I have a PIX 515 with inside, dmz and outside interfaces.
My requirements are:
Install OWA 5.5 (SP4) on the DMZ; the mail server, Exchange 5.5, will be in the LAN.
I first tried the following configuration, but it does not work.
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
names
name 10.10.1.5 mail
name 11.11.11.11 dns_server
name 11.11.11.12 webmail
access-list outside_access_in permit tcp any host 13.13.13.13 eq smtp
access-list outside_access_in permit tcp any host 13.13.13.13 eq pop3
access-list outside_access_in permit udp any host 13.13.13.14 eq domain
access-list outside_access_in permit tcp any host 13.13.13.15 eq www
access-list outside_access_in deny ip any any
access-list 101 permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list dmz_access_in permit tcp any host mail eq 135
access-list dmz_access_in permit tcp any host mail eq 5001
access-list dmz_access_in permit tcp any host mail eq 5002
ip address outside 13.13.13.13 255.255.255.224
ip address inside 10.10.1.1 255.255.0.0
ip address dmz 11.11.11.1 255.255.255.0
global (outside) 1 interface
global (dmz) 2 interface
global (dmz) 1 11.11.11.6
nat (inside) 0 access-list 101
nat (inside) 1 10.10.1.6 255.255.255.255 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
alias (inside) 13.13.13.14 dns_server 255.255.255.255
static (inside,outside) 13.13.13.13 mail netmask 255.255.255.255 0 50
static (dmz,outside) 13.13.13.14 dns_server netmask 255.255.255.255 0 50
static (dmz,outside) 13.13.13.15 webmail netmask 255.255.255.255 0 50
static (inside,dmz) webmail mail netmask 255.255.255.255 0 50
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
********
I have also tried adding the following access-list entries (see Q259240 from Microsoft):
access-list dmz_access_in permit udp host webmail host mail eq netbios-ns
access-list dmz_access_in permit udp host webmail host mail eq netbios-dgm
access-list dmz_access_in permit tcp host webmail host mail eq netbios-ssn
But it still does not work.
If anybody can show me where I'm going wrong, I would appreciate it.
Thanks in advance to everybody.
MAX