Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

Similar Messages

• How to Configure Cisco ASA 5512 for multiple public IP interfaces

  Hi
  I have a new ASA 5512 that I would like to configure for multiple public IP support.  My problem may be basic but I am an occasional router admin and don't touch this stuff enough to retain everything I have learned.
  Here is my concept.    We have a very basic network setup using three different ISPs that are currently running with cheap routers for internet access.  We use these networks to open up access for Sales to demo different products that use a lot of bandwidth (why we have three)
  I wanted to use the 5512 to consolidate the ISPs so we are using one router to manage the connections.  I have installed an add on license that allows multiple outside interfaces along with a number of other features.
  Outside Networks (I've changed the IPs for security purposes)
  Outside1 E 0/0 : 74.55.55.210  255.255.255.240 gateway 74.55.55.222
  Outside2 E 0/2: 50.241.134.220 255.255.248 gateway 50.241.134.222
  Inside1 : E 0/1 192.168.255.1 255.255.248.0
  Inside2 : E 0/3 172.16.255.1 255.255.248.0
  My goal is to have Inside 1 route all internet traffic using Outside1 and Inside 2 to use Outside2.    The problem is I can't seem to do this. I can get inside 1 to use outside 1 but Inside2 uses Outside 1 as well.
  I tried adding static routes on Outside2 to have all 172.16.248.0/21 traffic use gateway 50.241.134.222 but that doesn't seem to work.   
  I can post my config up as needed.  I am not well versed in Cisco CLI, I've been using the ASDM 7.1 app.  My ASA 5512 is at 9.1.   
  Thanks in advance for the suggestions/help

  I have been away for a while and am just getting caught up on some posts. so my apology for a delayed response.
  I find the response very puzzling. It begins by proclaiming that to achieve the objective we must use Policy Based Routing. But then in the suggested configuration there is no PBR. What it gives us is two OSPF processes using one process for each of the public address ranges and with some strange distribute list which uses a route map. I am not clear what exactly it is that this should accomplish and do not see how it contributes to having one group of users use one specific ISP and the other group of users use the other ISP>
  To the original poster
  It seems to me that you have chosen the wrong device to implement the edge function of your network. The ASA is a good firewall and it does some routing things. But fundamentally it is not a router. And to achieve what you want were a group of users will use a specified ISP and the other group of users will use the other ISP you really need a router. You want to control outbound traffic based on the source of the traffic, and that is a classic situation where PBR is the ideal solution. But the ASA does not do PBR.
  HTH
  Rick

• Configuring Cisco/IronPort plugin for Outlook with CRES

  With the discontinuation of the IronPort IEA appliances we are getting ready to move from our on-premise IEA appliances to CRES.  I have a demo key for Encryption that I am running on my C660s and I have an Outlook client configured with the Email Security Plug-In version 7.2.0.39.  Currently the Outlook Plug in is configured to point to our on premise IEA appliances for the Server URL attribute in Desktop Encryption Options and is working great.
  My question is, what do I use to connect it to CRES for desktop encryption?
  The Admin guide "Cisco IronPort Email Security Plug-in 7.2 Administrator Guide" page 4-46 just says "Server URL Enter the URL for your  Encryption server."
  Thanks

  Hi Jason,
  Thanks for your question.  The short answer is https://res.cisco.com:443 HOWEVER please note the following two points.  First, you will need a CRES account, so that you can download a token to use with the plugin, to authenticate to CRES; you cannot use the default token which you have probably been using with your IEA.  Second, using the current Outlook plug-in version 7.2 with CRES is not supported; it works, but it is not supported.  There are plans to release a supported version.

• How to configure CISCO ASA 5510 for internal remote desktop ?

  Helo,I have a client that want to install new ASA (5510) in their network.
  and then I did some experiment to implement it. the topology is like this :
  --------configuration---------
  2800 router :
  interface FastEthernet0/0
  ip address 172.16.1.1 255.255.255.0
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.11.3 255.255.255.0
  duplex auto
  speed auto
  ip route 192.168.12.0 255.255.255.0 172.16.1.2
  1841 router :
  interface FastEthernet0/0
  ip address 172.16.1.2 255.255.255.0
  duplex auto
  speed auto
  interface FastEthernet0/1
  ip address 192.168.12.1 255.255.255.0
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 172.16.1.1
  ASA 5510 :
  : Saved
  : Written by enable_15 at 19:21:31.639 UTC Mon Sep 13 2010
  ASA Version 8.2(1)
  hostname ciscoasa
  enable password **** encrypted
  passwd ***** encrypted
  names
  name 192.168.12.0 Branch
  dns-guard
  interface Ethernet0/0
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.11.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  management-only
  boot system disk0:/asa821-k8.bin
  ftp mode passive
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 Branch 255.255.255.0
  access-list inside_access_in extended permit ip 192.168.11.0 255.255.255.0 any
  access-list inside_access_in extended permit ip Branch 255.255.255.0 192.168.11.0 255.255.255.0
  tcp-map mssmap
    synack-data allow
    invalid-ack allow
    seq-past-window allow
    urgent-flag allow
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-621.bin
  asdm location Branch 255.255.255.0 inside
  no asdm history enable
  arp timeout 14400
  static (inside,inside) 192.168.11.2 192.168.11.2 netmask 255.255.255.255
  static (inside,inside) 192.168.12.2 192.168.12.2 netmask 255.255.255.255
  access-group inside_access_in in interface inside
  route inside Branch 255.255.255.0 172.16.1.1 1
  timeout xlate 3:00:00
  timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username ***** password ***** encrypted
  class-map mymap
  match access-list inside_access_in
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  policy-map myPolicy
  class mymap
    set connection advanced-options mssmap
  service-policy global_policy global
  service-policy myPolicy interface inside
  prompt hostname context
  Cryptochecksum:a605d94f29924e5267644dd0f4476145
  : end
  I can successfully ping from host 192.168.12.2 to 192.168.11.2, but I can't do remote desktop from those host.
  then I use wireshark to capture packet in my computer and it says that TCP ACKed Lost Segment.
  "1373","164.538081","192.168.11.2","192.168.12.2","TCP","47785 > ms-wbt-server [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2"
  "1374","164.538993","192.168.12.2","192.168.11.2","TCP","[TCP ACKed lost segment] ms-wbt-server > 47785 [RST, ACK] Seq=1 Ack=1407706213 Win=0 Len=0"
  I can guarantee that both computers are remote desktop enabled and all firewall have been disabled.
  please help, any suggest would be great .
  thanks .
  sincerley yours
  -IAN WIJAYA-

  ear Ian_benderaz,
  Thank god i am not alone on this ,
  Me too having the exact same problem , i can ping to the host ,but no remote desktop .
  Somebody please help me on this , how enable remote desktop on asa 5505 
  Thanks 

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem

  Hi,
  i recently purchased a Cisco ASA 5520 and running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
  I have installed 50 Site-to-Site VPN tunnels, and they work fine.
  but randomly the VPN Tunnels keep disconnecting and few seconds after it connects it self automaticly....
  it happens when there is no TRAFIC on, i suspect.
  in ASDM in Group Policies under DfltGrpPolicy (system default) i have "idle timeout" to "UNLMITED" but still they keep disconnecting and connecting again... i have also verified that all VPN TUNNELS are using this Group Policie. and all VPN tunnels have "Idle Timeout: 0"
  this is very annoying as in my case i have customers having a RDP (remote dekstop client) open 24/7 and suddenly it gets disconnected due to no traffic ?
  in ASDM under Monitoring -> VPN .. i can see all VPN tunnels recently disconnected in "Login Time Duration"... some 30minutes, 52minutes, 40minutes and some 12 minutes ago.. and so on... they dont DISCONNECT at SAME time.. all randomly..
  i dont WANT the VPN TUNNELS to disconnect, i want them to RUN until we manually disconnect them.
  Any idea?
  Thanks,
  Daniel

  What is the lifetime value configured for in your crypto policies?
  For example:
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400

• Command to View LDAP Password on Cisco ASA 5520

  Hello
  I am migrating from a Cisco ASA 5520 (ASA version 8.4(6)5 to a Cisco ASA 5585. We have LDAP issues logging into to our vpn client software. I assume the LDAP password may be incorrectly entered on the new 5585. No service password- encryption or more running:config won't show the encrypted LDAP password. What is the command to view that?
  Thanks!
  Matt

  Thankyou Jennifer for the responds.
  Could you please help me on how to enable "memberOf" attribute on AD to be pushed to ASA for the OU matching.
  i have already set the "Remote Dialin" property of user account name "testvendor" in AD as "Allow Access" .It can be shown in the debug output as below.
  [454095] sAMAccountName: value = testvendor
  [454095] sAMAccountType: value = 805306368
  [454095] userPrincipalName: value = [email protected]
  [454095] objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=abc,DC=local
  [454095] msNPAllowDialin: value = TRUE
  [454095] dSCorePropagationData: value = 20111026081253.0Z
  [454095] dSCorePropagationData: value = 20111026080938.0Z
  [454095] dSCorePropagationData: value = 16010101000417.0Z
  Is their any other settings that i need to do it on AD ?
  Kindly advice
  Regards
  Shiji

• Cisco ASA 5520 Failover with DMZ

  I have a pair of Cisco ASA 5520s running as a primary/standby. Everything is working properly with the primary ASA, however when I trigger a failover, everything works except for the DMZ interface on the standby ASA. I've poured over the configs, but perhaps I have been staring at them too long because I am just not seeing anything.
  Below is the output of the sh run failover, sh failover, and sh run interface commands for each unit...
  PRIMARY ASA
  Primary-ASA# sh run failover
  failover
  failover lan unit primary
  failover lan interface stateful1 GigabitEthernet0/3
  failover key *****
  failover link stateful1 GigabitEthernet0/3
  failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
  Primary-ASA# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 160 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 20:39:23 CDT Sep 3 2013
  This host: Primary - Active
  Active time: 69648 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
       Interface outside (184.61.38.254): Normal
       Interface inside (192.168.218.252): Normal
       Interface dmz (192.168.215.254): Normal (Waiting)
       Interface management (192.168.1.1): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Other host: Secondary - Standby Ready
  Active time: 2119 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.253): Normal
  Interface inside (192.168.218.253): Normal
  Interface dmz (192.168.215.252): Normal (Waiting)
  Interface management (192.168.1.2): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
  IPS, 6.0(3)E1, Up
  Primary-ASA# sh run interface
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
  ospf cost 10
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
  ospf cost 10
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
  ospf cost 10
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  ospf cost 10
  management-only
  STANDBY ASA
  Standby-ASA# sh run failover
  failover
  failover lan unit secondary
  failover lan interface stateful1 GigabitEthernet0/3
  failover key *****
  failover link stateful1 GigabitEthernet0/3
  failover interface ip stateful1 192.168.216.1 255.255.255.0 standby 192.168.216.2
  Standby-ASA# sh failover
  Failover On
  Failover unit Secondary
  Failover LAN Interface: stateful1 GigabitEthernet0/3 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 160 maximum
  Version: Ours 8.2(5), Mate 8.2(5)
  Last Failover at: 20:39:23 CDT Sep 3 2013
  This host: Secondary - Standby Ready
  Active time: 2119 (sec)
  slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.253): Normal
  Interface inside (192.168.218.253): Normal
  Interface dmz (192.168.215.252): Normal (Waiting)
  Interface management (192.168.1.2): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Other host: Primary - Active
  Active time: 70110 (sec)
        slot 0: ASA5520 hw/sw rev (2.0/8.2(5)) status (Up Sys)
  Interface outside (184.61.38.254): Normal
  Interface inside (192.168.218.252): Normal
  Interface dmz (192.168.215.254): Normal (Waiting)
  Interface management (192.168.1.1): Normal (Not-Monitored)
  slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
       IPS, 6.0(3)E1, Up
  Standby-ASA# sh run interface
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 184.61.38.254 255.255.255.128 standby 184.61.38.253
  ospf cost 10
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 192.168.218.252 255.255.255.0 standby 192.168.218.253
  ospf cost 10
  interface GigabitEthernet0/2
  nameif dmz
  security-level 50
  ip address 192.168.215.254 255.255.255.0 standby 192.168.215.252
  ospf cost 10
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
  ospf cost 10
  management-only
  Does anyone see something I might be missing? I am at a loss...

  I'll just answer my own question...the configs are correct, but it the interface on the standby ASA was plugged into an improperly configured switchport. That'll do it everytime.

• Cisco ASA 5520 Crashinfo

  I have cisco asa 5520 firewall in production sudenly yetserday firewall was reboted and crashinfo file was genetrated(check with command show crashinfo)
  But unable to undersatand the terms
  I want to know below thing regarding crashinfo
  1) In asa where crashinfo file stores and file name(please share commnad for checking)
  2) How to copy file from device to machine
  3) How to read that file(any tool any software)

  The crashinfo file ("show crashinfo") is plain text and along with the memory register contents there is a whole long list of other information - running-configuration, interface status and counters, etc. So you can look at it in any text editor or even on the ASA console itself.
  As far as learning from it directly, there is plenty to learn and use without knowing the most detailed possible level of debug information.
  If you want to see some of the tools that are available (and may include some of the crashinfo data), I'd recommend to you a Cisco Live presentation like BRKSEC-3020. You can download that and any other Cisco Live presentations here with a free registration.

• Cisco ASA 5520 traffic between interfaces

  Hello,
  I am new in the Cisco world , learning how everything goes. I have a Cisco ASA 5520 firewall that i am trying to configure, but i am stumped. Traffic does not pass trough interfaces ( i tried ping ) , although packet tracer shows everything as ok. I have attached the running config and the packet tracer. The ip's i am using in the tracer are actual hosts.
  ciscoasa# ping esx_management 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  ciscoasa# ping home_network 192.168.10.100
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  Thank you in advance.

  Hi,
  Is this just a testing setup? I would suggest changing "internet" interface to "security-level 0" (just for the sake of identifying its an external interface) and not allowing all traffic from there.
  I am not sure what your "packet-tracer" is testing. If you wanted to test ICMP Echo it would be
  packet-tracer input home_network icmp 10.192.5.5 8 0 255 192.168.10.100
  I see that you have not configured any NAT on the ASA unit. In the newer ASA software that would atleast allow communication between all interface with their real IP addresses.
  I am not so sure about the older ASA versions anymore. To my understanding the "no nat-control" is default setting in your model which basically states that there is no need for NAT configurations between the interfaces the packet is going through.
  Have you confirmed that all the hosts/servers have the correct default gateway/network mask configurations so that traffic will flow correctly outside their own network?
  Have you confirmed that there are no firewall software on the actual server/host that might be blocking this ICMP traffic from other networks?
  Naturally if wanted to try some NAT configurations you could try either of these for example just for the sake of testing
  Static Identity NAT
  static (home_network,esx_management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,DMZ) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  static (home_network,management) 192.168.5.0 192.168.5.0 mask 255.255.255.0
  OR
  NAT0
  access-list HOMENETWORK-NAT0 remark NAT0 to all local networks
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.10.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.20.0 255.255.255.0
  access-list HOMENETWORK-NAT0 permit ip 192.168.5.0 255.255.255.255.0 192.168.1.0 255.255.255.0
  nat (home_network) 0 access-list HOMENETWORK-NAT0
  Hope this helps
  - Jouni

• HA between a Cisco ASA 5520 and a Cisco ASA 5525-X

  Hi all!
  we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
  We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
  Best regards for all,

  You cannot make a 5520 establish failover with the mate being a 5525-X.
  1. The configuration guide (here) states:
  The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
  2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above.

• Older version of openssl in cisco asa 5520

  Hi,
  Recently my security has scanned all the network devices for vulnerabilities and found that cisco asa 5520 , which we use for RAS VPN has older version of openssl. Have  to  check that and fix this problem? FYI, recently we have installed a SSL cert for webmail users.
  Thanks,
  Sridhar

  Sridhar,
  W update OpenSSL libraries on our side quite often, especially if new vulnarabilities are found.
  You can check recently published vulnarabilities in www.cisco.com/go/psirt (not only specific to ASA)
  In general ASA 8.4 is what you should go for to have "latest and greatest" revisions of openssl and ASA code itself.
  Marcin

• Cisco ASA 5520 Traffic monitoring

  Hello ,
  We have a Cisco ASA 5520 and im looking for a way to monitor largest outgoing and incoming traffic per ip in real time so to know which of my internal computers are using the most of our Internet Line. Is there a way to this through ADSM ? We use version 6.3.
  Thanks a lot

  Hi,
  I dont think the ASA alone can give you a really clear picture of the real time situation.
  It however should be able to give you some clue and simple statistics on the ASDM Firewall Dashboard
  My ASDM version is 7.1 but it should be there in your version also.

• Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

  OK, so our primary firewall is a checkpoint gateway. Behind that we have a cisco ASA for vpn users. I have a project at the moment where we need to connect to another company using site to site VPN through the cisco ASA, as the checkpoint gateway is unable to establish a permanent tunnel with the other companies Cisco ASA.
  What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch? 
  Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
  When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
  Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
  The ASA is connected to a checkpoint sub interface
  Any help would be beneficial as im new to cisco ASAs 
  Thanks
  Mark

  Mark
  If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
  HTH
  Rick

• 2 exchange 2013 multirole server and 1 addess for Outlook Anywhere. How to?

  Hello everybody.
  I'm coming to you with a question about my new Exchange 2013 infrastructure. 
  I have 2 Exchange 2013 SP1 servers. Both are multirole (CAS + MBX). My servers are Server12 and Server13. 
  I created a DAG which IP adderss is 192.168.3.30 (Servers IP are 3.31 and 3.32). Everything's working fine. 
  For CAS High Availability, I followed this thread : http://exchangeserverpro.com/exchange-2013-client-access-server-high-availability/
  On my firewall, I use NAT to send https flow from my public IP address (mail.domain.fr, external domain
  published on internet) to point to mail.domain.org (internal domain, non published on Internet). The mail.domain.org alias is my record defined in my internal DNS to
  point to my 2 multirole server, as shown in the tutorial above.
  I encounter a problem with external outlook anywhere. My problem comes with Outlook Anywhere which is not working fine when I redirect https flow to my cluster IP address (192.168.3.30) (DAG's address, corresponding to my servers). If I do the same redirection,
  but pointing to only one of my servers, it's working fine. In Exchange, external outlook Anywhere directory points to mail.domain.fr
  But anyway, if this servers goes down, I have to change manually the NAT on my firewall. And I don't want to :). 
  How can I do ? Can I do something without a physical load-balancer? 
  Thanks

  You cannot point Outlook Anywhere to your DAG cluster IP address. It must be pointed to the actual IP address of either server.
  For no extra cost DNS round robin is the best you will get, but it does have some drawbacks as it may give the IP address of a server you have taken down for maintenance or the server has an issue.
  You could look to implement a load balancer but again if you are doing this for high availability then you want more than one load balancer in the cluster - otherwise you've just moved your single point of failure.
  Having your existing NAT and just remembering to update it to point to the other server during maintenance may suit your needs for now.
  If you can go into more detail about what the high availability your business is looking to achieve and the budget we can suggest the best method to meet those needs for the price point.
  Have a great day
  Oliver
  Oliver Moazzezi | Exchange MVP, MCSA:M, MCITP:Exchange 2010,Exchange 2013, BA (Hons) Anim | http://www.exchange2010.com | http://www.cobweb.com | http://twitter.com/OliverMoazzezi