Accessing OWA from outside ASA

kkeirnan

I'm trying to access the OWA from outside. I've forwarded port 443 but canyouseeme.org tells me it's closed. I can access the OWA fine internally via https://server/owa

I have an ASA5505 firewall doing the port forwards. I moved the ASDM port to 4433 because I read that the ASDM running on 443 also can cause issues when forwarding 443.

Port always comes up closed. Any ideas?
 
In order for a LAN device to be accessible from the Internet, you need two things: a static NAT giving the LAN device a public IP, and then an ACL to allow the traffic.

Can you post the relevant sections of config?
 
conf t
access-list <name> permit tcp any host <external ip of server> eq 443
static (inside,outside) <external ip of server> <internal ip of server> netmask 255.255.255.255
 
You'll also need to make sure the ACL is applied to the outside interface in addition to the NAT translation. Do you have a single static IP address or multiples with a specific IP set aside for your Exchange server? Two possible ways of doing this:



Config for ASA With Single Static IP Address:

name 10.20.30.40 SERVER_INSIDE
access-list Outside_Access_IN permit tcp any interface outside eq smtp
access-list Outside_Access_IN permit tcp any interface outside eq www
access-list Outside_Access_IN permit tcp any interface outside eq https
static (inside,outside) tcp interface smtp SERVER_INSIDE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https SERVER_INSIDE https netmask 255.255.255.255 0 0
access-group Outside_Access_IN in interface outside


Config for ASA With Multiple Static IP Addresses:

name 10.20.30.40 MAIL_INSIDE
name 1.2.3.4 MAIL_OUTSIDE
access-list Outside_Access_IN permit tcp any host MAIL_OUTSIDE eq smtp
access-list Outside_Access_IN permit tcp any host MAIL_OUTSIDE eq www
access-list Outside_Access_IN permit tcp any host MAIL_OUTSIDE eq https
static (inside,outside) MAIL_OUTSIDE MAIL_INSIDE netmask 255.255.255.255 0 0
access-group Outside_Access_IN in interface outside
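
The replies above name three pieces a published port needs: a static translation, an ACL permit, and an access-group binding that ACL to the outside interface. The following audit checks a config for all three; it is an added example, not part of the original posts. It assumes the pre-8.3 static syntax used in this thread, and the function name audit and the finding labels are hypothetical.

```python
import re

# Constructed sample: the single-static-IP config from the thread (pre-8.3 syntax).
SAMPLE = """\
name 10.20.30.40 SERVER_INSIDE
access-list Outside_Access_IN permit tcp any interface outside eq smtp
access-list Outside_Access_IN permit tcp any interface outside eq www
access-list Outside_Access_IN permit tcp any interface outside eq https
static (inside,outside) tcp interface smtp SERVER_INSIDE smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https SERVER_INSIDE https netmask 255.255.255.255 0 0
access-group Outside_Access_IN in interface outside
"""

PORTS = {"smtp": "25", "www": "80", "https": "443"}  # ASA port keywords used here
ACL = re.compile(r"access-list (\S+) (?:extended )?permit tcp any "
                 r"(?:host (\S+)|interface \S+) eq (\S+)")
PAT = re.compile(r"static \(\w+,(\w+)\) tcp (\S+) (\S+) \S+ \S+")   # port forward
NAT = re.compile(r"static \(\w+,(\w+)\) (\S+) \S+ netmask")         # one-to-one
GRP = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config, outside="outside"):
    """Return sorted (finding, address, port) tuples for inbound publishing."""
    permits, forwards, hosts, bound = set(), set(), set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := ACL.match(line):
            permits.add((m[1], m[2] or "interface", PORTS.get(m[3], m[3])))
        elif (m := PAT.match(line)) and m[1] == outside:
            forwards.add((m[2], PORTS.get(m[3], m[3])))
        elif (m := NAT.match(line)) and m[1] == outside:
            hosts.add(m[2])
        elif (m := GRP.match(line)) and m[2] == outside:
            bound.add(m[1])
    # Only permits in an ACL actually applied to the outside interface count.
    live = {(dst, port) for acl, dst, port in permits if acl in bound}
    findings = set()
    for dst, port in forwards:
        if (dst, port) not in live:          # translated, but traffic is dropped
            findings.add(("no-applied-permit", dst, port))
    for host in hosts:
        if not any(dst == host for dst, _ in live):
            findings.add(("no-applied-permit", host, "*"))
    for dst, port in live:
        if (dst, port) not in forwards and dst not in hosts:
            findings.add(("permit-without-nat", dst, port))  # rule opens nothing
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A permit-without-nat finding marks an ACL entry that can be dropped to keep the outside rule set minimal; a no-applied-permit finding matches the "port always comes up closed" symptom in the question.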
 