Cisco Firewall :: Cannot Get RDP And Email Out Through ASA 5510 5520
Jul 24, 2012
I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.
From another computer with a 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
Static mappings (again from config):
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
Original access list:
access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 67.228.177.117 host
[Code]....
Nov 8, 2011
How do I set up this NAT on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to NAT two DMZ mail servers to one public MX record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to NAT two private IPs to one public.
Apr 26, 2010
I am trying to set up email alerts on our ASA 5520 so that I can receive emails to my Exchange account. Below is the configuration: [code] The SMTP server is in our internal network. First, I am not able to ping 172.17.1.12 as ping is blocked. I did this config about two days ago, but I can see alerts and error messages through ASDM but no mail is coming in.
Jul 24, 2011
I am not sure if this can be done on an ASA 5510. Is there any way we can configure it so that when our public IP goes down I get an email?
Feb 29, 2012
I use an ASA 5510 and I would like to log VPN traffic (for example, as soon as a remote user tries to connect to the ASA). I would like this log to be sent to a specific mail address. I have already configured email logging for severity (level 3) and it works well.
How can I add the VPN traffic log?
Mar 5, 2011
I am having two issues:
1. My outgoing email is working, along with internal, but inbound email is not working. My Barracuda email filter is 192.168.1.107 and my Exchange 2007 is 192.168.1.222. Along with this, OWA does not work.
2. Terminal Services does not work. When I try from my home PC, I get "server not available" or "disconnected".
Below is my config:
ASA Version 8.3(1)
!
hostname wsigateway
domain-name wsystems.com
enable password yVSkMxWRc/S396FB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
[Code]....
Jan 17, 2012
We are upgrading from a PIX 515E to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. [code]
Apr 12, 2011
I have a Cisco ASA 5510. I am running an attack against my firewall using Nmap. I can see the attack in the log, but I would like the firewall to send only attack alarms by email. I have enabled email at the warning level and I receive a great many emails.
I observed that the graph shows the attack, but not the IP of the attacker. Is it possible for the Cisco ASA to show the IP too? The log shows scanning with Nmap, but the IP is not shunned and no alarm is sent. How can I send an alarm? The graph does not show the IP; is it possible to show it?
Mar 26, 2013
I am in the process of switching firewalls. Currently I have a Sonic Firewall in place. I have been tasked to switch the firewall out with a Cisco ASA 5510 firewall. The Sonic firewall currently allows email traffic, web traffic, and DNS traffic. When I use the current config below on the ASA I am unable to receive email from the outside network. I can send and browse websites but I cannot receive email.
ASA Version 9.1(1)
!
hostname ciscoasa
enable password kdkfdjdjflkadjdsfj
[Code]......
Feb 10, 2013
I am trying to use the built-in Smart Call Home feature of the Cisco ASA 5510 for the purpose of automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions, but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewalls.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup
INFO: Sending test message to fcaccam@example.com...
ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33)
ERROR: Failed: CONNECT_FAILED(33)
Aug 8, 2012
I have a question about NAT behavior on FWSM 4.0. The problem is that the email server (Company A) cannot connect to the email gateway (Company B) on the outside network, and it happens randomly. I got this error from the server guy: "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It works fine again after clearing xlate on the firewall. [code]
1. How does FWSM create an xlate table like that? I mean it looks like NAT0 for 158.137.21.26, but there isn't any NAT rule for 158.137.21.26 on the firewall.
2. What does "connections 24" at the start of the line mean? Normally, I only see connections at 0, like the second line of the xlate.
3. After clear xlate global 158.137.21.26, the first line of the xlate table is gone and then the email servers can connect to each other. Is this a bug in FWSM, or is this normal NAT behavior for FWSM?
Sep 27, 2012
Cisco still doesn't provide failover (active/standby) between two different types of ASA, right?
[URL]
"The two units in a failover configuration must have the same hardware configuration. They must be the same model, have the same number and types of interfaces, and the same amount of RAM"
Sep 24, 2012
We have ASA 5510 and 5520 at our office. We are not using any NetFlow tools in order to get the top talkers. As these firewalls are shared firewalls (used by different projects), we are not able to determine which project is using more traffic and which is using less.
Sep 30, 2012
I have an issue with LMS 4.0. I manually added the ASA firewalls 5520 and 5510, and I see them there, but I cannot see the configuration, inventory and technology details. Telnet is deactivated on the ASAs; SSH and SNMP v3 are enabled. Routers and switches were added without issues.
Oct 14, 2012
I have new ASA 5520 units; currently we are using ASA 5510... I have to migrate all the configuration to the new ASA 5520 units.... I am wondering, is there a possible way to export and import certificates from ASA 5510 to 5520....
How to export or copy all the configurations, plug-ins, certificates from 5510 to 5520. Existing configuration snapshot... CA certificates from third party installed for authentication and identity certificate from Verisign
WebVPN
Anyconnect
Plug-ins
IPSEC tunnels
NAT
Feb 12, 2013
Is it possible to configure web filtering on ASA 5505, 5510, 5520? If it is possible, can you provide us a configuration template?
Sep 19, 2012
Are the ASA memory DIMMs created for specific models? Would a 1GB 5510 Memory stick work in a 5520?
Jan 3, 2013
Is it possible to import the config of a 5510 to a 5520? Trying to replace two 5510s with 5520s and wondering, is there a way to import the existing config files for the 5510s into the 5520s?
Jul 5, 2012
How many user accounts can I create on a Cisco ASA box? Say for example a Cisco ASA 5510 or Cisco ASA 5520?
Mar 21, 2011
I deleted an incoming email titled troy from my email inbox by mistake. I need to recover this email as it came from my son in Bali. [URL] edited by moderator: Deleted Email address to prevent Spam
Jun 6, 2012
I have an issue with a Cisco ASA 5520. It seems to block some emails incoming from some recipients. The sender's mail server clearly reports my ASA as the cause of the problem (see attached image). Unfortunately I do not have the logs about that event, and the time frame to close this issue is very narrow.
Oct 14, 2012
I will be configuring port forwarding to a phone system on the network for remote management. I would like to have the ASA send an email alert when a connection has been made to the open port. Is this possible to do, and if so, how do I configure it?
Oct 7, 2012
If the ASA detects abnormal behavior, can it be set up to send an email to an administrative mailbox?
Jan 16, 2012
When I want to let email come through the ASA5505 from outside to the DMZ and inside network, are the command lines below correct and good enough?
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq imap4
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq pop3
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq smtp
access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq imap4
access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq pop3
[code]....
Are there any other TCP ports that need to be allowed, and other command lines that need to be added?
Jun 23, 2011
6 Jun 24 2011 18:08:44 209.85.213.54 58623 174.141.xx.xx 25 Deny TCP (no connection) from 209.85.213.54/58623 to 174.141.xx.xx/25 flags RST on interface outside
I am getting this error in my ASDM logs whenever I try to send an email with an attachment. Regular emails go through fine. If I send a 1mb file it seems to go through after several attempts. If I send a 5mb file it might go through anywhere between 4-15 hours. It doesn't matter where I send from. Sometimes it will say ACK or RST ACK on interface instead of RST. The ASA is running 8.3.1 code. I have tried inspect ESMTP and removed it, tried sysopt connection timewait. I am at a loss.
Jan 10, 2012
I've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22
Inside Interface IP: 10.104.36.4 Mask:255.255.255.0
DMZ IP: 10.100.20.1 Mask:255.255.255.0
SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable
logging list email-alerts message 106100
logging mail email-alerts
logging from-address ASA@xyz.com
logging recipient-address tgw@xyz.com level debugging
Sep 20, 2011
One interface is set up as the management interface on a 1 subnet (which is our main network/domain).
The second interface is set up on a 2 subnet (eventually this will be configured to receive incoming/outgoing mail).
I copied most of the settings from our old firewall for testing purposes. I can ping our old email firewall, which is on the 2 subnet, from our main subnet (1) successfully.
The only way I can get a successful ping with the Ironport is to have the management interface hooked into our main network. We don't want this. We do have the Ironport firewall and Webfilter set up similarly and working fine. Is there some way I can configure this unit to allow both subnets to talk successfully to each other without having the management interface connected all the time?
Nov 14, 2011
So here's what I think I should do to give email access only to a segment of addresses of my inside network.
1) Create a network object for 62 machines that will represent my DHCP clients. I plan to use 192.168.0.65-192.168.0.126. So I will use address 192.168.0.64 with netmask 255.255.255.192. Then set DHCP server to service this address range.
2) Create an ACL which will Permit Any to use tcp port 110 (pop3) to get to the outside. Which leads me to question #1:
How do I permit the source "Any" to communicate with "Any Less Secure Networks" like the implicit rule that gets zapped once I create new ACL? Is "Any Less Secure Network" implied by the "Any" destination?
3) Create an ACL which will Deny my DHCP range to talk to the outside.
4) Create an ACL which will Permit Any to talk to Any Less Secure Network (essentially recreating the implicit Permit ACL that got zapped).
Feb 2, 2013
I was wondering how to tighten the security of my email delivery to a range of IP addresses (I know how on my old firewall but the Cisco is quite a bit different). Right now anyone sending email to a particular IP address on my firewall can do so. I want to restrict that to two IP address ranges it will accept delivery from. I'm thinking I need two network objects for the two ranges, then add them to a network object group. Configuring the ACL for delivery using that group, if I'm correct about that?
Jan 14, 2013
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
Nov 1, 2012
I'm running into trouble with one of my L2L IPsec VPNs between a Cisco 5510 and 5520 ASA running version 8.2.2.
Our existing L2L VPNs are connected fine and working fine. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A also connects to SITE C (10.100.8.0/21). These are OK.
What's failing is when I try to connect SITE B to SITE C. The tunnel does come up and phase 1 and 2 complete successfully. However, while running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad1c4500, priority=70, domain=encrypt, deny=false
hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
src ip=10.20.0.0, mask=255.255.0.0, port=0
dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0
I noticed when the tunnel came up, the 10.100.8.0/21 route was not added in the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but can't get the crypto ACL to apply.
More useful info:
SITE C
object-group network NoNatDMZ-objgrp
network-object 10.10.0.0 255.255.0.0
network-object 10.10.12.0 255.255.255.0
network-object 10.20.0.0 255.255.0.0
[Code] ......
Nov 2, 2012
We were using ASA-5520-K9 with ASA-SSM-AIP-20-K9 but recently found some hardware problem in our running ASA. Now Cisco wants to replace it with ASA-5520-K8.
Nov 28, 2011
I have an issue that I am at a loss as to how to solve. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their Outlook email to send messages. They can, however, receive messages without a problem. I also have a situation where users who use Windows Live to access Gmail are unable to send messages.
I have narrowed it down to the fact that these users are using SSL/TLS to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and I still have the problem. I have also removed all outbound deny statements and still no luck.
Of note is that I can send emails without attachments. They take a long time to go out (from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and I downgraded to 8.0.5... still did not work... I upgraded to 8.4.3... still did not work. I am now back at 8.2.3.
My firewall config is attached. I am at my wits' end as to what else to try. The company has not renewed support for the device so I am on my own here!