Cisco Firewall :: ASA 8.4 / NAT SMTP Traffic From Outside To Inside?

Dec 25, 2012

Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not because the mailserver also functions as an data and Active Directory server for my local domain.  If tried to config the ASA for a while now and throw it in the corner for a couple of months out of frustration. Now I got some time left during christmas break I decided to start again.My purpose is to NAT SMTP / POP traffic from the internet, trough the ASA to my (inside) server. This is what I got so far. With this config I'm unable to telnet the inside server (192.168.1.10) from a remote location.
  
ASA Version 8.4(3)!hostname ciscoasaenable password cE8UUNd encryptedpasswd 2KFQ.2KYOU encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.253 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 95.*.*.218 255.255.255.248!ftp mode passiveobject network obj_anysubnet 0.0.0.0 0.0.0.0object network server1_smtphost 192.168.1.10object network server1_pop3host 192.168.1.10access-list outside_access_in extended

[code]....
 
I can ping 192.168.1.10 from the ASA CLI. I can Ping DNS 4.2.2.2 from the CLI (internet access). I can Telnet the server from the inside LAN, using: telnet 192.168.1.10 25.But I can't Telnet from an outside location using: Telnet 95.*.*.218 25 Because my server is on the Inside interface (diffenrent subnet) do I need an additional route?

View 5 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5505 (8.4.2) How To Access Inside SBS-Server On SMTP / RDP

Oct 25, 2011

Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
 
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I havent tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
 
[OK] object network SBS-HTTPS
 object network SBS-HTTPS
[ERROR] nat (inside,outside) static interface service tcp https https
 NAT unable to reserve ports.

View 5 Replies View Related

Cisco Firewall :: How To Log Incoming Traffic (SMTP) On PIX 515E

Mar 6, 2013

I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console.Do I need to use a SYSLOG server? I can probably set one up on my laptop.

View 1 Replies View Related

Cisco Firewall :: ASA-5510 Dropping Outbound SMTP Traffic?

Aug 21, 2011

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
  
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
 
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:   JWillar@email.com on 8/21/2011 9:49 AM  Could not deliver the message in the time limit specified. Please retry or contact your administrator.  <630.SM.Local #4.4.7>
 
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
 
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it be wise to just reload the last good running-config I have prior to the Outbound rule being added.

View 13 Replies View Related

Cisco Firewall :: ASA5510 SMTP Traffic - Host Unreachable

Jul 8, 2012

Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
 
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25.
 
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 [code]...
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.

View 19 Replies View Related

Cisco Firewall :: ASA 5505 Doesn't Allow Local Provider SMTP Traffic

Aug 7, 2011

We are using several Cisco ASA 5505 with the 8.05 OS on it. The problem is that the SMTP traffic of my ISP(Telenet) isn't passtrough the ASA, I'm using outlook 2010. Before there was also a problem with our local exchange server but I solved this by disabling ESMTP checking in the policies, but it didn't worked for my local ISP.

View 4 Replies View Related

Cisco Firewall :: ASA5505 8.4.2 NAT To Forward SMTP And RDP Traffic To Internal Host

Nov 26, 2011

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
 
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?

View 19 Replies View Related

Cisco Firewall :: 5510 How To Configure Local LAN SMTP Traffic Sending Through New Leased Line

Jun 11, 2012

We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow  SMTP traffic to pass through  from this interface.
 
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).

View 2 Replies View Related

Cisco Firewall :: 5520 - Traffic From Inside To Outside

Mar 2, 2011

I am setting up a pair of 5520 in A/S mode but the traffic from inside to outside seems blocked somehow.

asa01# sh run : Saved
ASA Version 8.3(1)
host name asa01
enable password LFJ8dTG1HExu/pWQ encrypted
password 2KFQnbNIdI.2KYOU encrypted
names
[code]......

Base on the above configuration, I still cannot ping or HTTP.

View 10 Replies View Related

Cisco Firewall :: 5510 Allow Traffic Inside To Outside

Nov 18, 2011

One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020

How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
 
-Host IP on inside network  - 172.16.30.15
-Application to access - 74.219.x.x
-Inside ACL name - inside-acl

View 5 Replies View Related

Cisco :: Configure NAT For Inside SMTP Server In ASA 5520

Sep 20, 2012

I need to configure my ASA 5520 version 7.3 firewall to translate our SMTP server residing in local LAN to use different IP address from the outside interface which is used by all other computers to access Internet.

Under NAT section, i have NATted this internal SMTP server with different IP address(eg x.x.x.1) and also translated the remaining IP addresses in the LAN to the outside interface(eg x.x.x.2)

my problem is, Whenever i check the header for message coming from the smtp server it shows that, the SMTP server is also translated by using the same outside interface public ip address(i.e x.x.x.2) which is used by other client machine to access internet instead of the x.x.x.1.

how i can get my SMTP server to use separate IP and avoid to be blacklisted by some domain.

View 3 Replies View Related

Cisco Firewall :: Allowing Traffic From Inside To Outside ASA5505 7.2(3)

May 15, 2012

Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet.  The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed.  We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet.  The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult.  For now I wrote an access list to allow it's DHCP address out but it still isn't working.  The access list I wrote is:
 
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
 
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased.  When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response.  According to the manufacturer, only outbound connections are needed, no incoming ports required.  All traffic is TCP.

View 8 Replies View Related

Cisco Firewall :: Pix515E 6.3.5 Capturing VPN Traffic On Inside INT

Nov 28, 2011

Quick question. I have a site - site tunnel that is up and running between a Pix 515E and a 3050 appliance.Tunnel is up and running but on the pix side I dont see traffic from a couple of subnets behind the inside interface.On the vpnallow access list there are no hits So I setup a capture on the inside interface to see if the packets is making it to the inside interface and nothing. There is some traffic making it thru the tunnel that would have to hit the inside int first and even that doesnt showup in the capture.

View 1 Replies View Related

Cisco Firewall :: 5520 Can't Get Traffic From Inside To Internet

Nov 27, 2011

I am trying to make a basic config on my 5520. The first goal is to make trafic from inside to outside.The internet address is 64.28.29.200 and the default internet gw is 64.28.20.193What am I missing since I can not get trafic from inside to the internet? [code]

View 10 Replies View Related

Cisco Firewall :: ASA 5505 - Allow Traffic Between Inside Interfaces

Nov 9, 2011

I trying to allow traffic between 2 inside interfaces with the same security level.  VLAN1 and VLAN15.  The are on different physical ports on the ASA.  I tried to configure this through the GUI Web interface and checked ' enable traffic between two or more interfaces with the same security levels'.  With this ASA version, I do not need NAT to allow this, correct?
  
ASA Version 8.2(1)
!
hostname ciscoasa

[Code].....

View 1 Replies View Related

Cisco Firewall :: NASA5510 Working Traffic Inside Of Same Interface

Oct 13, 2012

I need to configure a Cisco ASA5510.Connencted the a single interface I have a switch. To this switch (same VLAN) there are connected:
 
1. The Subnet of the main office (192.168.1.253)

2. A router  (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
 
I have so allowed any traffic incoming to the inside interface as follows:access-list inside_access_in extended permit ip any any and I have permitted traffic intra interface as follows: same-security-traffic permit intra-interface. [code]Unfortunately I cannot RDP into that server. When I simulate the connection via Packet tracer, it tells me that the implicit deny on the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Dropping UDP / 53 Traffic On Inside Interface?

Jul 21, 2012

We have a Cisco ASA 5505 (v7.2(3)) with a "fairly" normal configuration yet we have a problem where it appears UDP/53 traffic is denied on our inside network.
 
here is output from our sys log:

SyslogID   Source IP      Dest IP    Description
305006      172.18.22.3                   portmap translation creation failed for udp src inside:172.18.22.156/42013 dst inside:172.18.22.3/53
 
To give some clarification:

172.18.22.3      is one of our DNS servers
172.18.22.156  is a device we're experimenting with.
 
We've bypassed the Cisco by using a 4G wireless router with this same device - and it works flawlessly.Here is a [scrubbed] copy of our config. It is what I inherited from the previous admin - I'm not sure of all its finer points (I'm not Cisco certified -- perhaps I'm just certifiable.)
 
: Saved 
:
 ASA Version 7.2(3)
 !
 hostname [redacted]

[code].....

View 5 Replies View Related

Cisco Firewall :: ASA 5520 - Permit Traffic To Inside Via MAC - Address?

Apr 6, 2011

I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network?  I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world.  I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.

View 2 Replies View Related

Cisco Firewall :: ASA 5540 Blocking Legit Traffic From Inside

Aug 21, 2011

I just made a move from a PIX 506 to an ASA 5540.  I have a user that currently logs into a web portal and runs a job.  It is now erroring out.  When I run the test it gives me the following message:
 
Testing ports...
Port 1433: Failed
Port 1150: Success
Port 80: Success
Port 443: Success
 
One or more tests have failed
 
The computer we access this site from is on the inside network and the ACL says permit ip any any from the inside out so I am not sure why it is failing.  Under the ASA Home screen I see the Top 10 Protected Servers under SYN Attack and it appears that the ASA thinks this is some sort of attack. 

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Traffic Between Multiple Inside Interfaces

Oct 10, 2011

I've been trying to figure this one out for quite a while.  I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones).  I have not been able to get any traffic between the interfaces.  With the current setup it was not a major problem.  With the new setup it will be a major problem.
 
Below is a sanitized version of the config.

ASA Version 8.2(1)
!
hostname BOB

[Code].....

View 11 Replies View Related

Cisco Firewall :: ASA 5505 NAT Rules Blocking Inside Traffic

Jan 7, 2012

Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]

View 10 Replies View Related

Cisco Firewall :: ASA 5505 PPPOE Traffic Statistic Doubled Between Inside And Outside

Mar 12, 2013

I've an ASA 5505  connecting to a vdsl modem. The ASA is doing the PPPoE encapsulation. I've noticed the traffic amount on the outside interface is always twice the bandwidth it receives on its inside interface. I can't believe the PPP encapsulation is taking that much. Only two interfaces (inside and outside)

View 4 Replies View Related

Cisco WAN :: 1811 - Restricting SMTP Inbound Traffic

Mar 16, 2012

I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IP's. I wish to restrict this to their IP's only (they have two) and I am unsure on how to do so? As it stands now, anything on the net can talk to my mailserver and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:
 
mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service, I am thinking an ACL would fit the bill here, but unsure of how to implement. Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, lan is on fa1.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Peer-2-Peer Traffic From Inside To Outside Blocked?

Apr 19, 2012

I got ASA 5510 with base license, can I block all Peer-2-Peer traffic from inside to outside.

ASA Giga 0/0 connected to ISP Router 2811

ASA Giga 0/1 connected to LAN switch 3560

View 3 Replies View Related

Cisco WAN :: 2911 - SMTP Traffic Fails When Going Out And Back In Same Router

Dec 2, 2012

We have a customer using a 2911 router with 3 x DSL WAN links.
 
The customer runs a building with shared office space which people rent.
 
Customers in the building are experiencing a problem where they cant email other tenants i.e...
 
One tenants exchange server tries to make a connection to another tenants server by going out to the internet and back in via the same interface.I believe this might be called "Hair Pinning"

View 4 Replies View Related

Cisco Firewall :: PIX 501 / Can Traffic Goes From Inside Interface To Outside Interface

Oct 9, 2011

I have Pix 501 firewall and I'm just configuring the device for "Email Server" to allowing POP/SMTP.
 
Inside Interface Address: 132.147.162.14/255.255.0.0
Outside Interface Address: ISP provided IP address
 
My question is can my traffic goes from inside interface to outside interface? (because the inside interface address not from 10.0/172./192.168 private address)Also I'm allowing internet from this email server (132.147.162.14) so what my access list to be configured? and what my subnet mask shoud be there?
 
Pix(config)#access-list outbound permit tcp 132.147.162.14 255.255.0.0 any eq 80
Pix(config)#access-list outbound permit udp 132.147.162.14 255.255.0.0 any eq 53
Pix(config)#access-group outbound in interface inside

View 7 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP

Mar 14, 2013

IOS Firewall (ZBF) Limit SMTP connections from same IP
 
we are running a Postfix MTA behind a IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attemps like
 
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
 
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
 
Can we inspect the smtp and limit connections in a time period from the the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" .

View 8 Replies View Related

Cisco VPN :: 1841 / ASA Not Passing Inside Traffic Though Vpn?

May 2, 2012

I am about to pull my hair out. I have a 1841 router at one end with 3 ASA's for teleworkers working great. I'm connecting a 4th one that I can not get to work for the life of me. The tunnel is comming up, but its not passing any traffic. I don't see any glaring errors in the VPN debug. The router comes up, reverse route injection does its thing... all looks great. Am I totally overlooking somthing? I must have rebuilt this a dozen times.
  
: ASA Version 8.2(1) !hostname ciscoasa104domain-name default.domain.invalidnames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.104.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address dhcp setroute! interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa821-k8.binftp mode passivedns server-group DefaultDNSdomain-name default.domain.invalidsame-security-traffic permit inter-interfacesame-security-traffic permit intra-interfaceobject-group network DM_INLINE_NETWORK_1network-object 192.168.2.0 255.255.255.0network-object 192.168.4.0 255.255.255.0access-list outside_1_cryptomap extended permit ip 192.168.104.0 255.255.255.0

[code]....

View 7 Replies View Related

Cisco Firewall :: Monitoring SMTP On An ASA 5500?

Mar 5, 2012

I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.

View 1 Replies View Related

Cisco Firewall :: ASA5505 - ACL For SMTP Inbound

Dec 29, 2011

I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working.

View 1 Replies View Related

Cisco Firewall :: Setting Up ASA 5510 Cannot Get SMTP To Come In

Mar 21, 2013

I have a ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut n paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output and it keeps failing on the NAT with a rpf-check. Once i get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
 
Here it is:
  
RVGW# sh run object
object network WiFi
subnet 172.17.100.0 255.255.255.0

[Code]......

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved