
ASA not allowing OWA traffic

scottwclarke
Level 1

Hi, I have 3 5505s that all have very similar "quirks".

The device has been working normally for the last few months, then suddenly decided not to allow OWA traffic through; however, a second site which we use to collect XML from our clients is working fine. I have restarted and cleared the translates, but it hasn't helped. Any advice would be gratefully received.

6 Replies

srue
Level 7

Is OWA accessed via 80 or 443? Can OWA be accessed from an internal client?

Also, your ACL should be more specific.

For example, why are you allowing SMTP to any host internally?

OWA is on 80 at the client's request.

OWA can be accessed from any machine internally.

We are controlling where traffic goes via PAT.

I can tighten the rules up though if you think it would help.

Thanks for the quick reply.

and you've made sure the IP address is correct in the following entry:

static (inside,outside) tcp interface www x.x.x.x www

Can you telnet to port 80 from the outside? Check your IIS server where OWA resides, and make sure you don't have restrictions on who can access OWA. By the way, what type of error are you getting when you try to access it from the outside?

Yep, the IP is correct. The problem seems to come and go, and even when I can't access OWA I can access the monitoring site on the same server.

The error is "page cannot be displayed".

I have also experienced this problem of only working sometimes with Remote Desktop: exactly the same symptoms and roughly the same config.

What license do you have for your ASA5505?

This does not look like a config issue.

jojuarez
Level 1

Hi,

You need to run traffic captures to see what's going on. The configuration seems to be OK, since as you say it sometimes works and sometimes does not.

It's advisable to narrow down the captures by matching only the interesting traffic. Let's suppose the public IP of the server (which uses port 80) is 60.1.1.1 whereas the private one is 192.168.1.1, and that the user testing from the outside has IP 70.1.1.1:

access-l capout permit tcp host 70.1.1.1 host 60.1.1.1 eq 80

access-l capout permit tcp host 60.1.1.1 eq 80 host 70.1.1.1

access-l capin permit tcp host 70.1.1.1 host 192.168.1.1 eq 80

access-l capin permit tcp host 192.168.1.1 eq 80 host 70.1.1.1

capture capin access-l capin int inside packet 1522

capture capout access-l capout int outside packet 1522

Once the above is configured, try to access the server and then do a "sh cap capin" and "sh cap capout", or you can retrieve them as pcap files by accessing ASDM:

https:///capture/capin/pcap

https:///capture/capout/pcap

You can check the files using Ethereal or any other similar software. In this way you'll be able to determine whether the firewall is dropping the traffic or not. Although it's pretty likely it's not a fw issue, you can check the flags of the TCP packets; perhaps some R or F flags are being sent by the server. You can also run some logs.
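
The comparison described in the reply above, as an added example that is not part of the original thread: a script that reads the two capture files, lists TCP flags, and reports whether the SYN crossed the firewall and whether the server sent a reset. It assumes the captures were saved in classic pcap format with Ethernet framing; the function names are hypothetical, the sample packets are constructed, and the addresses are the illustrative ones from the reply.

```python
import socket
import struct

FLAGS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10))

def tcp_packets(pcap):
    """Yield (src, sport, dst, dport, flags) per IPv4/TCP frame of a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = "".join(name for name, bit in FLAGS if tcp[13] & bit)
        yield socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport, flags

def diagnose(capout, capin, client, public_ip, private_ip, port=80):
    """Compare the outside and inside captures and say where the connection stops."""
    out, ins = list(tcp_packets(capout)), list(tcp_packets(capin))
    if (client, public_ip, port, "S") not in {(p[0], p[2], p[3], p[4]) for p in out}:
        return "no SYN on outside interface"
    if (client, private_ip, port, "S") not in {(p[0], p[2], p[3], p[4]) for p in ins}:
        return "SYN seen outside but not inside: firewall did not forward it"
    server = [p[4] for p in ins if p[0] == private_ip and p[1] == port]
    if not server:
        return "server did not answer"
    if any("R" in f for f in server):
        return "server reset the connection"
    return "server answered"

def sample_pcap(packets):
    """Constructed test data: pcap built from (src, sport, dst, dport, flag_byte) tuples."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, fl in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, fl, 8192, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp
        data += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return data
```

With real captures, read the two downloaded files as bytes and pass them to diagnose() together with the client, public and private addresses used in the capture access lists.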
