Cisco Firewall :: ASA 5510 Ways To Allow Outside Adapter To Permit Smtp

Oct 25, 2012

We have a 5510 (8.2) with the following 4 interfaces (security-levels) inside (95), outside(0), dmz(25), and test (95).  The dmz network is 10.10.10.0/24 and the outside interface is 40.133.84.69.We have run into a situation where a dmz hosted iRedMail server running postfix (10.10.10.51) is relaying mail which in some cases points back to us at 40.133.84.69 and into our Exchange server.  In these cases in the dmz server's mail logs we see postfix timeout trying to connect to smtp at 40.133.84.69.  When I try to telnet from 10.10.10.51 to the outside interface on port 25 it times out.We've tried different ways to allow the outside adapter to permit smtp (or any service!) from 10.10.10.51 but we're left scratching out heads.

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: 5510 - Outlook Port Only Permit (POP3 995 / SMTP 587) With TLS Encryption

Jun 3, 2012

In Cisco ASA 5510 , outlook port only permit ( pop3 995/smtp :587) with TLS encryption. How we can do it thru ASDM .

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Setting Up ACL To Permit Access Only To The Nat Subnet?

Apr 9, 2012

setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
 
permit ip any "Nat_subnet"
 
After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration.

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242

[code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - See Logged Traffic On Permit Rules

Feb 9, 2012

I have a rule which permits traffic to a web server and logging is enabled.  But when I go to syslog I am only seeing traffic which has been denied.  What needs to change to be able to see the logged traffic on permit rules?

View 1 Replies View Related

Cisco Firewall :: Setting Up ASA 5510 Cannot Get SMTP To Come In

Mar 21, 2013

I have a ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut n paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output and it keeps failing on the NAT with a rpf-check. Once i get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
 
Here it is:
  
RVGW# sh run object
object network WiFi
subnet 172.17.100.0 255.255.255.0

[Code]......

View 1 Replies View Related

Cisco Firewall :: ASA 5510 ACL For Blocking Outbound SMTP

Jan 30, 2013

I'm trying to configure a simple ACL to block smtp traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that smtp server. i want my Exchange server only to send smtp traffic. here's what i have:
 
-access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange
 
-access-list 102 extended deny tcp any eq smtp any eq smtp
 
-access-list 102 extended permit ip any any
 
-access-group 102 in interface inside
 
after i apply this ACL to the ASA, i am still able to send from my internet email address setup in Outlook using my "foreign" smtp server.

View 1 Replies View Related

Cisco Firewall :: Accessing SMTP From Outside Network Through ASA 5510?

Oct 11, 2012

I have an issue with my mail server(SME Server) which is behind a Cisco ASA 5500(firewall)  problem is that if one leaves my network they can receive but can not  send email via my SMTP also internal people can only send if they use  the IP address of the server rather than the domain [URL]

here is my layout
 
ISP - ASA 5510 - LAN (includes mailserver)

View 7 Replies View Related

Cisco Firewall :: Add IP Address For SMTP Services ASA 5510

Nov 28, 2012

We have hosted spam filter service with 3rd party vendor.  My vendor is switching to different spamming services and I need to add ip address lets say 44.33.454.32 to the list of allowed system that can connect to my smtp service.  I am going over my firewall 5510 configs and I think I need add the entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - Setting Up SMTP Port Block?

Mar 5, 2012

how to go about setting up the ASA to block any SMTP traffic outbound except for our Exchange Server. This is in relationship to a SpamBot issue that blacklisted us. I have an ASA 5510 running version 6.2(5) / 8.2(2) with three ports. DMZ, Inside and the Outside interface. Up till today, I only needed to block outside traffic to our internal network which I used the ASDM to configure a rule on the outside interface for an incoming rule. I am assuming I need to create an outgoing rule on the outside interface; however, just to make sure I understand the terminology/traffic flow, I created the rule with my computer as the source (192.168.0.131) with ALL destination and the service as HTTP. My logic, which seems to fail here, is that any traffic from my computer going outbound would be blocked; however I am still able to browse... That said, if I were to change the source as the Exchange server and the Service Type to SMTP, it would not actually block traffic and therefore not solve our problem.  I even gone as far as permitting traffic from my computer, expanding the hit counter and I see no hits.  So I am no doubt doing this wrong. What I do know, is when I first created the rule, a second rule was automatically created (Implicit rule) that deny all sources and blocked all HTTP traffic until I changed it to Permit?

View 2 Replies View Related

Cisco Firewall :: ASA-5510 Dropping Outbound SMTP Traffic?

Aug 21, 2011

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
  
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
 
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:   JWillar@email.com on 8/21/2011 9:49 AM  Could not deliver the message in the time limit specified. Please retry or contact your administrator.  <630.SM.Local #4.4.7>
 
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
 
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it be wise to just reload the last good running-config I have prior to the Outbound rule being added.

View 13 Replies View Related

Cisco Firewall :: 5510 Single Outside Public / Can PAT Out And NAT SMTP Server Back

Jul 30, 2012

I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...

1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
 
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
 
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8

View 1 Replies View Related

Cisco Firewall :: 5510 How To Configure Local LAN SMTP Traffic Sending Through New Leased Line

Jun 11, 2012

We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow  SMTP traffic to pass through  from this interface.
 
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).

View 2 Replies View Related

Cisco Firewall :: How To Permit Traffic From Outside To DMZ On ASA 8.4

Jan 22, 2013

I Have this Topology: R1 is as server and i want to public that server in INTERNET using public IP 7.7.7.7, but i can not do that. I tried to do a NAT but it just translate from DMZ to Outside, however i can not to ping to 7.7.7.7 from Outside (R2).
 
I have a route in R2

7.7.7.7 [1/0] via 200.200.200.1 
On R2 i can´t ping to 7.7.7.7
On R2 i can´t ping to 172.16.0.2
On R1 i can ping to 200.200.200.2
On Inside i can ping to 172.16.0.2
 
when i try to ping from DMZ to Outside (200.200.200.2) the debug, and show nat details, show me:
 
ciscoasa(config)# nat: translation - dmz:172.16.0.2/26 to outside:7.7.7.7/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
nat: untranslation - outside:7.7.7.7/26 to dmz:172.16.0.2/26
ciscoasa(config)#
ciscoasa(config)# sh nat detail

[code]...

View 6 Replies View Related

Cisco WAN :: ASA 5510 - Mail Server Error 421 SMTP Connection Went Away

Oct 11, 2011

I've got some problem with my Mail Server since I've migrated to an ASA5510.Actually the server is in a DMZ with a private Ip ( 10.x.x.2) and it is translated to a Public IP ( 194.x.x.65).I use these configuration :

static (DMZ,LAN) 194.x.x.65 10.x.x.2 netmask 255.255.255.255 static (DMZ,LAN) 194.x.x.66 10.x.x.3 netmask 255.255.255.255 static (DMZ,WAN) 194.x.x.65 10.x.x.2 netmask 255.255.255.255 static (DMZ,WAN) 194.x.x.66 10.x.x.3 netmask 255.255.255.255 static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0
 
Some Users received in there mailbox a system administer error message :

Object : Impossible to deliver : test Your message could not be deliver to one or more of its recipients: 421 SMTP connection went away!
 
When they try to re sent it some times later, message is sent without problem.

View 4 Replies View Related

Cisco Firewall :: Cannot View Permit Entries In The Log On ASA 5520

Apr 6, 2011

I can not seem to view my "permit" entries in the log on my ASA 5520. I set up logging-lists, changed the level to 3 on  the logging statement, and simply can't find it anywhere.
 
Partial config:
 
logging enabled
logging timestamp
logging JC-L3 level errors
logging monitor JC-L3
logging buffered JC-L3
logging trap notifications

[code]....

View 6 Replies View Related

Cisco Firewall :: ASA 5520 - Permit Traffic To Inside Via MAC - Address?

Apr 6, 2011

I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network?  I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world.  I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.

View 2 Replies View Related

Cisco Firewall :: ASA5510 Permit Incoming Connection From Remote LAN

Sep 4, 2011

Actually all service from site to site is permitted, without restriction.I want to insert an ASA to block some internet traffic on main site.I try to configure my ASA5510.No problem for outgoing connection or to permit a single service on main site.But impossible to give access to all service/connection from all remote site to main site. [code]

View 7 Replies View Related

Cisco Firewall :: ASA 5585- TCP Syslog / Logging Permit-Host Down

Jul 5, 2012

We have a firewall service environment where logging is handled with UDP at the moment. Recently we have noticed that some messages get lost on the way to the server (Since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP. You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and find out that all the connections through that firewall are now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
 
The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message: "%ASA-3-201008: Disallowing new connections."
 
Here start my questions:
 
- New connections are supposed to be blocked when the the TCP Syslog server are not reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic? 
- I configured the "logging permit-host down" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this? 
- Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this? 
- After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either. 
- As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation. 
 
At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem. Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the command "logging permit-host down" command didn't wor or changing back to UDP.
 
It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on. Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-host down" which is supposed to avoid this situation altogether).

View 4 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP

Mar 14, 2013

IOS Firewall (ZBF) Limit SMTP connections from same IP
 
we are running a Postfix MTA behind a IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attemps like
 
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
 
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
 
Can we inspect the smtp and limit connections in a time period from the the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" .

View 8 Replies View Related

Cisco Firewall :: Monitoring SMTP On An ASA 5500?

Mar 5, 2012

I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.

View 1 Replies View Related

Cisco Firewall :: ASA5505 - ACL For SMTP Inbound

Dec 29, 2011

I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working.

View 1 Replies View Related

Cisco Firewall :: ASA 8.4 / NAT SMTP Traffic From Outside To Inside?

Dec 25, 2012

Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not because the mailserver also functions as an data and Active Directory server for my local domain.  If tried to config the ASA for a while now and throw it in the corner for a couple of months out of frustration. Now I got some time left during christmas break I decided to start again.My purpose is to NAT SMTP / POP traffic from the internet, trough the ASA to my (inside) server. This is what I got so far. With this config I'm unable to telnet the inside server (192.168.1.10) from a remote location.
  
ASA Version 8.4(3)!hostname ciscoasaenable password cE8UUNd encryptedpasswd 2KFQ.2KYOU encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.253 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 95.*.*.218 255.255.255.248!ftp mode passiveobject network obj_anysubnet 0.0.0.0 0.0.0.0object network server1_smtphost 192.168.1.10object network server1_pop3host 192.168.1.10access-list outside_access_in extended

[code]....
 
I can ping 192.168.1.10 from the ASA CLI. I can Ping DNS 4.2.2.2 from the CLI (internet access). I can Telnet the server from the inside LAN, using: telnet 192.168.1.10 25.But I can't Telnet from an outside location using: Telnet 95.*.*.218 25 Because my server is on the Inside interface (diffenrent subnet) do I need an additional route?

View 5 Replies View Related

Cisco Firewall :: ASA 8.4 - Static NAT With Outbound SMTP

Mar 30, 2011

Below is the interesting part of my config.  I have static NAT configured and working inbound for the Exchange Server and the Barracuda, however outbound traffic from those hosts comes out as the interface IP.  Thoughts?  I've tried a number of things (outside, inside), etc.
 
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network DSN-EXCH01
host 10.250.231.51
object network MAIL-IN
host 10.250.231.50(code)

View 3 Replies View Related

Cisco Firewall :: ASA 5505 For SMTP Access?

Oct 29, 2012

I need to move the email traffic to a backup circuit.  Below is my config.  I have tried for email access but to no avail. 

asa5505# sho run
: Saved
:
ASA Version 8.2(2)
!
hostname asa5505

[code]........

View 9 Replies View Related

Cisco Firewall :: How To Log Incoming Traffic (SMTP) On PIX 515E

Mar 6, 2013

I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console.Do I need to use a SYSLOG server? I can probably set one up on my laptop.

View 1 Replies View Related

Cisco Firewall :: ASA5510 / IPS SSM Could Not Connect To SMTP Host

Sep 3, 2011

We have an ASA5510 with the IPS ASA-SSM-10 module installed. All is working well except event notification. When sending a test email from the SSM IPS, we get the error "could not connect to SMTP host". The Exchange SMTP host does allow traffic from the IPS and ASA. I can ping to the SMTP host by IP and name. What am I missing here?

View 3 Replies View Related

Cisco Firewall :: Unable To Open SMTP Session Through ASA 5512-X?

Sep 20, 2012

Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
 
NAT and access rules are as follows:
  
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1

[code]....
 
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?

View 3 Replies View Related

Cisco Firewall :: ASA5505 (8.4.2) How To Access Inside SBS-Server On SMTP / RDP

Oct 25, 2011

Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
 
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I havent tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
 
[OK] object network SBS-HTTPS
 object network SBS-HTTPS
[ERROR] nat (inside,outside) static interface service tcp https https
 NAT unable to reserve ports.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 Blocks Outgoing Smtp (port 25)

Nov 25, 2012

i cannot send emails to outside, i have an access rule on interface inside permit source: inside  destination: any servic: tcp/smtp and when i make paket tracer  it shows me that the packet is dropped but i cant see through which rule!!
 
ASA version: 8.4(3)
ASDM version 6.4(7)

View 2 Replies View Related

Cisco Firewall :: ASA5510 SMTP Traffic - Host Unreachable

Jul 8, 2012

Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
 
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25.
 
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 [code]...
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.

View 19 Replies View Related

Ways To Improve Connectivity

Nov 30, 2011

Basically we have recently upgraded to a 100M connection but are having issues with the bandwidth we receive. Normally I'd blame the ISP and complain at them till something happens but there are some weird things.Basically one guy consistently receives 50M according to internet speed tests, while the rest of us have never measured above 10M. It should be noted that he is on a Mac and the rest of us are PCs.Having retested repeatedly at different times of day, wired and wireless.My network settings says that my LAN connection is 100M but my internet claims to never even reach a fraction of this. Are there any obvious ways to improve my connectivity?

View 14 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved