Outlook Web Access (OWA) and PIX

Hi everybody,

I am managing a university network. Our network has a PIX as the security firewall, with two DMZs. In one DMZ we have an SMTP Filter Server, running on a Global IP. We also have one Exchange server placed inside the PIX, running on a private IP.

The Exchange server is configured so that if it receives any mail from an inside user it sends it to the SMTP Filter, and the SMTP Filter then forwards it to the PIX. In the same way, when a user receives mail from outside, it first comes to the PIX, where after translation it is forwarded to the SMTP Filter. The SMTP Filter then forwards it to the Exchange server, where it drops into the respective user account.

Now here is my problem. I have configured Outlook Web Access on my Exchange server, and it is running fine from inside. But we are not able to access our Exchange server through OWA from outside. One thing that I know is that the Exchange server does not have any Global IP, therefore it is not accessible from outside. But I want to know whether I can use the SMTP Filter IP and distinguish the traffic on the PIX; it is really not clear to me, but it is just a guess.

Below is my PIX configuration:

----------------------------------------

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security95
nameif ethernet3 dmz2 security85
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password xxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
hostname xxxxxxxxxxxxxxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list dmz_int permit tcp host (SMTP Filter Private IP) any eq smtp
access-list dmz_int permit tcp host (SMTP Filter Private IP) any eq www
access-list dmz_int permit tcp host (SMTP Filter Private IP) any eq https
access-list dmz_int permit udp host (SMTP Filter Private IP) any eq domain
access-list tout_int permit tcp any host xxx.xxx.xxx.xxx eq www
access-list tout_int permit tcp any host xxx.xxx.xxx.xxx eq 210
access-list tout_int permit tcp host (SMTP Filter Global IP) any eq smtp
access-list tout_int permit tcp any host (SMTP Filter Global IP) eq smtp
access-list tout_int permit tcp any host (SMTP Filter Global IP) eq https
access-list tout_int permit tcp host (SMTP Filter Global IP) any eq https
access-list tout_int permit tcp any host (SMTP Filter Global IP) eq www
access-list tout_int permit tcp host (SMTP Filter Global IP) any eq www
access-list dmz2_int permit ip host xxx.xxx.xxx.xxx any
pager lines 24
logging console debugging
icmp permit any echo outside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu intf4 1500
mtu intf5 1500
ip address outside (Global IP) 255.255.255.xxx
ip address inside 172.16.60.1 255.255.255.0
ip address dmz1 xxx.xxx.xxx.xxx 255.255.255.0
ip address dmz2 xxx.xxx.xxx.xxx 255.255.255.0
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.xxx.4 255.255.255.255 0 0
static (dmz1,outside) (SMTP Filter Global IP) (SMTP Filter Private IP) netmask 255.255.255.255 0 0
static (inside,dmz1) 172.16.xxx.3 172.16.xxx.3 netmask 255.255.255.255 0 0
static (dmz2,outside) xxx.xxx.xxx.xxx 192.168.2.2 netmask 255.255.255.255 0 0
static (inside,outside) (Global IP) (ISA IP) netmask 255.255.255.255 0 0
static (inside,dmz1) 172.16.xxx.0 172.16.xxx.0 netmask 255.255.255.0 0 0
static (inside,dmz2) 172.16.xxx.0 172.16.xxx.0 netmask 255.255.255.0 0 0
access-group tout_int in interface outside
access-group dmz_int in interface dmz1
access-group dmz2_int in interface dmz2
route outside 0.0.0.0 0.0.0.0 202.83.175.105 1
route inside 172.16.0.0 255.255.0.0 172.16.60.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 172.16.xxx.26 255.255.255.255 inside
telnet 172.16.xxx.175 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

---------------------------------------

Please help me solve this problem or explain to me what I have to do.

ksbhatti
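As an added example, not from the original post or from Cisco's documentation, here is a PIX 6.3 fragment that publishes OWA over HTTPS only while keeping inbound SMTP on the filter, splitting the single public address by port. It assumes placeholder addresses: 203.0.113.10 for the SMTP Filter's Global IP, 192.168.1.10 for its dmz1 private IP and 172.16.60.3 for the Exchange server's inside IP, and it replaces the filter's one-to-one static with per-port statics, since the split is done per port rather than per address.

```cisco
! Added example (not from the original post). Placeholders, all assumed:
!   203.0.113.10 = SMTP Filter Global IP
!   192.168.1.10 = SMTP Filter Private IP (dmz1)
!   172.16.60.3  = Exchange server inside IP
! Goal: one public address, split by port. TCP/25 stays with the SMTP Filter,
! TCP/443 goes to Exchange for OWA. Nothing else on that address is exposed.

! Drop the one-to-one static for the filter; per-port statics take its place.
no static (dmz1,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Inbound mail: port 25 on the public address -> SMTP Filter in dmz1.
static (dmz1,outside) tcp 203.0.113.10 smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

! OWA: port 443 on the same public address -> Exchange on the inside.
! HTTPS only; port 80 (OWA logins in the clear) is deliberately not published.
static (inside,outside) tcp 203.0.113.10 https 172.16.60.3 https netmask 255.255.255.255 0 0

! Outbound connections from the filter (relaying mail to the Internet) no
! longer have a full static to ride on, so give dmz1 a NAT entry. The existing
! "global (outside) 1 interface" will PAT them to the outside interface address.
nat (dmz1) 1 192.168.1.10 255.255.255.255 0 0

! Outside ACL (tout_int is already applied inbound on "outside"):
! permit only what the port statics expose; the implicit deny covers the rest.
access-list tout_int permit tcp any host 203.0.113.10 eq smtp
access-list tout_int permit tcp any host 203.0.113.10 eq https
! The post's "permit tcp any host (SMTP Filter Global IP) eq www" entry is not
! carried over, so port 80 on this address stays closed from outside.
```

Outbound mail from the filter then leaves with the outside interface address rather than 203.0.113.10, so check that reverse DNS for outgoing mail still matches before relying on it. Test OWA from an outside host against https://203.0.113.10 while watching the translations with show xlate.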
