Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 22.214.171.124 12345 126.96.36.199 25.
Found no matching flow, creating a new flow
Drop-reason: (acl-drop) Flow is denied by configured rule
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.
We have an ASA5510 with the IPS ASA-SSM-10 module installed. All is working well except event notification. When sending a test email from the SSM IPS, we get the error "could not connect to SMTP host". The Exchange SMTP host does allow traffic from the IPS and ASA. I can ping to the SMTP host by IP and name. What am I missing here?
I 've got some problem with my Mail Server since I've migrated to an ASA5510.Actually the server is in a DMZ with a private Ip ( 10.x.x.2) and it is translated to a Public IP ( 194.x.x.65).Some Users received in there mailbox a system administor error message :Object : Impossible to deliver : testYour message could not be deliver to one or more of its recipients: 421 SMTP connection went away!When they try to re sent it some times later, message is sent whithout problem.
Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not because the mailserver also functions as an data and Active Directory server for my local domain. If tried to config the ASA for a while now and throw it in the corner for a couple of months out of frustration. Now I got some time left during christmas break I decided to start again.My purpose is to NAT SMTP / POP traffic from the internet, trough the ASA to my (inside) server. This is what I got so far. With this config I'm unable to telnet the inside server (192.168.1.10) from a remote location.
I can ping 192.168.1.10 from the ASA CLI. I can Ping DNS 188.8.131.52 from the CLI (internet access). I can Telnet the server from the inside LAN, using: telnet 192.168.1.10 25.But I can't Telnet from an outside location using: Telnet 95.*.*.218 25 Because my server is on the Inside interface (diffenrent subnet) do I need an additional route?
I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console.Do I need to use a SYSLOG server? I can probably set one up on my laptop.
A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
[URL] on 8/21/2011 9:49 AM Could not deliver the message in the time limit specified. Please retry or contact your administrator. <630.SM.Local #4.4.7>
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached: JWillar@email.com on 8/21/2011 9:49 AM Could not deliver the message in the time limit specified. Please retry or contact your administrator. <630.SM.Local #4.4.7>
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it be wise to just reload the last good running-config I have prior to the Outbound rule being added.
We are using several Cisco ASA 5505 with the 8.05 OS on it. The problem is that the SMTP traffic of my ISP(Telenet) isn't passtrough the ASA, I'm using outlook 2010. Before there was also a problem with our local exchange server but I solved this by disabling ESMTP checking in the policies, but it didn't worked for my local ISP.
I would swear this worked at one point. I have a corporate office, and I have IPSec tunnels out to my outside offices. The corporate office has an ASA5510, and most of the remote offices are running off of Pix506s, one office has an ASA5505.
When anyone connects through WebVPN, using AnyConnect or not, they can contact any of the cifs shares for servers inside the corporate office. They cannot, however, contact cifs shares on servers that are in the remote offices.
We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow SMTP traffic to pass through from this interface.
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).
I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack. [code]
Is this the expected behavior of scanning-threat shun? If so this feature is of very little use to me as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.
My old router recently died and my ISP was kind enough to offer this Thomson one free. But ever since I got it, my PCs cant see each other on the homegroup. They can all get onto the internet - and by using programs like Dropbox or Teamviewer I can share info from one to the other- but I'd like to get my homegroup working again, Both my PCs are running Win 7, connecting wirelessly to the network. When trying to tracert from one to the other it gives this message: Tracing route to GLaptop.lan [192.168.1.79] over a maximum of 30 hops: 1 GDesktop.lan [192.168.1.82] reports: Destination host unreachable. The problem persists when firewalls on both PCs are disabled, and I've attempted to delete the homegroup on both PCs and re-create it.
My internet connection started to disconnect after an office mate used my PC. I thought it was just the cables but it's not. I pinged my ip address and its okay (sent=4; received=4). But when i ping Yahoo! and other websites, it said that "Destination host unreachable" (sent=4;received=0;lost=4;100% loss). What should I do to make my connection okay? I didn't ask assistance from our IT personnel bcoz they said if i want to reconnect/reinstall connection, I have to get an approved request from our bosses. And I don't like being asked bcoz they are like tyrant bosses.
I have 2 brand new systems, a desktop running Windows 7 Pro connected with a had line, and a laptop running Windows 7 Home Premium connected wirelessly. Both can access the router, both can access the internet, both can be pinged from the router. However, they absolutely cannot see each other on the network. If I try to ping by name, the addresses don't resolve. If I try to ping by IP, I get either no reply or the "destination host unreachable."I've disabled firewall completely on both. I've double, triple, quadruple checked all sharing settings (network discovery is enabled on both, sharing enabled everywhere, etc. etc.). I've tried disabling all other network adapters on the laptop, no difference. I've tried all of the online tips about repairing winsock.
My company has a Cisco IAD 2400 which is handling our phones and the internet (from Service Provider). We are adding a second router, a Cisco 1921, to our network,I think I have everything set up correctly. One department is using the 192.168.2.0/27 subnet. I can ping each computer within that subnet. Also, within this subnet, I can ping the router interface at 192.168.2.1. I can ping 192.168.1.2 successfully as well. This is the interface on the 1921 that goes to the 2400. However, if I try to ping 192.168.1.1 (interface on 2400), I get "Reply From 192.168.1.236: Destination Host Unreachable" I get the same thing if I ping 184.108.40.206.Within the 1921, I can ping 192.168.1.1 and 220.127.116.11 (random google ip) successfully.
The old syntax that I am much more familiar with has been deprecated. On older IOS it would have been something like static (inside,outside) tcp 18.104.22.168 14033 192.168.30.69 1433 netmask 255.255.255.255 Plus an extended ACL to allow the traffic.I am trying to create a Static PAT to allow a host address to access our Network through an ASA. I have external address 22.214.171.124 that I want to hit the external interface on an obscure port (say 14033) and translate that traffic to an internal host address on port 1433.
I have different types of network clients connecting to both bands of router (5 ghz and 2.4 ghz), and both bands set to WPA2 only. Everything has been set up and working for the past year with no problems.
Suddenly this morning, none of the 2.4 ghz clients can connect and get authenticated. When I attempt to ping them from a Windows 7 desktop connected by a LAN cable, I get Destination Host Unreachable.
The 5 ghz clients are fine and have had no problems. I tested this with the New iPad connected to the 5 ghz band.
Rebooted the E3000 router and the Comcast cable modem, then installed the newest firmware on the E3000 using the web access portal at 192.168.1.1, and still not working.
Changed the WPA2 Personal security mode for the 2.4 ghz band to WPA2 Personal/WPA Mixed Mode, and now all the clients are connected and authenticated and working OK, albeit slower.
What happened? And how can I fix this so I can change the security mode for the 2.4 ghz band back to WPA2 Personal?
P.S. The types of clients that connect to the 2.4 ghz band are 2 Windows 7 desktops, a Windows 7 laptop, and 5 Cisco Wireless N Internet Home Monitoring Cameras. The camera feeds have slowed down considerably using this Mixed mode.
I've tried everything that has been posted so far except for opening up the router itself which I will refuse to do.- Getting = Host Unreachable 192.168.1.20 (I am using 192.168.1.1 as the gateway)- No ping whatsoever even when turning on the router over and over.
I am using the window server 2008 and configure tcp/ip properties correct ping locally reply successful when ping localy but when ping yahoo.com then reply destination host unreachable whereas gateway and dns ip is also correct configure so tell me solution about this problem because i am useing the internet.
I attempted to upgrade the firmware on the WRT54G2 V1 (the newer, slim black model) but it failed. I let the upgrade run for about 10 minutes and it just sat there and link to router disconnected I run ping for 192.168.1.1 but response is "DESTINATION HOST UNREACHABLE". The router is now completely unusable and the ALL LAN ports lights are ON and Internet light is also ON.
I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internat NAT host? Note: As a test, removing the deny entry on the WAN ACL allows return traffic.
My device has 3 interfaces configured: inside, outside, DMZ. Right now I can access the DMZ from the Internet and I can access the DMZ from the LAN using an exempt nat statement. I am having a few issues setting up DMZ > LAN access however. The servers running on the DMZ need to send information to my LAN such as syslog traffic for example. Will DMZ traffic be NATed or should this somehow be excluded? Bascially all LAN devices should get to the DMZ devices by their actual IP and vice versa. Are there any special statements I need to add to the ASA such as nat or ACLs to make this work? My LAN is 10.10.6.0/24 and DMZ is 192.168.254.0/24.
I have ASA5510. It's include security plus license.I want to traffic shape to 200Mbps. But , I checked a CCO.CCO said that a shaping limit is 154400000. "Enables traffic shaping, where the average rate argument sets the average rate of traffic in bits per second over a given fixed time period, between 64000 and 154400000. "It's mean shaping limit 154400000 ?Can I shape to 200Mbps ?
I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).
I would like to connect a second ISP link to our ASA 5510 to solely serve http traffic from our organization's employees (ie. web surfing). We currently have all employee traffic and two site-to-site VPN tunnels connecting to the internet from this firewall. I want to keep the tunnels as currently configured on the existing connection and split out http/https traffic from our staff onto a less costly link.
I have an ASA5510 with 8.3 and a Cisco PIX525 (retiring). The ASA was for VPN traffic only while the PIX was for all other Internet traffic. I'm trying to move all the traffic to the ASA5510 so I used the PIX to ASA migration tool. I migrated the PIX rules over to the ASA5510, however we can't receive email and there is no external access to our internal websites. But the VPN connections remain intact and internal users can get out to the internet.
When I run Packet Tracer on my outside (incoming rules) the packets are dropped at the inside interface. What am I missing?
I ' m not able to configure the asa 5510 to allow the multicast traffic to pass through ASA.The multicast traffic have to pass from inside interface to outside interface.Can I configure the multicast traffic to pass through asa with a static nat ?
I've been trying to figure this one out for quite a while. I currently have 2 inside interfaces (data, phone) and I am moving to 3 inside interfaces (servers, workstations, phones). I have not been able to get any traffic between the interfaces. With the current setup it was not a major problem. With the new setup it will be a major problem.
I am using ASA5510 and i want to know if it is possible to redirect http traffic to an internal proxy software. I explain : PC from the LAN use a internal proxy in their IE browser but some other PC doesn't use it.They are directy connected to the Internet using the Public IP from the WAN interface ( via NAT). Can we redirected this HTTP Traffic from the WAN interface to the Proxy in the LAN ?
Http Traffic will be routed like that : PC -> WAN interface -> Proxy -> WAN interface -> Internet In fact,can we create a rule saying : All http traffic which doesn"t come from the IP Proxy must be redirected toward proxy.