Cisco Firewall :: ASA 5512x Restrict Email Delivery To Ip Address Range
Feb 2, 2013
I was wondering how to tighten the security of my email delivery to a range of IP addresses (I know how on my old firewall, but the Cisco is quite a bit different). Right now anyone sending email to a particular IP address on my firewall can do so. I want to restrict that to two IP address ranges it will accept delivery from. I'm thinking I need two network objects for the two ranges, then add them to a network object group, then configure the ACL for delivery using that group, if I'm correct about that?
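One way to express that plan in ASA 8.3+ (including 8.6) syntax, as an added example that is not part of the original post. The object names, the inside address 10.10.10.25, the public address 203.0.113.25 and the two sender ranges are all constructed placeholders; the interface names inside/outside and the ACL name OUTSIDE_IN are assumptions.

```cisco
! Added example, not from the original post. Addresses are constructed (RFC 5737 documentation ranges).
! Internal mail server and the public address it is reachable on (static NAT).
object network MAIL_SERVER
 host 10.10.10.25
 nat (inside,outside) static 203.0.113.25

! The two sender ranges that are allowed to deliver mail: one as a subnet, one as an explicit range.
object network MAIL_SENDERS_A
 subnet 198.51.100.0 255.255.255.0
object network MAIL_SENDERS_B
 range 192.0.2.10 192.0.2.20

! Group both ranges so the ACL needs only one permit line.
object-group network ALLOWED_MAIL_SENDERS
 network-object object MAIL_SENDERS_A
 network-object object MAIL_SENDERS_B

! From 8.3 on, the inbound ACL matches the real (untranslated) inside address, so reference MAIL_SERVER, not 203.0.113.25.
access-list OUTSIDE_IN extended permit tcp object-group ALLOWED_MAIL_SENDERS object MAIL_SERVER eq smtp
! Explicit, logged deny for every other SMTP source; the implicit deny would drop it too, but logging shows who is being refused.
access-list OUTSIDE_IN extended deny tcp any object MAIL_SERVER eq smtp log
access-group OUTSIDE_IN in interface outside
```

To confirm the result without sending real mail, run `packet-tracer input outside tcp 192.0.2.11 40000 203.0.113.25 25` (should end with ALLOW) and repeat with a source address outside both ranges (should end with DROP at the ACL phase). If an inbound ACL is already bound to the outside interface, add the two access-list lines to that ACL instead of binding a new one.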
I have an XSR-1805 (Version 220.127.116.11) Enterasys router here. Got the SNMP server to work successfully. The thing is that I couldn't make the router restrict the range of addresses allowed to use a community. Only 10.1.0.13 is allowed to use SNMP in this case.
I'm trying to get started on setting up my first Transparent ASA. I understand an ASA in Transparent Mode can now have an IP address with Bridge Groups or some such mechanism. I'm looking for examples of how to set that up and other information below. Is the IP address associated with the device or is it interface specific? Will I be able to SSH with that IP address set up? Can I use ASDM if the Transparent ASA has an IP address? This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA. How is NAT set up differently (if at all) on a Transparent ASA? Are ACLs done any differently?
I have a question about NAT behavior on FWSM 4.0. The problem is that the email server (Company A) cannot connect to the email gateway (Company B) on the outside network, and it happens randomly. I got this error from the server guy: "Detail: xlate has blocked the connection between A's mail gateway and B's mail gateway". It works fine again after a clear xlate on the firewall.
1. How does the FWSM create an xlate table entry like that? I mean it looks like NAT0 for 18.104.22.168, but it doesn't have any NAT rule for 22.214.171.124 on the firewall.
2. What does "connections 24" at the start of the line mean? Normally I only see connections 0, like the second line of the xlate output.
3. After clear xlate global 126.96.36.199, the first line of the xlate table is gone and then the email servers can connect to each other. Is this a bug in the FWSM, or is this normal NAT behavior of the FWSM?
We are in the middle of upgrading from two PIXes to some new ASA5512Xs. To give you some background on the situation, we are upgrading these since the PIXes are fairly old. We had one extra that we had to use since one PIX has failed already. The guy that implemented the PIXes originally was learning how to do so as he went, so there is a lot of needless config in the PIX, at least from what I can tell. Another guy that works with me has done some configuration on the new ASAs and has done the majority of it so far. Today we went to install the new ASAs and switch everything over hoping it would work, but that didn't happen. It seems that there is something wrong with our NAT and ACLs somewhere along the lines. The way our network is laid out is that we have two school campuses with a site-to-site VPN; one is 172.17.0.0/16 and the other is 172.18.0.0/16. We also have a remote-access VPN on both ASAs. When we connected the new ASAs up and brought up the interfaces, nothing on the inside could ping the internet nor the other side. The VPN showed active on the ASAs and each ASA could ping the other's outside interface, but that was it. I have posted the configs below.
: Saved : Written by enable_15 at 04:26:18.240 CDT Tue Mar 12 2013 ! ASA Version 8.6(1)2
The ISP assigned us the following: xxx.yyy.zzz.32/30 as the outside interface network. This means .33 is the next hop, gateway, or default route, and .34 is the outside interface on the ASA. xxx.yyy.zzz.64/26 is the IP address pool, which means xxx.yyy.zzz.65 to xxx.yyy.zzz.127 is the address pool. xxx.yyy.zzz is identical in all cases. Addresses .35 through .63 are owned by other parties and are not usable by us. The 33-34 setup works using static routing; the IPsec VPN is set up and functioning properly using these addresses.
After NAT and ACL entries are created to provide an alternate external IP address on the outside interface [i.e. static (inside,outside) [external ip] [name] netmask 255.255.255.255 and access-list [name2] extended permit tcp any host [alternate outside ip] eq https], attempting to browse to an internally hosted website from an external IP address results in the following messages in the ASDM log.
6 Apr 14 2011 17:58:51 110003 [redacted external IP Address] 37763 [Internal Website Name] 80 Routing failed to locate next hop for TCP from Outside:[redacted external IP Address]/37763 to Inside:[Internal Website Name]/80
How do I set up routing for this non-contiguous address range?
I found this part number for the ASA5512X product, "ASA5512-SSD120-K9". It's a New Product Hold and under the group "Cisco ASA CX Context-Aware Security". Who knows more information about this? Cisco ASA CX Context-Aware Security ASA5512-SSD120-K9 ASA 5512-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, SSD 120G
Recently upgraded to an ASA 5512X from a PIX 515E. I have an Ipswitch secure MOVEit server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have set up a static NAT from the outside to the dmz1 and it works; I can also connect from the inside interface. Now I need the MOVEit server to access the DNS server and email server on the inside interface so it can send notifications. On the PIX I just created a static from the inside to the dmz1 using its own IP address: static (inside,dmz1) 192.168.1.7 192.168.1.7 netmask 255.255.255.255. I would then add the access-list to allow it. How would I set this up with the ASA 8.6 commands?
I have an ASA 5512X and I'm trying to run CX features on it. The problem is I don't have an SSD drive in the chassis. How can I get one? Is any kind of SSD drive compatible with Cisco ASA-CX firewalls, or should I order it from Cisco only? What is the part number for that model?
url... For the new firewalls, i.e. 5512X, 5515X, etc., there seems to be an integrated IPS and we don't need to order any extra license or part number to get the IPS features.
But for the 5585X it says 2Gbps for the SSP10 engine, but I have seen in the Dynamic Configuration Tool that SSP10 and IPS-SSP10 are different things. Which means that I will have to order 2 service engines, SSP10 and IPS SSP10, to get the IPS features, and if I only order SSP10 with that chassis I will only get firewalling?
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
 network-object 192.168.0.0 192.168.63.255 ?
network-object-group mode commands/options:
  A.B.C.D  Enter an IPv4 network mask
sh run ob id test
object-group network test
 network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly.
I think I've made a wrong move and cancelled my company e-mail address. I'm not familiar with this, but is it possible to restore? And if so, be as clear as possible for each step to do, because I'm not a computer wiz in that stuff.
I have 3 Twitter accounts that all work fine on my iPhone and my Sony Xperia phone, but I cannot get into Twitter on my home CPU because I can't find the email address that I used to start the account. I tell them I lost it, so they email it to my email address on file, which they won't share. So I need to find out every single email account I have set up in the last 2 years. How do I do that? I tried the option to go to security, to options again, and nothing for Twitter. I need those accounts on my desk so I can send photos off my hard drive.
We ordered a data e-delivery PAK L-SL-29-DATA-K9= (for a 2900 series router), but after we received the PAK we discovered that the client actually has a 1900 router. Is there an easy way of rectifying this mistake so that we can use the PAK on a 1900 series router?
I've got a client with a WLC 4400 series and WCS that wants to set up a public guest wireless access network. They want to have the users put in their email address to authenticate, and they want to capture the email addresses to use for marketing campaigns. I know you can set up the login page to have them put in their email address, but I can't remember if you have to use an external web server to actually capture and record the email addresses.
I have a WLC 2500 which I would like to configure with guest access. I want to set up a web passthrough with email input. Is it possible to collect the email address information? Is it stored somewhere in the controller or do I need some external server?
From the WAP4410N admin pages or console you can enable e-mail alerts. You have to set the essential TO address and mail server address. Where can I put the FROM address? From what I can see it uses the hostname value as the from address. The hostname in my case is ap02. Then you could try setting a mail address in the hostname field, but that's not allowed.
I am running v6.3.1172.4 of InterScan for Cisco CSC SSM. The previous administrator has left and I need to change the email address that email notifications go to. I click "Administration", then I click "Notification Settings" and type over the previous admin's email address.
When I click the "Save" button, I get:
The email address entered was not recognized. Verify the syntax and try again.
I am trying to validate an email address through a telnet connection. I followed these steps: How to Verify an Email Address and Find if it is Real or Fake? Sadly, when I try the "telnet gmail-smtp-in.l.google.com 25"
I have a list of email addresses, people who have subscribed to a free electronic newsletter. The email address is all the information we have about each subscriber. A satellite office is going to begin handling print and electronic subscriptions for subscribers in Peru. Is there any way to determine which of these email addresses are from Peru?
The router does not accept any email address that starts with a number. For example, if you want to set the email address firstname.lastname@example.org in the from field, you will receive the following error: The given FROM address (email@example.com) is invalid. Same error if you use it in the to field. HW ver. A4 running firmware 1.35NA.