KB ID 0001237
Problem
Activation occurs over TCP 80 and 443, so usually this will not trip you up. However, if you are on a site with a very restrictive firewall config, then you might want to add the following.
Solution
I’ll break with the norm, and just post the config in its entirety (the lines beginning with ! are comments, leave them out when you paste it in.)
[box]
!
! The firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
! Set up DNS lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
!
! Create objects for each of the activation FQDNs.
!
object network Obj-go.microsoft.com
 fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
 fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
 fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
 fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
 fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
 fqdn db3.sls.microsoft.com
!
! Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
 subnet 65.52.0.0 255.252.0.0
!
! Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-wpa.one.microsoft.com
 network-object object Obj-crl.microsoft.com
 network-object object Obj-wwwtk2test1.microsoft.com
 network-object object Obj-wwwtk2test2.microsoft.com
 network-object object Obj-db3.sls.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
 network-object object Obj-MS-Activation-Subnet-2
!
! Create a service object group for the activation ports.
!
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
!
! Allow the traffic out (SEE THE WARNING BELOW!)
! Note: the group name here must match the object-group defined above.
!
access-list outbound extended permit tcp any object-group Obj-GP-MS-Activation object-group Obj-SVC-MS-Activation
[/box]
Warning: Before executing the access-list command, make sure the ACL name matches your existing ACL (the one already applied with access-group). In the example above I’ve used outbound. See the following article for clarification:
Cisco ASA – ‘access-group’ Warning
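The two things that silently break a paste like this are an object-group name in the access-list that does not match the one defined, and an ACL name that no access-group actually applies. The following is an added Python check (not from this article or from Cisco) that parses a saved ASA config and reports both; the sample config is constructed from the article's names plus an assumed existing access-group binding.

```python
import re

# Constructed sample: a trimmed copy of this article's snippet, with an assumed
# pre-existing 'access-group' binding (inside_access_in) so the ACL-name check
# has something to compare against. It deliberately contains two mistakes:
# the ACL name 'outbound' is not bound anywhere, and the object-group name in
# the access-list does not match the group that was defined.
SAMPLE_CONFIG = """
access-group inside_access_in in interface inside
object network Obj-go.microsoft.com
 fqdn go.microsoft.com
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
access-list outbound extended permit tcp any object-group Obj-GP-Microsoft-Activation object-group Obj-SVC-MS-Activation
"""

def lint_asa_refs(config: str) -> list:
    """Return findings: object/object-group names that an access-list line
    references but the config never defines, and ACL names that no
    access-group applies to an interface (so the rule never takes effect)."""
    defined, bound_acls, findings = set(), set(), []
    lines = [ln.strip() for ln in config.splitlines()]
    # Pass 1: collect every defined object/object-group and every bound ACL.
    for line in lines:
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object(?:-group)? (?:network|service) (\S+)", line)
        if m:
            defined.add(m.group(1))
        m = re.match(r"access-group (\S+) (?:in|out|global)", line)
        if m:
            bound_acls.add(m.group(1))
    # Pass 2: check each extended ACE against what pass 1 found.
    for line in lines:
        m = re.match(r"access-list (\S+) extended ", line)
        if not m:
            continue
        acl = m.group(1)
        if acl not in bound_acls:
            findings.append(f"ACL '{acl}' is not applied by any access-group")
        for ref in re.findall(r"object(?:-group)? (\S+)", line):
            if ref not in defined:
                findings.append(f"ACL '{acl}' references undefined object '{ref}'")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_refs(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` before pasting; an empty result means every referenced name exists and the ACL you extended is one the firewall is actually enforcing.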
Related Articles, References, Credits, or External Links
NA