco Employee

Re: Upgraded from Borderware to Cisco, Having Minor Issues

That is great news, so webmail from external is now working as desired, correct?  If so, I no longer need to see the logs.

To answer your question with regards to logging, if the following commands are entered on the ASA:

logging enable

logging buffered 7

The logs can then be seen in the buffer of the ASA.  The buffer logs can be seen on the console session of the ASA.  If you add the following:

logging asdm 7

You should be able to see the same logs within the ASDM interface.
