OWA 2000 and PIX 515E

[TheStressFactor]

Does anyone know the proper config for allowing users on the outside to access OWA. How it works now is that I have my mail server sitting behind the pix. I have a static that allows mail destined to the ip of the mex record to forward to internal mail server. I have listed my pix config below...any help would be greatly appreciated.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname mypix
domain-name mycompany.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list nonat permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.
0
access-list outside permit tcp any host x.x.x.67 eq smtp
access-list outside permit icmp any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.67 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.3.2 255.255.255.255 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location x.x.x.65 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.67 smtp 192.168.3.2 smtp netmask 255.255.
255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set transform esp-3des esp-sha-hmac
crypto ipsec transform-set home esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set home
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set transform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8
192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map home 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key *********** address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup address-pool ippool
vpngroup dns-server 192.168.3.7
vpngroup wins-server 192.168.3.7
vpngroup default-domain mycomapny.com
vpngroup split-tunnel split
vpngroup idle-time 2000
vpngroup password *************

 

[DaneM]

Do you want to run OWA on the mail server or a separate system? Might as well keep it on one server to save hardware, you won't improve the security of the inside network since you don't have a DMZ. With only two interfaces, just add https (TCP/443) to your access-list for the outside: access-list outside permit any host x.x.x.67 eq https.

Also, add a new A record for forward DNS resolution (such as webmail or wm) so users don't connect to

https://mail.mycompany.com.