From: Chuck Church (cchurch@xxxxxxxxxxxx)
Date: Sun Aug 12 2001 - 00:04:20 GMT-3
Muhammed,
The problem is your access list. You're only allowing clients to use TCP
80 as a source port. Once the handshake occurs, the client will go to a
high port. Try this at home: Browse to a web page, and immediately run
netstat -n in a DOS window. You should see your workstation using a high
port.
Chuck
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Muhammed Omar
Sent: Saturday, August 11, 2001 4:50 PM
To: Ccielab@Groupstudy. Com
Subject: OT: Outlook for Web Via 1605 Firewall
Hi guys
I've set up a 1605 as a firewall (as below) to allow browsing, email & also
for remote users MS Outlook for Web Access. The problem is that, using a
browser, users can't log on to the Exchange 5.5 SP4 server (on Win2K server)
for email using port 80. The logon prompt is displayed, but when a user types
in name and password it does not log them in & does NOT give any error
message. Any idea what I'm missing? Is it a permissions issue on Win2K?
hostname 1605
!
enable password c
!
ip subnet-zero
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
!
!
interface Ethernet0
ip address 150.150.150.1 255.255.255.0
ip access-group 112 in
no ip directed-broadcast
ip nat outside
interface Ethernet1
ip address 20.20.20.2 255.255.255.0
no ip directed-broadcast
ip nat inside
ip inspect ethernetin in
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip nat inside source list 7 interface Ethernet0 overload
ip nat inside source static tcp 20.20.20.20 150.150.150.150
!
ip classless
ip route 0.0.0.0 0.0.0.0 150.150.150.2
!
access-list 7 deny 20.20.20.20
access-list 7 permit 20.0.0.0 0.255.255.255
!
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
access-list 112 permit tcp any www host 150.150.150.150 eq www
access-list 112 permit tcp host 200.20.1.1 25 host 150.150.150.150 eq 25
access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any
!
line con 0
transport input none
line vty 0 4
password c
login
!
end
**Please read:http://www.groupstudy.com/list/posting.html
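The source-port point made in the reply can be checked by evaluating the posted access-list 112 entries first-match against a packet from a browser on an ephemeral port. This is an added example, not part of the original thread; the Rule/Packet model, the client address 198.51.100.7 and the corrected entry are assumptions made for illustration.

```python
# Added example: first-match evaluation of the TCP-relevant entries in access-list 112.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR form
    sport: Optional[int]   # required source port, None = any
    dst: str               # destination network, CIDR form
    dport: Optional[int]   # required destination port, None = any

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

ANY = "0.0.0.0/0"
OWA = "150.150.150.150/32"

# Entries as posted: the web entry pins the SOURCE port to 80 (www).
ACL_POSTED = [
    Rule("permit", ANY, 80, OWA, 80),
    Rule("permit", "200.20.1.1/32", 25, OWA, 25),
    Rule("permit", "150.150.150.2/32", None, "150.150.150.1/32", 23),
    Rule("deny", "127.0.0.0/8", None, ANY, None),
    Rule("deny", ANY, None, ANY, None),
]
# Assumed correction: no source-port match on the web entry, in IOS form
# "access-list 112 permit tcp any host 150.150.150.150 eq www".
ACL_FIXED = [Rule("permit", ANY, None, OWA, 80)] + ACL_POSTED[1:]

def evaluate(acl, pkt):
    """Return the action of the first matching rule; implicit deny if none match."""
    for r in acl:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.sport in (None, pkt.sport)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "deny"

# Constructed packets: a browser on an ephemeral port, and one sourced from port 80.
BROWSER = Packet("198.51.100.7", 49731, "150.150.150.150", 80)
FROM_80 = Packet("198.51.100.7", 80, "150.150.150.150", 80)

if __name__ == "__main__":
    for name, acl in (("posted", ACL_POSTED), ("fixed", ACL_FIXED)):
        print(name, evaluate(acl, BROWSER), evaluate(acl, FROM_80))
```

The SMTP entry in the posted list matches on source port 25 in the same way, so the same evaluation applies to it.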
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3