Cisco Firewall :: ASA5510 - Outlook Clients Disconnect From Public Exchange?
Apr 4, 2011
We have a setup where clients on the internal network send/receive their emails through Microsoft Outlook client, while the Exchange server is hosted on the internet, outside the organization.The clients are connected to a Cisco switch, behind an ASA5510 Firewall. The Firewall is connected to an internet router, with double NAT (On the ASA and Router).
the outlook clients disconnect from the Exchange server, sometimes for hours, and then reconnect again. During these disconnections, the same client PCs are able to browse the internet normally. There are no restrictions for the traffic going from the inside to the outside. During the disconnections, if we try to connect using a public IP bypassing the ASA & router,.
View 1 Replies
ADVERTISEMENT
Aug 15, 2011
We have a ASA 5510 which was running 8.0.2, we recently upgraded it to 8.2.5 and since the upgrade remote users for exchange 2007 are not able to download any large email attachments(over or close to 1MB). This is only happening to Outlook anywhere users or OWA users who are connecting to the exchange server using https(443) externally. If the same users connects internally they do not face any issue. When i check the logs on ASA i am gettings lots of RESET-O and RESET-I entries. Looks like the connection between the client and the server gets reset.
View 14 Replies
View Related
Aug 16, 2011
We have a ASA5510 with a webserver in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the Inside network 10.1.1.0/24. I researched this and it seemed straight forward according the the Cisco document below:
[URL]
I'm looking to do this with smtp so I added these lines to the config:
static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
The configuration line:access-group DMZ in interface DMZ Already existed in the configuration so didn't need to be re-entered.
ASA Version 8.0(4)
!
hostname xxxx
domain-name xxxx.com
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
[code]....
View 28 Replies
View Related
Aug 22, 2011
I can connect to Internet perfectly fine. I can even VPN back into my office. However, once connected via VPN and I launch my Outlook Client, I'm not able to connect to get emails. When I run a "netstat -a", I get my "SYN_SENT" to all my office domain controllers and exchange servers.However, if I connected via my Starhub USB Broadband dongle, everything works perfectly fine.What settings do I need to do on my router? I tried port forwarding and application rules but none worked.
View 4 Replies
View Related
Dec 26, 2011
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?
View 2 Replies
View Related
Nov 1, 2012
My web server is out of public IPs. I requested more from my ISP and I got a different range with a different gateway. How do I handle the configuration on my Cisco ASA? Without any configuration changes to the firewall I saw the traffic hitting it and being blocked. I added an access rule to allow the traffic. I added a virtual interface on the ASA. I added a virtual interface on the web server. Using "Packet Tracer" the traffic flows from the outside interface to the new virtual interface. But I'm unable to access my web server and I don't see any traffic on that IP reaching the web server.Using Cisco ASA 5510.
View 8 Replies
View Related
Mar 6, 2013
I’ve been trying to figure out this for quite a while. I have a range of public IP addresses directly assigned on my dmz servers. The inside interface of ASA 5510 has one of those public IP addresses assigned (the default gateway for all dmz servers). Now I have a new range of public IPs that I also want to directly assign to new dmz servers. My goal is to have two distinct public IP ranges on dmz that should communicate between them. The inside ASA interface should be the default gateway for both networks.
View 1 Replies
View Related
Aug 3, 2012
We got an ASA5510 (8.2x) with an inside, guest and outside interface.On the guest interface, we have DHCP function on the ASA.On the outside, there is web-ssl vpn (dns hostname on a public isp-dns server) configured.
When an user on the guest net tries to get connected with the web-ssl dns-name, it resolves the public, outside interface-ip , the ASA dropps it.
I know, with static NAT it can be resolved url...but on this scenario, we are trying to build a connection from a guest inside IP to the public-ip form the outside ASA interface.If the guest users try an web-ssl connection on the guest-ASA IP, it works with a certificate error ( because there is no internal DNS on the guest net to resolve the dns name to the guest-interface IP).
So how can this be achieved? Can the ASA provide DNS server function? Can a NAT static entry (outside ip to interface guest) solve it? It's the only solution an inhouse DNS server in the guest-net?
View 2 Replies
View Related
Mar 10, 2011
we have two Cisco ASA 5510 in failover configuration.We tried to change the public IP address on the Outside interface of the primary device but it didn't works. The new IP is not reachable from Internet nor pingable from device on the same LAN.The new IP address is in the same subnet of the old IP.
From the switch on which the ASA is connected and from another Cisco PIX we can see the ARP entry. In the analysis, on the old public IP address there was a VPN site-to-site and Webvpn defined.We tried also to shut/no shut the interface and reboot the device.
View 1 Replies
View Related
Jul 31, 2012
I have run out of public facing IP addresses and I need more. Assuming I have been issued 1.1.1.0/24 and my new/additional range/subnet issued is 2.2.2/0/24 - Can I carry on with the same configuration on my ASA5510 and just add static NAT for new services in the 2.2.2.0/24 range.
i.e.existing config
route 0.0.0.0 0.0.0.0 1.1.1.254 (upstream ISP)
Interface outside ip address 1.1.1.1 255.255.255.0
NAT 2.2.2.1 to 10.1.2.3
or, assume my ISP will deliver 2.2.2.1 to my outside interface (1.1.1.1.1/24) and if my NAT is in place it will get delivered to 10.1.2.3 inside.
or, put another way I dont need change my set-up as I just static route to my ISP!
my real public IP is a /27 can I use my broadcast address (its a legit public IP address)?
i.e 1.2.3.0/27 = 1.2.3.1 to 1.2.3.31
Outside interface = 1.2.3.1/27
Can I use 1.2.3.31 and NAT it to an internal server?
View 3 Replies
View Related
Sep 21, 2011
I have an ASA5510 running in production. I have about 28 site-to-site vpn tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP us. When I do a packet tracer on the ASA, all phases are "ALLOW" but at the very end, the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel including the crypto ACL has not been changed. This same tunnel had NO issues prior to the 8.2.4 upgrade.
I thought about trying to disable "inspect FTP,. I am running FTP passive mode on the ASA so I don't believe "inspect FTP" is required.
View 2 Replies
View Related
Sep 6, 2012
Just installed ASA -5505 replaced cisco 851
My exchange server hosts remote outlook clients and remote web access
no one on the remote side can access my exchange server
internal mail flows in bound and out bound.
My iphone can not access the exchange server either.
When the Cisco 851 was online all the above worked great. Nothing changed on the remote client side just put the ASA 5505 in service.
I am new to the ASSA 5505 family. Had a reseller configure the router but unable to get them at this hour. Called Cisco support but they are closed at this time also.
View 5 Replies
View Related
Dec 6, 2011
The environment: 20 X air-ap1141N-A-K9 (these are standalone) in three different buildings with either 1 or 2 units per floor depending on sq. footage. IOS is c1140-k9w7-tar.124-25d.JA1.
Problem Users running various tpyes of wireless cards on windows XP SP3 get disconnected periodically throughout the day whether they roam or not. This disconnect problem started happening after we replaced older 1200 series units running wpa and tkip and replaced with 1141n running wpa2 with aes. Users running windows 7 do not get disconnected. However there are very few W7 users on campus as this point in time.
I set up a single test unit shown below and associated two laptops to see if they would disconnect. Not once did I lose connectivity. NAME: "AP1210", DESCR: "Cisco Aironet 1200 Series Access Point"PID: AIR-AP1252G-A-K9 , VID: V03, SN: FTX1339903J NAME: "Dot11Radio0", DESCR: "802.11N 2.4Ghz Radio"PID: AIR-RM1252G-A-K9 , VID: V01, SN: FOC1337107F IOS: c1250-k9w7-tar.124-10b.JDA3
View 13 Replies
View Related
Jan 22, 2013
I have a WLC 5508 in my datacenter, and 1142s configured with FlexConnect at a remote site.Two issues:Some APs 'die' from time to time where I cannot ping them anymore and they do not service any clients. I can reset them from the WLC after which they work again. I have some clients in the building (same area) who lose connectivity from time to time and are unable to reconnect to the wireless. I am seeing errors that the gateway cannot be found or there is not a valid IP. restarting the AP closest to the clients fixes the issue. I have replaced the AP and connected to a different port on the switch.
View 6 Replies
View Related
May 5, 2013
We have an asa5510 running as an SSL VPN gateway using one public IP address (e.g. 1.1.1.1) as the target IP address for the users.
Now we need to run a 2nd public IP address on the same asa5510 as target IP address for a different set of users, e.g. 2.2.2.2.
NAT is not working, secondary IP address is not possible, sub-interface is not the right way. Is this really not possible?
View 1 Replies
View Related
Feb 29, 2012
I have a strange issue on my ASA 5510 (8.4). I can't ping or connect to the VPN clients but the VPN clients can ping/connect to any inside resources. I have checked all the NAT extemtion entries.
View 3 Replies
View Related
Apr 30, 2013
I have two ASA5510 each with a security plus license and 10 SSL VPN licenses, in active/standby mode at version 8.4(4)1. It only allows up to two vpn clients (AnyConnect & SSL VPN) at a time, any extra vpn client would receieve "Login Failed" message.
View 2 Replies
View Related
Nov 16, 2011
I have some users from another company who are visiting my company. The use outlook to access their mail. I think it is via RPC over https (ssl). When there are on my network they are unable to send messages but when the connect to an ISP directly they are able to send. I have a cisco 2821 as my internet router and an ASA5505 (8.0.5...i downgraded it from 8.2.3) as my firewall. I have not blocked anything from going out. Of note is that when other users use window live configured for gmail....which uses tls they are unable to send emails with atachements. Regular emails go though no problem. Hotmail can send atachments without a problem (there is no encrytion there). I have narrowed the issue down to how the firewall treats esmtp or tls traffic passing though it. I have already diabled inspect esmtp on the firewall.
View 2 Replies
View Related
Jul 10, 2011
i have an ASA 5520 8.4(1) setup as follows
public wan
|
|
ASA-- public dmz
|
|
private lan
i need to allow https traffic to a server in the DMZ that will have a routable IP address will just an ACL suffice ?which interface do i apply it to ? wan or dmz ?i dont need a NAT since the DMZ is a routable space?
View 6 Replies
View Related
May 17, 2013
internet is working with the client except for gmail account using outlook 2010.
View 1 Replies
View Related
May 29, 2013
I am trying to issue command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introducted in 8.4. My ASA's are running version 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one my ASA.
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
[code]....
View 3 Replies
View Related
Apr 25, 2011
I am using ASA 5505 firewall with base-license. I connected my firewall to one cisco 3750 switch where i created 5 vlans. I done NATing for all vlans and they able to get internet and working fine. They able to browse all internet sites like gmail and yahoo mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with outlook they are unable to send and receive the mails.
If they directly connected their system using public ip( Directly from ISP) they able to send and receive mails from outlook.
View 2 Replies
View Related
Nov 7, 2012
i have exchange with NLB cluster.
i want to PAT the cluster ip to access email from outside. i know i can add the static arp entry for multicast cluster ip.
my question is i can add static nat command to that same cluster ip for port 25 and 443 like normal way like we do for normal PAT?
View 2 Replies
View Related
Feb 26, 2013
We have the following setup on our Cisco ASA version 8.6.1 One to one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node from the cluster but when the cluster failover it cache the IP address and are not updating the new MAC when the cluster failover. So users from the outside are unable to connect to the new node from outside the ASA as the MAC address from the passive node is in the MAC table. The MAC address on all the switches update within 2 seconds on the internal network and users don't notice any outage.
View 4 Replies
View Related
Jun 3, 2012
In Cisco ASA 5510 , outlook port only permit ( pop3 995/smtp :587) with TLS encryption. How we can do it thru ASDM .
View 1 Replies
View Related
Jun 15, 2011
I have the following scenario.
INET
(205.50.50.1)
|
|
(205.50.50.2)
[CISCO ASA 5540]
(10.10.10.1)
|
|
+ ---------------------------------------------+
(10.10.10.2) (10.10.10.3)
[BARRACUDA] [Exchange SRV]
Mail Domain: mail.domain.com (205.50.50.50)
Ok so the mail flows to the Barracuda using a static 1:1 NAT configuration and then gets delivered from the Barracuda to the Exchange server. I want to implement active sync (Direct Push) for Windows mobile devices. They need to communicate with mail.domain.com over port 443. The problem is I want mail to continue to flow to the Barracuda, but direct Direct Push traffic to the Exchange server.I cnow I can't implement two 1:1 NAT mappings from the same external hostname to 2 different servers.
View 3 Replies
View Related
Jan 17, 2012
We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. [code]
View 1 Replies
View Related
Jun 26, 2012
I am trying to port forwarding Exchange 2010 OWA using ASA5505, wherever I used object NAT or Twice NAT it just doesn't work.... here is my config:
access-list outside-access remark "Exchange Server Access Rules"
access-list outside-access extended permit tcp any host <public x.x.x.11> eq smtp
access-list outside-access extended permit tcp any host <public x.x.x.11> eq https
[code]...
note that i use public ip <public x.x.x.9> on the outside interface for PAT, so all hosts in the same private can access internet
View 1 Replies
View Related
Nov 29, 2011
Our ASA 5510 has been in place for nearly two years, we never have any issue what so ever with it. All along the ASA has been using the default policy. Lately, we beeen getting email deferred in our Barracuda Spam firewall. Google quickly reveals that ESMTP does not play nice with Barracuda witch i disabled eventhough we haven't had any issue with it before. However, the issue remains, we still getting email deferred in the barracuda.
While doing more troubleshooting on the ASA, I constated when issue the command show local-host + IP of the Barracuda, there is an IP address in outside of the interface that can get up to 96 UDP port 53 connections with the Barracuda, this connection never get lower than 20! However, when checking the default setup for the Barracuda, i have the values below:
Incoming SMTP Timeout: 20
Message per SMTP Session : 8
Maximum SMTP Error SMTP Session: 2
Maximum Connection per Client 30m:40
My question is if that ASA show up to 96 DNS session with an outside host to my barracuda, won't that push the barracuda to play email deferred timeout ? Should I change the barracuda default setting? Or should i change the connections limits for the Barracuda in the ASA?
View 3 Replies
View Related
Jun 6, 2012
ASA 5510 have two model Bun-K9 and Sec-Bun-K9 from the datasheet find out difference Port related and Redundancy. My questions is : Have any major difference for Security service between two model ?
View 3 Replies
View Related
May 8, 2012
I know that I've run into this before but I can't remember the fix. I have a 5510. The 3 interfaces involved are INSIDE, OUTSIDE, and GUEST. Corporate users are allowed to put their iPhones on the Guest network, but the problem is that their Exchange ActiveSync stops working. It is tied to the external DNS name of the OWA server (we'll say webmail.abc.com). So the users are funneled out one public IP on the OUTSIDE interface and are trying to communicate with the outside of the OWA server, which is NATed to another public IP on the same outside interface. What do I need to do on the ASA to allow users on the guest network (behind the GUEST interface) to access the mail server using its public IP (behind the INSIDE interface)
View 1 Replies
View Related
Jul 23, 2011
I picked up a rather nasty bit of malware which resulted in a format and installation of Windows Ultimate 64, all well now except i cant get the wireless to work, downloaded assorted drivers from the dell support directory but to no avail, so questions are-:am i missing something obvious (windows function button for wireless does nothing)what is the correct driver for the N5040 and are there any tricks in getting it to work.
View 1 Replies
View Related
Dec 27, 2011
Is there any way to access a MS Exchange Server 2007 on Windows server 2008 through an ASA 5510 running 8.4 with a full MS Outlook client (not using OWA - web browser)? OWA is currently working fine but I was wondering if access via the full Outlook client is possible and more importantly...is it opening up too many ports on my 5510?
View 1 Replies
View Related
