
OWA with Cisco PIX 515..Help

Status
Not open for further replies.

cant

IS-IT--Management
Oct 25, 2000
42
CA
We just installed Exchange 2000 this weekend with the OWA (Outlook Web Access) option. OWA works fine from inside our network. From the outside of our Cisco PIX 515 firewall we cannot connect to OWA; port 80 is open. Users can send and receive e-mail from outside. Any ideas? Please help.
Thanks
 
Are you using one outside / one inside, or are you using a DMZ? Are you using NAT, PAT, static, or conduit for your HTTP? I am not sure what port the OWA authentication uses, but I would go the easy way and launch PDM Log in debugging mode on the PIX and hit it from the outside and see what is denied. If nothing comes up, check the logical structure of your network. If you use fully qualified IPs on a dual-subnet server, then you might check what IPs your services are listening on.
 
We are using a nat command to resolve a public IP address to an internal one.
If I ping the public one from outside the network, it will time out,
but we are still getting our e-mails.
We have a DMZ, but it is still not activated; nothing is attached to it yet.
This is the only thing I can tell you.
 
I am not sure if this will help you, but we had a similar problem (although we do not use a PIX) due to NAT, so what we did was assign two ports to the default web site (i.e. 8888) and from outside, we connect as and it worked. I have not gotten the chance to find out why yet.

Gladys I. Rodriguez
GlobalStrata Solutions Inc.
 
I forgot to tell you that I think OWA uses other ports besides 80. At least Exchange 5.5 uses 389 too, but again, I have not gotten time to test yet.

Hope this helps.
 
You only need port 80 open into the server.

Have you tried a static (inside,outside) mapping?
 
Thanks for the tip, but my question is, how can I determine if I have a static (inside,outside) mapping?
I am not a Cisco expert, but I can go and check the configuration.
What statement should I look for?
Thanks for the help.
 
This is what I have, and I do not know if it's the right settings.

static (inside,outside) tcp 217.94.14.221 255.255.255.255 0 0
static (inside,outside) tcp 217.94.14.221 44965 10.0.0.100 44965 netmask 255.255.255.255 0 0
static (inside,outside) tcp 217.94.14.222 smtp 10.0.0.103 smtp netmask 255.255.255.255 100 0
static (inside,outside) tcp 217.94.14.222 pop3 10.0.0.103 pop3 netmask 255.255.255.255 100 0
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 0 0

thanks,
 
The following are the exact statements you need if your mail server lives on the private segment:

static (inside,outside) <public IP & MX record> <private IP of mail server> netmask 255.255.255.255 0 0

conduit permit tcp host <public IP> eq smtp any

conduit permit tcp host <public IP> eq 443 any

A couple of things... the third statement refers to port 443. Change it to port 80 if you wish, but I highly recommend using SSL. You can install certificate server on your mail server and know that it will work. If you choose not to encrypt authentication and messages and simply want to use port 80, replace the third statement with the following:

conduit permit tcp host <public IP> eq

You can also get into using access-list statements instead of conduits. In your example I do not see any conduits or access-lists, so I am not sure if you just failed to include them or are missing them altogether. Hope this helps. I know it will work.
 
hey, welcome newbie Beastie - nicely put.

Only thought is that the static mapping lists 0 0 at the end. Wouldn't you be better off using something like 1000 500 to limit embryonic and simultaneous connections, to minimise problems?
 
Great point Zelandakh. As quoted from Cisco:

"To avoid letting applications overwhelm your maximum number of connections, it is very important to always use the connection limit and embryonic limit options with the mailhost, nat, and static commands."

Cheers,

Mike
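The thread's diagnosis boils down to three checks on the PIX config: is there a static translation for the public OWA address, is there a conduit for the OWA port, and does the static carry real connection limits instead of "0 0". The following script, an added example and not anything posted in this thread, automates those checks over a config dump. The sample config and its documentation-range addresses are constructed; the hypothetical check_owa_exposure function only understands the static and conduit forms shown in the thread.

```python
import re

# Constructed sample, modelled on the static statements quoted earlier in the thread.
# The public addresses are documentation-range placeholders, not the poster's real IPs.
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.222 smtp 10.0.0.103 smtp netmask 255.255.255.255 100 0
static (inside,outside) 203.0.113.221 10.0.0.100 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.222 eq smtp any
"""

# PIX accepts service names or numbers; normalise both to the numeric port.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25", "pop3": "110"}

def norm_port(p):
    return PORT_NAMES.get(p, p)

def parse_static(line):
    """static (in,out) [tcp|udp] gip [gport] lip [lport] netmask mask max_conns emb_limit"""
    t = line.split()
    proto = t[2] if t[2] in ("tcp", "udp") else None
    nm = t.index("netmask")
    body = t[(3 if proto else 2):nm]
    gip, gport, lip, lport = body if proto else (body[0], None, body[1], None)
    return {"public": gip, "port": norm_port(gport) if gport else None, "private": lip,
            "max_conns": int(t[nm + 2]), "emb_limit": int(t[nm + 3])}

CONDUIT_RE = re.compile(r"^conduit permit tcp host (\S+) eq (\S+) any$")

def check_owa_exposure(config, public_ip, port="443"):
    """Return the reasons why OWA on public_ip:port would not be reachable through this
    PIX config, or would be reachable with no connection limits (the '0 0' case)."""
    findings = []
    statics = [parse_static(l) for l in config.splitlines() if l.startswith("static ")]
    conduits = [(m.group(1), norm_port(m.group(2))) for l in config.splitlines()
                if (m := CONDUIT_RE.match(l))]
    # A one-to-one static (no port) covers every port; a port static must match exactly.
    match = [s for s in statics if s["public"] == public_ip and s["port"] in (None, port)]
    if not match:
        findings.append(f"no static (inside,outside) translation for {public_ip} port {port}")
    elif match[0]["max_conns"] == 0 and match[0]["emb_limit"] == 0:
        findings.append("static uses '0 0': unlimited connections and embryonic connections")
    if (public_ip, port) not in conduits:
        findings.append(f"no conduit permitting tcp {public_ip} eq {port} from outside")
    return findings

if __name__ == "__main__":
    for reason in check_owa_exposure(SAMPLE_CONFIG, "203.0.113.221", "443"):
        print("FINDING:", reason)
```

Run against the sample, the SMTP host passes cleanly while the OWA host is flagged twice: the static has no limits and nothing permits port 443 inbound.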
 