Cisco Firewall :: FWSM 4.0 Email Server Cannot Connect To Email Gateway
Aug 8, 2012
I have a question about NAT behavior on FWSM 4.0. The problem is email server (Company A) cannot connect to email gateway (Company B) on the outside network and it randomly happen. I got this error from server guy "Detail: xlate has blocked the connection between A’s mail gateway and B’s mail gateway". It work fine again after clear xlate on firewall. [code]
1. How FWSM create xlate table like that? I mean it look like NAT0 for 158.137.21.26 but it doesn't has any nat rule for 158.137.21.26 on firewall.
2. What does it mean "connections 24" at the first of line? In the normal time, I only see the connections is 0 like the second line of xlate
3. After clear xlate global 158.137.21.26, the first line of xlate table is gone then email server can connect each other. Does is a bug on FWSM? or This is a normal NAT behavior of FWSM.
1. my email going out is working along with internal, but inbound email is not working. My barracuda email filter is 192.168.1.107 and my exchange 2007 is 192.168.1.222 along with this OWA does not work.
2. Terminal Services does not work when I try from the home pc in I get server not available or disconnected
Below is my congig
ASA Version 8.3(1)!hostname wsigatewaydomain-name wsystems.comenable password yVSkMxWRc/S396FB encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Ethernet0/0 nameif outside security-level 0 ip address 64.XXX.XXX.XXX 255.XXX.XXX.XXXinterface Ethernet0/1 nameif inside security-level 100 ip address 192.168.1.1 255.255.0.0!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 [Code]....
I deleted an incoming email titled troy from my email inbox by mistake I need to recover this email as it came from my son in bali [URL] edited by moderator: Deleted Email address to prevent Spam
I'm hosting my email on an Exchange Server 2003 box and have my laptop (Vista Ultimate 32 bit) setup to connect to the exchange server for my email. This works fine through a LinkSys RV042 in one location and a LinkSys WRT54GC in another, but fails through the DIR-615 B2 (2.24 firmware) at home. I'm guessing it's blocking something needed for the MAPI connection.
Up to this point, all the computers on the network accessed the e-mail server via the Windows name of the PC running the e-mail server. However, one of the PCs will need to access e-mail from the WAN soon as opposed to the LAN, so I switched the server name in Thunderbird (e-mail client) to the actually fully qualified domain name of the server (registered at NO-IP, which redirects to the e-mail server at home).
The problem I am running into is that all the requests sent for IMAP or SMTP are being blocked by the router. That's even though I added port forwarding rules for them. The logs show messages similar to the following:
"Blocked incoming TCP connection request from 216.168.101.68:51291 to 216.168.101.68:143"
It doesn't make a difference if I change the endpoint filtering to "Endpoint Independent" either. Any thoughts of what else I can try? DMZ is not an option.
I've recently purchased a domain name from GoDaddy, and I'm having trouble setting up my server, which is running Windows Server 2003, to run email using the domain name. Before purchasing, I was using a free domain from DynDNS and it worked using it as an domain address. I'm wondering if maybe I have to set up the DNS on GoDaddy to foward the email protocol to my server.
Do I create an SMTP Network Object and send TCP traffic throught NAT?
Or do I go to the ASDM's Configuration/Firewall, choose Public Servers, and choose Private Interface=inside, Public Interface=outside, set the private/public IPs, and choose SMTP as the service? This seems much simpler, but is it the correct way to do it?
I am using ASDM 6.4(5) and would like to use that versus the CLI.
One of my customers uses Comcast email and all of a sudden couldn't send messages the other day, telling me it was giving her an error. She said that she reset her router, and the email started working again.When I finally got over there to check it out, the email had started experiencing problems again. The error she was having was Error 550: Message Rejected (when trying to send email). There didn't appear to be any issues with her internet connection, and she wasn't having issues connecting to the email server, it was simply rejecting her messages.
I told her that she would have to contact Comcast, as there was really nothing I could do to fix their email server returning an error. She wasn't too happy, and remained convinced that her router had something to do with it. It's a Netgear WNDR3700 or WNDR3800 that I setup for her last year, it's a fine router.Has anyone ever had a Comcast email server randomly start rejecting messages? I noticed that her outgoing email was set to use port 587 which seems like a nonstandard port and also no authentication, but I have no idea what the Comcast email settings are supposed to be.
Just installed a RV042 with dual wan connections. Would like to make the WAN 2 (new cable modem as well) the primary connection over WAN1 (DSL), however whenever I switch from WAN1 to WAN2 in Smark Link set up, our email server will not send mail out, even though nothing is blocking the connection.
I have an issue with a Cisco ASA 5520. It seems to block some emails incoming from some recipients. The sender's mail server clearly reports my ASA as cause of the problem (see attached image). Unfortunately I have not the logs about that event and the time frame to close this issue is very narrow.
I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.
From another computer with a 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
Can receive email but cannot connect to the Internet, my user can get to all shared files on the network and get emails through exchange but cannot browse the internetWe turned off the firewall and checked DNS and the IP. It says the local area connection is connected. We added IE to the exceptions tab in firewall.
I work in a two-person office that uses Comcast as their ISP. All of a sudden neither of us can't access our email via Outlook 2007 using hostmonster's servers. I was also unable to ping their IP Address from the command prompt though I could ping any other web site I tried successfully. Comcast says they are not blocking it. When I went home where I use Comcast I was able to access my email. I removed Webroot's security software which did not work. Windows Firewall is now being used.
I will be configuring port forwarding to a phone system on the network for remote management. I would like to have the ASA send an email alert when a connection has been made to the open port. Is this possible to do and if so how to configure it.
I use ASA 5510 and I would like to log VPN traffic ( for example, as soon as a remote user try to connect to the asa). I would like this log be send to a specific mail address. I already configure Email Logging for severity ( level 3) and it works well.
How to setup this Nat on an ASA 5520 running 8.3.2 code? I know this must be possible as I can do the same thing on my Check Point with no issues. I need to Nat two dmz mail servers to one public mx record. I will have an F5 to load balance inbound and outbound traffic from the mail servers. So I need to Nat two private IP’s to one public.
I am trying to setup email alert on our ASA 5520 so that i can receive emails to my exchange account below is the configuration [code] The smtp server is in our internal network.first i am not able to ping 172.17.1.12 as ping is blocked.i did this confgi like two days before..but ca see alerts and error messages through asdm but no mail is coming in.
6Jun 24 201118:08:44209.85.213.5458623174.141.xx.xx25Deny TCP (no connection) from 209.85.213.54/58623 to 174.141.xx.xx/25 flags RST on interface outside I am getting this error in my asdm logs whenever I try to send an email with an attachment. Regular email go through fine. If I send a 1mb file it seems to go through after several attempts. If I send a 5mb file it might go through anywhere between 4-15 hours. It doesn't matter where I send from. Sometimes it will say ACK or RST ACK on interface instead of RST. The ASA is running 8.3.1 code. I have tried inspect ESMTP and removed it, tried sysopt connection timewait. I am at a loss.
I've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22 Inside Interface IP: 10.104.36.4 Mask:255.255.255.0 DMZ IP: 10.100.20.1 Mask:255.255.255.0 SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable logging list email-alerts message 106100 logging mail email-alerts logging from-address ASA@xyz.com logging recipient-address tgw@xyz.com level debugging
One interace is setup as the management interface on a 1 subnet (which is our main network/domain). Second interace is setup on a 2 subnet (eventually this will be configured to receive incoming/outgoingmail)
I copied most of the settings from our old firewall for testing purposes. I can ping our old email firewall which on 2 subnet from our main subnet (1) successfully.
The only way I can get a successful ping with the Ironprot is to have the management interface hooked into our main network. We don't want this. We do have Ironport firewall and Webfilter setup similar and working fine.Is there someway I can configure this unit to allow both subnets to talk successfully to each other without having the managment interface connected all the time?
So here's what I think I should do to give email access only to a segment of addresses of my inside network.
1) Create a network object for 62 machines that will represent my dhcp clients.I plan to use 192.168.0.65-192.168.0.126. So I will use address 192.168.0.64 with netmask 255.255.255.192. Then set DHCP server to service this address range.
2) Create an ACL which will Permit Any to use tcp port 110 (pop3) to get to the outside. Which leads me to question #1:
How do I permit the source "Any" to communicate with "Any Less Secure Networks" like the implicit rule that gets zapped once I create new ACL? Is "Any Less Secure Network" implied by the "Any" destination?
3) Create an ACL which will Deny my DHCP range to talk to the outside.
4) Create an ACL which will Permit Any to talk to Any Less Secure Network(essentially recreating the implicit Permit ACL that got zapped).
We are upgrading from a Pix 515e to a ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. [code]
I have a Cisco asa 5510. I am doing attack a my firewall, using n map. I am seeing in the log the attack but i like that firewall send only alarm of attack by email . I have active email with warning and i received very much email.
I observed that graph show attack, but not ip of attacker, is possible that Cisco asa show the ip too ? The log show scanning with n map but not shunning IP and not send alarm. How i can send alarm ? The graph no show ip, it's possible show it.
I am in the process of switching firewalls. Currently I have a Sonic Firewall inplace. I have been tasked to switch the firewall out with a cisco asa firewall 5510. The sonic firewall currently allows email traffic, web traffic, and dns traffic. When I use the current config below on the asa I am unable to receive email from the outside network. I can send and browse websites but I cannot receive email.
ASA Version 9.1(1) ! hostname ciscoasa enable password kdkfdjdjflkadjdsfj
I was wondering how to tighten the security of my email delivery to a range of ip addresses (I know how on my old firewall but the cisco is quite a bit different). Right now anyone sending email to a particular ip address on my firewall can do so. I want to restrict that to two ip address ranges it will accept deliver from. I'm thinking I need two network objects for the two ranges then add to a network object group. Configuring the ACL for delivery using that group if I'm correct about that ?
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
I have a issue that i am at a loss as how to solve it. I have an ASA 5505 as my firewall. I have users from other companies who visit from time to time and are unable to use their outlook email to send messages. They can however receive messages without a problem. I also have a situation where users who use windows live to access gmail are unable to send messages.
I have narrowed it down to the fact that these uses are using ssl/tls to send the mails. I did some research and found out about the inspect esmtp setting in the ASA. I have disabled it and i still have to problem. I have also removed all outbound deny statements and still no luck.
Of note is that i can send emails without attachments. They take a long time to go out ( from minutes to hours) but eventually they do. Emails with attachments of even 10k do not go at all.
I was running image 8.2.3 and i downgraded to 8.0.5...still did not work...i upgraded to 8.4.3...still did not work. I am now back at 8.2.3.
My Firewall config is attached. I am at my wits end as to what else to try. The company has not renewed support for the device so i am on my own here!
I am trying to use the built in feature of Cisco ASA 5510 smart call home feature with the purpose of automatic backup creation by email. I found the configuration [URL]. I already configured the said instructions but when I send a test email it says it cannot contact the email server. Below is the error that I am getting from our ASA. I am new to firewall.
OGI-MNL-ASA-FW0# call-home test profile ASA_Config_Backup INFO: Sending test message to fcaccam@example.com... ERROR: Connecting to SMTP server xxx.xx.xxx.xx failed: CONNECT_FAILED(33) ERROR: Failed: CONNECT_FAILED(33)
