RE: OT: Outlook for Web Via 1605 Firewall

From: Price, Jamie (JPrice@xxxxxxxxxxx)
Date: Sun Aug 12 2001 - 00:04:00 GMT-3


This part of the config concerns me:

> access-list 7 deny 20.20.20.20
> access-list 7 permit 20.0.0.0 0.255.255.255

You have explicitly denied your Outlook server from being able to use NAT.
Now admittedly it shouldn't matter because you have assigned a static IP to
that address......but that is later on in the config and therefore the deny
statement could be in some way overwriting things - especially if the
Outlook box in some way tries to initiate an outbound conversation as part
of the process. Stranger things have been known to happen in IOS.

I dunno - it may be worth a shot to remove the deny statement.

I may be wrong in my NAT configs but I never bother explicitly denying in my
NAT pool what I am assigning as a static further on, especially because 9
out of 10 times I have to revisit it and add statics at later dates, and I
haven't had any problems.

Also.......

This may not be what you're seeing but it's interesting nonetheless.

Some admins set up Outlook to use NT challenge/response for added security.

In that scenario you need to enter the domain name as well as the user name
for Outlook to work or you just won't get in.

For example - user "user1" in domain "domain" using password "password" has
to enter "user1" in the user field on the logon screen and then
"domain/user1" in the user field and "password" in the password field of the
logon box that pops up next.

If you don't do that and instead just use "user" instead of "domain/user"
when using NT challenge/response then you'll be prompted 3 times and then
get an unauthorized logon screen.

If they haven't set up Outlook to use NT challenge/response in this way then
the passwords are passed in clear text. Yuck!!!

Jamie
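
As an added example (not code from anyone in this thread), the following Python scans a few constructed HTTP requests of the kind a sniffer sitting between the 1605 and the Exchange box would see on TCP/80, and reports which logons hand the password to an eavesdropper. Basic authentication puts "user:password" base64-encoded in the Authorization header, which is encoding rather than encryption; NT challenge/response (NTLM) sends a negotiation blob and a hashed answer to a server challenge, never the password itself. The host, the usernames and passwords, the NTLM blob and the function names are all made up for the example.

```python
"""Which OWA logons in a capture expose the password?

Added example, not code from the thread.  It scans constructed HTTP requests
(what a sniffer between the 1605 and the Exchange box would see on TCP/80)
and reports which ones carry credentials an eavesdropper can read.  Basic
authentication base64-encodes "user:password" in the Authorization header,
which is encoding rather than encryption; NT challenge/response (NTLM) sends
a negotiation blob and a hashed answer to a server challenge, never the
password.  Host, users, passwords and the NTLM blob are all made up.
"""
import base64
import re
import struct

# Constructed capture: (inside_tls, raw request).  Request 3 is shown as the
# endpoints see it; on the wire it would be inside TLS and unreadable.
CAPTURE = [
    (False, "GET /exchange/ HTTP/1.1\r\nHost: 150.150.150.150\r\n"
            "Authorization: Basic ZG9tYWluXHVzZXIxOnBhc3N3b3Jk\r\n\r\n"),
    (False, "GET /exchange/ HTTP/1.1\r\nHost: 150.150.150.150\r\n"
            "Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n"),
    (True,  "GET /exchange/ HTTP/1.1\r\nHost: 150.150.150.150\r\n"
            "Authorization: Basic dXNlcjE6cGFzc3dvcmQ=\r\n\r\n"),
]


def authorization_header(raw):
    """Return the Authorization header value of one request, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return None


def classify(header):
    """Decode what the header gives away for the Basic and NTLM schemes."""
    scheme, _, blob = header.partition(" ")
    scheme = scheme.lower()
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return {"scheme": scheme, "error": "undecodable"}
    if scheme == "basic":
        user, _, password = data.decode("latin-1").partition(":")
        # Accept both DOMAIN\user and DOMAIN/user spellings of the account.
        m = re.match(r"^(?:([^\\/]+)[\\/])?(.*)$", user)
        return {"scheme": scheme, "domain": m.group(1), "user": m.group(2),
                "password": password}
    if scheme == "ntlm":
        if len(data) < 12 or data[:8] != b"NTLMSSP\x00":
            return {"scheme": scheme, "error": "malformed"}
        (msg_type,) = struct.unpack_from("<I", data, 8)   # 1 negotiate, 2 challenge, 3 authenticate
        return {"scheme": scheme, "message_type": msg_type}
    return {"scheme": scheme}


def audit(capture=CAPTURE):
    """One finding per authenticated request; 'exposed' means a sniffer gets the password."""
    findings = []
    for n, (inside_tls, raw) in enumerate(capture, 1):
        header = authorization_header(raw)
        if header is None:
            continue
        info = classify(header)
        exposed = info["scheme"] == "basic" and "password" in info and not inside_tls
        findings.append({"request": n, "exposed": exposed, **info})
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run it and the first request decodes straight back to domain "domain", user "user1", password "password"; the NTLM request yields only a message type; the third is marked not exposed solely because it sits inside TLS. Note that ACL 112 as posted only lets inbound port 80 reach the server, so with Basic authentication every OWA password crosses the Internet in the clear.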

-----Original Message-----
From: Todd Veillette [mailto:tveillette@home.com]
Sent: Saturday, August 11, 2001 9:45 PM
To: 'Muhammed Omar'
Cc: 'Ccielab@Groupstudy. Com'
Subject: RE: OT: Outlook for Web Via 1605 Firewall

When you say they get the login screen, do you mean the default HTTP
Web access page? If so, is the NT DNS domain available in the domain window,
or via the drop-down? If it is then it sees the domain so it's probably an NT
issue not the router. Obviously if it doesn't affect all users then it's NT
for sure.

HTH.

-TV

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Andrew Lennon
Sent: Saturday, August 11, 2001 9:11 PM
To: 'Jay Hennigan'; 'Muhammed Omar'
Cc: 'Ccielab@Groupstudy. Com'
Subject: RE: OT: Outlook for Web Via 1605 Firewall

Muhammed,

As a first step, you may want to try removing the access list to be sure
that is not causing the problem. Hopefully you can then diagnose further
from there. I have a router running with NAT and IPSec, but without the
FW which works fine with OWA.

Andy

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jay Hennigan
Sent: 12 August 2001 00:12
To: Muhammed Omar
Cc: Ccielab@Groupstudy. Com
Subject: Re: OT: Outlook for Web Via 1605 Firewall

On Sat, 11 Aug 2001, Muhammed Omar wrote:

> Hi guys
>
> I've set up a 1605 as a firewall (as below) to allow browsing, email & also
> for remote users MS Outlook for Web Access. The problem is using a browser
> users can't log on to Exchange 5.5 SP4 server (on Win2K server) for email using
> port 80. The logon prompt is displayed but when a user types in name password
> it does not log them in & does NOT give any error message. Any idea what I'm
> missing? Is it a permissions issue on Win2K?

Port 443 TCP for SSL, perhaps?

Try turning on logging on your deny statement in the ACL and see what's
getting captured. Just change the last line to:

access-list 112 deny ip any any log

and turn on term mon unless you're on console.

> hostname 1605
> !
> enable password c
> !
> ip subnet-zero
> !
> ip inspect name ethernetin cuseeme timeout 3600
> ip inspect name ethernetin ftp timeout 3600
> ip inspect name ethernetin h323 timeout 3600
> ip inspect name ethernetin http timeout 3600
> ip inspect name ethernetin rcmd timeout 3600
> ip inspect name ethernetin realaudio timeout 3600
> ip inspect name ethernetin smtp timeout 3600
> ip inspect name ethernetin sqlnet timeout 3600
> ip inspect name ethernetin streamworks timeout 3600
> ip inspect name ethernetin tcp timeout 3600
> ip inspect name ethernetin tftp timeout 30
> ip inspect name ethernetin udp timeout 15
> ip inspect name ethernetin vdolive timeout 3600
> !
> interface Ethernet0
> ip address 150.150.150.1 255.255.255.0
> ip access-group 112 in
> no ip directed-broadcast
> ip nat outside
>
> interface Ethernet1
> ip address 20.20.20.2 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> ip inspect ethernetin in
>
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip nat inside source list 7 interface Ethernet0 overload
> ip nat inside source static tcp 20.20.20.20 150.150.150.150
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 150.150.150.2
> !
> access-list 7 deny 20.20.20.20
> access-list 7 permit 20.0.0.0 0.255.255.255
> !
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
> access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
> access-list 112 permit tcp any www host 150.150.150.150 eq www
> access-list 112 permit tcp host 200.20.1.1 25 host 150.150.150.150 eq 25
> access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
> access-list 112 deny ip 127.0.0.0 0.255.255.255 any
> access-list 112 deny ip any any

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323
**Please read:http://www.groupstudy.com/list/posting.html
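
Jay's suggestion to put "log" on the final deny and watch "term mon" can be dry-run before touching the router. The Python below is an added example, not code from the thread: it implements the IOS extended-ACL semantics that matter here (top-down, first match wins, implicit deny at the end) and walks a handful of constructed flows through access-list 112 as posted, with the last line changed to "deny ip any any log". Two posted lines are not valid IOS as reproduced, because a source port needs an operator such as "eq" in front of it; the example assumes the readings "permit tcp any host 150.150.150.150 eq www" and "permit tcp host 200.20.1.1 eq 25 host 150.150.150.150 eq 25". The client addresses and ports are made up (192.0.2.0/24 is a documentation range), the function names are mine, and the log output only mimics the %SEC-6-IPACCESSLOGP format.

```python
"""Walk constructed flows through ACL 112 and show what "deny ip any any log" emits.
Added example, not code from the thread.  Implements the IOS extended-ACL
semantics needed here: top-down, first match wins, implicit deny at the end.
Lines 8 and 9 of ACL_112 are the assumed readings of the posted HTTP/SMTP lines.
"""
from collections import namedtuple

ACL_112 = """\
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 unreachable
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 traceroute
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 administratively-prohibited
access-list 112 permit icmp any 150.150.150.0 0.0.0.255 echo
access-list 112 permit tcp any host 150.150.150.150 eq www
access-list 112 permit tcp host 200.20.1.1 eq 25 host 150.150.150.150 eq 25
access-list 112 permit tcp host 150.150.150.2 host 150.150.150.1 eq telnet
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any log
""".splitlines()
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25}
ANY = (0, 0xFFFFFFFF)  # (address, wildcard)
Flow = namedtuple("Flow", "proto src dst sport dport icmp_type", defaults=(None, None, None))


def ip2int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def in_range(ip, net):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wildcard = net
    return ((ip2int(ip) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def _addr(tok):
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (ip2int(tok.pop(0)), 0) if t == "host" else (ip2int(t), ip2int(tok.pop(0)))


def _port(tok):
    if not tok or tok[0] != "eq":  # only "eq" occurs in this ACL
        return None
    tok.pop(0)
    name = tok.pop(0)
    return PORT_NAMES.get(name) or int(name)


def parse_rule(line):
    """Turn one 'access-list 112 ...' line into a dict of match fields (None = any)."""
    tok = line.split()[2:]
    r = {"text": line, "action": tok.pop(0), "proto": tok.pop(0), "log": tok[-1] == "log"}
    if r["log"]:
        tok.pop()
    ports = r["proto"] in ("tcp", "udp")
    r["src"] = _addr(tok)
    r["sport"] = _port(tok) if ports else None
    r["dst"] = _addr(tok)
    r["dport"] = _port(tok) if ports else None
    r["icmp_type"] = tok.pop(0) if r["proto"] == "icmp" and tok else None
    return r


def matches(r, f):
    return (r["proto"] in ("ip", f.proto)
            and in_range(f.src, r["src"]) and in_range(f.dst, r["dst"])
            and r["sport"] in (None, f.sport) and r["dport"] in (None, f.dport)
            and r["icmp_type"] in (None, f.icmp_type))


RULES = [parse_rule(line) for line in ACL_112]


def evaluate(f, rules=RULES):
    """Return (line number, action, log flag); line 0 is the implicit deny."""
    for n, r in enumerate(rules, 1):
        if matches(r, f):
            return n, r["action"], r["log"]
    return 0, "deny", False


def log_line(f, action):
    """Mimic the %SEC-6-IPACCESSLOGP message 'term mon' shows for tcp/udp."""
    verb = {"permit": "permitted", "deny": "denied"}[action]
    return f"%SEC-6-IPACCESSLOGP: list 112 {verb} {f.proto} {f.src}({f.sport}) -> {f.dst}({f.dport}), 1 packet"


SAMPLE_FLOWS = {  # constructed flows arriving inbound on Ethernet0
    "owa_http": Flow("tcp", "192.0.2.10", "150.150.150.150", 1025, 80),
    "owa_https": Flow("tcp", "192.0.2.10", "150.150.150.150", 1026, 443),
    "smtp_relay_sport25": Flow("tcp", "200.20.1.1", "150.150.150.150", 25, 25),
    "smtp_relay_ephemeral": Flow("tcp", "200.20.1.1", "150.150.150.150", 3456, 25),
    "ping": Flow("icmp", "192.0.2.10", "150.150.150.150", icmp_type="echo"),
    "telnet_from_gateway": Flow("tcp", "150.150.150.2", "150.150.150.1", 2000, 23),
    "telnet_from_outside": Flow("tcp", "192.0.2.10", "150.150.150.1", 2001, 23),
}


def run(flows=SAMPLE_FLOWS):
    """Return {name: (line, action)} and print what the logged deny would emit."""
    results = {}
    for name, f in flows.items():
        n, action, log = evaluate(f)
        results[name] = (n, action)
        if log:
            print(log_line(f, action))
    return results
```

Under those readings, plain HTTP to 150.150.150.150 is permitted by line 8, while HTTPS to the same host and telnet from anywhere other than 150.150.150.2 fall through to the logged deny and would show up on the terminal exactly as Jay describes. One more thing the walk-through makes visible: line 9 only admits mail from 200.20.1.1 when its source port is 25, so a relay connecting from an ephemeral port is denied; if that line really is meant as posted, it deserves a second look.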


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:49 GMT-3