SSL for OWA

Hi,

I am trying to configure one of our customer's PIX firewalls to allow SSL OWA (they are currently using http, not https). For some reason the commands we have added to other customers' PIX firewalls aren't working to accomplish this.

I know the first thing you will all suggest is going to be to upgrade the IOS (we are on version 6.3(1)), but this is not an option at this point. We can only make configuration changes on this PIX that won't interfere with anything else or break anything.

Does anyone know what changes I can make to this PIX to allow SSL OWA traffic? By the way, SSL is working internally.

Here is the current config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vAzMma1Gux3.wkTP encrypted
passwd lwJM7e5kzPHBQwNf encrypted
hostname TSPIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list KirkResidence permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging history notifications
logging facility 0
logging host inside 192.168.1.13
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.6.210-192.168.6.220
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp xx.xx.xx.35 smtp 192.168.1.19 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.35 https 192.168.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.35 www 192.168.1.19 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.35 domain 192.168.1.19 domain netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.37 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.45 192.168.1.84 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.39 172.16.100.25 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.46 172.16.100.30 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.40 172.16.100.34 netmask 255.255.255.255 0 0
conduit permit tcp any eq 8060 host yy.yy.yy.11
conduit permit tcp any eq 9000 host yy.yy.yy.33
conduit permit tcp any eq 1040 host yy.yy.yy.61
conduit permit tcp host xx.xx.xx.35 eq smtp any
conduit permit tcp host xx.xx.xx.35 eq www any
conduit permit tcp host xx.xx.xx.35 eq https any
conduit permit ip host xx.xx.xx.45 host 66.207.66.14
conduit permit icmp any any echo-reply
conduit permit tcp host xx.xx.xx.40 eq citrix-ica any
conduit permit udp host xx.xx.xx.40 eq 1604 any
conduit permit tcp host xx.xx.xx.35 eq domain any
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address KirkResidence
crypto map newmap 20 set peer xx.xx.xx.50
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xx.xx.xx.50 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
Exclusive

Need the IPs of the OWA server to help.

Brian V

The IP of the OWA server is 192.168.1.19.

thanks,

Exclusive


Please do not snip out the post, we need it to be able to help you.

1. You need to get rid of the conduits. Conduits were replaced by ACLs way back in version 5. This will not cause any downtime. Build the ACL, apply it, then remove the conduits. There are many bugs related to them and it is possible you are running into one.

2. Config looks fine, the PAT looks good, the conduit is also good. That only leaves us with a bug and a misconfiguration of the server.

3. You REALLY need to upgrade that software. Downtime is all of 20 seconds if on the console, 30 seconds if doing it remotely.
Brian V

Brian thanks for your help!

I got permission to replace the conduit commands with ACLs. But I'm still not able to access OWA through SSL from outside. When I try from inside it works.

This is my configuration now:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vAzMma1Gux3.wkTP encrypted
passwd lwJM7e5kzPHBQwNf encrypted
hostname TSPIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list KirkResidence permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list out_in permit tcp any any eq smtp
access-list out_in permit tcp any any eq domain
access-list out_in permit tcp any any eq https
access-list out_in permit tcp any any eq www
access-list out_in permit tcp host xxx.yy.97.40 any eq citrix-ica
access-list out_in permit udp host xxx.yy.97.40 any eq 1604
access-list out_in permit tcp any host zz.yy.176.11 eq 8060
access-list out_in permit tcp any host zz.yy.176.33 eq 9000
access-list out_in permit tcp any host zz.yy.176.61 eq 1040
access-list out_in permit tcp any host zz.yy.178.2 eq 1007
access-list out_in permit tcp any host zz.yy.178.2 eq 2007
access-list out_in permit tcp host xxx.yy.97.45 host 66.207.66.14
pager lines 24
logging on
logging trap notifications
logging history notifications
logging facility 0
logging host inside 192.168.1.13
mtu outside 1500
mtu inside 1500
ip address outside xxx.yy.97.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.6.210-192.168.6.220
pdm history enable
arp timeout 14400
global (outside) 1 xxx.yy.97.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp xxx.yy.97.35 www 192.168.1.19 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yy.97.35 smtp 192.168.1.19 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yy.97.35 domain 192.168.1.19 domain netmask 255.255.255.255 0 0
static (inside,outside) udp xxx.yy.97.35 domain 192.168.1.19 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.yy.97.35 https 192.168.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.37 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.45 192.168.1.84 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.39 172.16.100.25 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.46 172.16.100.30 netmask 255.255.255.255 0 0
static (inside,outside) xxx.yy.97.40 172.16.100.34 netmask 255.255.255.255 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yy.97.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address KirkResidence
crypto map newmap 20 set peer xxx.yy.97.50
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.yy.97.50 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
vpngroup ZA address-pool clientpool
vpngroup ZA dns-server 192.168.1.10
vpngroup ZA wins-server 192.168.1.10
vpngroup ZA default-domain XXX.com
vpngroup ZA split-tunnel bypassingnat
Exclusive

Hi there,

Good job, but you need to tighten up that ACL a bit; lock it down to the host.

Example:
access-list out_in permit tcp any any eq smtp
should be:
access-list out_in permit tcp any host *.*.97.35 eq smtp
(replace the *'s with the real numbers)

Add the tightened statements, then remove the old ACL statements. Unlike a router, with the PIX you can remove one line at a time, i.e. "no access-list out_in permit tcp any any eq smtp". Again, like before, there will be no downtime when you do this.

There are no problems with your config on the firewall that I can see that would be stopping the https; it has to be a server configuration issue at this point. Most likely a permissions issue since it works from inside. I'd review the IIS permissions on the local machine, make sure it is not locked down to the local subnet. I suppose it could also be being filtered somewhere along the path, but not knowing the real public IP of the server I can't trace to it on 443.

-Brian

Brian V
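Brian's two pieces of advice in this thread, replacing the legacy conduit lines with an access-list and then tightening "any any" entries down to the published host, are mechanical enough to script, and the third thing worth checking when a published service such as OWA over https is reachable from inside but not outside is whether the ACL bound to the outside interface actually admits each port static. The following Python is an added example written for this page, not code from the thread or from Cisco; the public addresses 203.0.113.35 and 198.51.100.11 in the constructed sample are documentation-range placeholders standing in for the masked addresses above, the ACL name out_in is the one used in the thread, and all function names are my own.

```python
"""Lint a PIX 6.x config for the points raised in this thread: legacy
`conduit` lines that should become `access-list` lines, ACL entries that
permit `any any`, and port statics no entry in the outside ACL admits."""
import re
from collections import namedtuple

# Constructed sample modelled on the thread's config. The public addresses are
# documentation-range placeholders (assumption); the inside host is the thread's.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 203.0.113.35 www 192.168.1.19 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.35 https 192.168.1.19 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.35 smtp 192.168.1.19 smtp netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.35 eq https any
conduit permit tcp any eq 8060 host 198.51.100.11
access-list out_in permit tcp any any eq smtp
access-list out_in permit tcp any host 203.0.113.35 eq 443
access-group out_in in interface outside
"""

# PIX accepts these names in place of numbers; normalise so "https" == "443".
PORT_NAMES = {"www": "80", "https": "443", "smtp": "25", "domain": "53"}
AclEntry = namedtuple("AclEntry", "name action proto src dst dst_port")


def _port(p):
    return None if p is None else PORT_NAMES.get(p, p)


def _take_addr(tok, i):
    """Consume one address spec (any | host X | NET MASK) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _take_port(tok, i):
    """Consume an optional 'eq PORT' that follows an address spec."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def conduit_to_acl(line, acl_name):
    """Rewrite 'conduit ACTION PROTO GLOBAL [eq P] FOREIGN [eq P]' as an ACL line.
    A conduit names the global (outside) address first and the foreign (source)
    address second; an access-list is source first, destination second, so the
    two specs swap places. Trailing tokens such as ICMP types are kept."""
    tok = line.split()
    glob, i = _take_addr(tok, 3)
    gport, i = _take_port(tok, i)
    foreign, i = _take_addr(tok, i)
    fport, i = _take_port(tok, i)
    out = [f"access-list {acl_name} {tok[1]} {tok[2]} {foreign}"]
    out += [f"eq {fport}"] if fport else []
    out.append(glob)
    out += [f"eq {gport}"] if gport else []
    return " ".join(out + tok[i:])


def parse_acl(line):
    tok = line.split()  # access-list NAME ACTION PROTO SRC [eq P] DST [eq P]
    src, i = _take_addr(tok, 4)
    _, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, _ = _take_port(tok, i)
    return AclEntry(tok[1], tok[2], tok[3], src, dst, _port(dport))


def acl_entries(config):
    return [parse_acl(l) for l in config.splitlines() if l.startswith("access-list ")]


def broad_entries(config):
    """Permit entries from any source to any destination (the ones to tighten)."""
    return [e for e in acl_entries(config)
            if e.action == "permit" and e.src == "any" and e.dst == "any"]


def tighten(entry, host):
    """The same entry with its destination locked down to one global host."""
    port = f" eq {entry.dst_port}" if entry.dst_port else ""
    return f"access-list {entry.name} {entry.action} {entry.proto} {entry.src} host {host}{port}"


STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")


def unmatched_statics(config):
    """Port statics that the ACL bound to the outside interface does not admit.
    Only the bound ACL counts: once an access-group is applied to an interface
    it takes precedence over conduits, so a leftover conduit is not a match."""
    m = re.search(r"^access-group (\S+) in interface outside", config, re.M)
    entries = [e for e in acl_entries(config) if m and e.name == m.group(1)]
    missing = []
    for line in config.splitlines():
        s = STATIC_RE.match(line)
        if not s:
            continue
        proto, gip, gport, lip, lport = s.groups()
        admitted = any(e.action == "permit" and e.proto in (proto, "ip")
                       and e.dst in ("any", f"host {gip}")
                       and e.dst_port in (None, _port(gport)) for e in entries)
        if not admitted:
            missing.append(f"{proto} {gip}:{gport} -> {lip}:{lport}")
    return missing
```

Run against the sample, `conduit_to_acl` turns the https conduit into `access-list out_in permit tcp any host 203.0.113.35 eq https`, and turns `conduit permit tcp any eq 8060 host 198.51.100.11` into an entry whose source is that host and whose destination is `any eq 8060`; the conduit operand order (global first, foreign second) is the detail most easily reversed when translating by hand, so it is worth comparing the tool's output with any hand-written ACL before the conduits are removed. `broad_entries` flags the `any any eq smtp` line that Brian's example tightens, and `unmatched_statics` reports the www static as having no matching entry in out_in, which is the kind of gap that would show up as "works from inside, not from outside" for a published service.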

I tried all that but I still can't get it working. I'll continue researching this. Anyway, thanks for all the useful advice!

Exclusive

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.