Cisco Firewall :: Setting Up ASA 5510 Cannot Get SMTP To Come In

Mar 21, 2013

I have a ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut n paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output and it keeps failing on the NAT with a rpf-check. Once i get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
 
Here it is:
  
RVGW# sh run object
object network WiFi
subnet 172.17.100.0 255.255.255.0

[Code]......

View 1 Replies


ADVERTISEMENT

Cisco Firewall :: ASA 5510 - Setting Up SMTP Port Block?

Mar 5, 2012

how to go about setting up the ASA to block any SMTP traffic outbound except for our Exchange Server. This is in relationship to a SpamBot issue that blacklisted us. I have an ASA 5510 running version 6.2(5) / 8.2(2) with three ports. DMZ, Inside and the Outside interface. Up till today, I only needed to block outside traffic to our internal network which I used the ASDM to configure a rule on the outside interface for an incoming rule. I am assuming I need to create an outgoing rule on the outside interface; however, just to make sure I understand the terminology/traffic flow, I created the rule with my computer as the source (192.168.0.131) with ALL destination and the service as HTTP. My logic, which seems to fail here, is that any traffic from my computer going outbound would be blocked; however I am still able to browse... That said, if I were to change the source as the Exchange server and the Service Type to SMTP, it would not actually block traffic and therefore not solve our problem.  I even gone as far as permitting traffic from my computer, expanding the hit counter and I see no hits.  So I am no doubt doing this wrong. What I do know, is when I first created the rule, a second rule was automatically created (Implicit rule) that deny all sources and blocked all HTTP traffic until I changed it to Permit?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 ACL For Blocking Outbound SMTP

Jan 30, 2013

I'm trying to configure a simple ACL to block smtp traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that smtp server. i want my Exchange server only to send smtp traffic. here's what i have:
 
-access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange
 
-access-list 102 extended deny tcp any eq smtp any eq smtp
 
-access-list 102 extended permit ip any any
 
-access-group 102 in interface inside
 
after i apply this ACL to the ASA, i am still able to send from my internet email address setup in Outlook using my "foreign" smtp server.

View 1 Replies View Related

Cisco Firewall :: Accessing SMTP From Outside Network Through ASA 5510?

Oct 11, 2012

I have an issue with my mail server(SME Server) which is behind a Cisco ASA 5500(firewall)  problem is that if one leaves my network they can receive but can not  send email via my SMTP also internal people can only send if they use  the IP address of the server rather than the domain [URL]

here is my layout
 
ISP - ASA 5510 - LAN (includes mailserver)

View 7 Replies View Related

Cisco Firewall :: Add IP Address For SMTP Services ASA 5510

Nov 28, 2012

We have hosted spam filter service with 3rd party vendor.  My vendor is switching to different spamming services and I need to add ip address lets say 44.33.454.32 to the list of allowed system that can connect to my smtp service.  I am going over my firewall 5510 configs and I think I need add the entry like this: “access-list outside-to-inside extended permit tcp object-group obj-44.33.454.32 interface outside eq smtp”. [code]

View 2 Replies View Related

Cisco Firewall :: ASA 5510 Ways To Allow Outside Adapter To Permit Smtp

Oct 25, 2012

We have a 5510 (8.2) with the following 4 interfaces (security-levels) inside (95), outside(0), dmz(25), and test (95).  The dmz network is 10.10.10.0/24 and the outside interface is 40.133.84.69.We have run into a situation where a dmz hosted iRedMail server running postfix (10.10.10.51) is relaying mail which in some cases points back to us at 40.133.84.69 and into our Exchange server.  In these cases in the dmz server's mail logs we see postfix timeout trying to connect to smtp at 40.133.84.69.  When I try to telnet from 10.10.10.51 to the outside interface on port 25 it times out.We've tried different ways to allow the outside adapter to permit smtp (or any service!) from 10.10.10.51 but we're left scratching out heads.

View 1 Replies View Related

Cisco Firewall :: ASA-5510 Dropping Outbound SMTP Traffic?

Aug 21, 2011

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below:Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
  
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
 
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:   JWillar@email.com on 8/21/2011 9:49 AM  Could not deliver the message in the time limit specified. Please retry or contact your administrator.  <630.SM.Local #4.4.7>
 
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
 
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it be wise to just reload the last good running-config I have prior to the Outbound rule being added.

View 13 Replies View Related

Cisco Firewall :: 5510 Single Outside Public / Can PAT Out And NAT SMTP Server Back

Jul 30, 2012

I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...

1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
 
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
 
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8

View 1 Replies View Related

Cisco Firewall :: 5510 - Outlook Port Only Permit (POP3 995 / SMTP 587) With TLS Encryption

Jun 3, 2012

In Cisco ASA 5510 , outlook port only permit ( pop3 995/smtp :587) with TLS encryption. How we can do it thru ASDM .

View 1 Replies View Related

Cisco Firewall :: 5510 How To Configure Local LAN SMTP Traffic Sending Through New Leased Line

Jun 11, 2012

We have configured ASA 5510. We have configure Ethernet 0/0 ( Outside ) connected with ADSL line and Ethernet 0/1 ( Inside ) Local LAN. we have configured NAT and all the traffic is passing through outside interface. Now we have connected ethernet 0/3 ( leasedline ) interface with static public IP. Now we want to allow  SMTP traffic to pass through  from this interface.
 
How to configure it if we want our local lan SMTP traffic sending through new leased line ( Static Public IP ).

View 2 Replies View Related

Cisco Firewall :: VPN Setting Keep Dropping On ASA 5510?

Jan 23, 2012

I have a Cisco ASA 5510 firewall, my problem is that when the first VPN connections is established everything is good.  But when that connections is cancel or terminated due to non connectivity.  No one can connect to that firewall through that VPN unless that firewall is restarted.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Setting Up ACL To Permit Access Only To The Nat Subnet?

Apr 9, 2012

setting up an ACL on my ASA 5510 to permit access only to the Nat subnet from inside to the outside interface. This firewall is setup for the DR solution in the production network. I am applying following acl in the inbound direction on the inside interface.
 
permit ip any "Nat_subnet"
 
After appliying this acl to inside interface I observed that I can ping to the destinations in NAT'ed subnet but unable to ssh to the servers. Following is the summary of my configuration.

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.135.241 255.255.255.248 standby 192.168.135.242

[code].....

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Setting Up Active And Standby Firewalls

Oct 14, 2011

I have a 5510 ASA and have been given another an told to make them active and standby.  Basically the active one is working great but the second one has no config on it apart from the default one, but is the same firmware level.  I guess I need a crossover cable, and what happens with the inside and outside interfaces, would they need to go into a vlan on a switch, one inside vlan where the 2 firewalls inside interface go into and another vlan for the outside?  Otherwise if it failsover to the standby ASA the inside and outside interfaces wouldn't work. 

View 4 Replies View Related

Cisco Firewall :: Unable To Authenticate With Common Setting With ASA 5510 Running 8.0

Nov 11, 2008

I have allways configured and run LDAP Server Groups authenticating to Active Directory Domain Controllers using LDAP, never an issue, until I hit a Domain Controller running on a Windows Server 2008. I have been unable to authenticate with the common setting with an ASA5510 running 8.0.1.

View 4 Replies View Related

Cisco WAN :: ASA 5510 - Mail Server Error 421 SMTP Connection Went Away

Oct 11, 2011

I've got some problem with my Mail Server since I've migrated to an ASA5510.Actually the server is in a DMZ with a private Ip ( 10.x.x.2) and it is translated to a Public IP ( 194.x.x.65).I use these configuration :

static (DMZ,LAN) 194.x.x.65 10.x.x.2 netmask 255.255.255.255 static (DMZ,LAN) 194.x.x.66 10.x.x.3 netmask 255.255.255.255 static (DMZ,WAN) 194.x.x.65 10.x.x.2 netmask 255.255.255.255 static (DMZ,WAN) 194.x.x.66 10.x.x.3 netmask 255.255.255.255 static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0
 
Some Users received in there mailbox a system administer error message :

Object : Impossible to deliver : test Your message could not be deliver to one or more of its recipients: 421 SMTP connection went away!
 
When they try to re sent it some times later, message is sent without problem.

View 4 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP

Mar 14, 2013

IOS Firewall (ZBF) Limit SMTP connections from same IP
 
we are running a Postfix MTA behind a IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attemps like
 
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
 
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
 
Can we inspect the smtp and limit connections in a time period from the the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" .

View 8 Replies View Related

Cisco Firewall :: Monitoring SMTP On An ASA 5500?

Mar 5, 2012

I have an ASA 5500 Firewall. I need to figure out how to log all events using Port 25 to determine if there are any rogue devices on our network. I was trying to figure out how to do this via the Real-Time Monitoring (filter) but have had no success.

View 1 Replies View Related

Cisco Firewall :: ASA5505 - ACL For SMTP Inbound

Dec 29, 2011

I am trying to configure my ASA5505 to allow SMTP relay and the ACLStatic I created is not working.

View 1 Replies View Related

Cisco Firewall :: ASA 8.4 / NAT SMTP Traffic From Outside To Inside?

Dec 25, 2012

Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not because the mailserver also functions as an data and Active Directory server for my local domain.  If tried to config the ASA for a while now and throw it in the corner for a couple of months out of frustration. Now I got some time left during christmas break I decided to start again.My purpose is to NAT SMTP / POP traffic from the internet, trough the ASA to my (inside) server. This is what I got so far. With this config I'm unable to telnet the inside server (192.168.1.10) from a remote location.
  
ASA Version 8.4(3)!hostname ciscoasaenable password cE8UUNd encryptedpasswd 2KFQ.2KYOU encryptednames!interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.253 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 95.*.*.218 255.255.255.248!ftp mode passiveobject network obj_anysubnet 0.0.0.0 0.0.0.0object network server1_smtphost 192.168.1.10object network server1_pop3host 192.168.1.10access-list outside_access_in extended

[code]....
 
I can ping 192.168.1.10 from the ASA CLI. I can Ping DNS 4.2.2.2 from the CLI (internet access). I can Telnet the server from the inside LAN, using: telnet 192.168.1.10 25.But I can't Telnet from an outside location using: Telnet 95.*.*.218 25 Because my server is on the Inside interface (diffenrent subnet) do I need an additional route?

View 5 Replies View Related

Cisco Firewall :: ASA 8.4 - Static NAT With Outbound SMTP

Mar 30, 2011

Below is the interesting part of my config.  I have static NAT configured and working inbound for the Exchange Server and the Barracuda, however outbound traffic from those hosts comes out as the interface IP.  Thoughts?  I've tried a number of things (outside, inside), etc.
 
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network DSN-EXCH01
host 10.250.231.51
object network MAIL-IN
host 10.250.231.50(code)

View 3 Replies View Related

Cisco Firewall :: ASA 5505 For SMTP Access?

Oct 29, 2012

I need to move the email traffic to a backup circuit.  Below is my config.  I have tried for email access but to no avail. 

asa5505# sho run
: Saved
:
ASA Version 8.2(2)
!
hostname asa5505

[code]........

View 9 Replies View Related

Cisco Firewall :: How To Log Incoming Traffic (SMTP) On PIX 515E

Mar 6, 2013

I'm new to ASA's and PIX units. I've setup a few VPN's now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console.Do I need to use a SYSLOG server? I can probably set one up on my laptop.

View 1 Replies View Related

Cisco Firewall :: ASA5510 / IPS SSM Could Not Connect To SMTP Host

Sep 3, 2011

We have an ASA5510 with the IPS ASA-SSM-10 module installed. All is working well except event notification. When sending a test email from the SSM IPS, we get the error "could not connect to SMTP host". The Exchange SMTP host does allow traffic from the IPS and ASA. I can ping to the SMTP host by IP and name. What am I missing here?

View 3 Replies View Related

Cisco Firewall :: Unable To Open SMTP Session Through ASA 5512-X?

Sep 20, 2012

Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.
 
NAT and access rules are as follows:
  
object network mail
host 192.168.101.1
description Mail relay
access-list inbound extended permit ip any host 200.225.117.1

[code]....
 
EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?

View 3 Replies View Related

Cisco Firewall :: ASA5505 (8.4.2) How To Access Inside SBS-Server On SMTP / RDP

Oct 25, 2011

Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
 
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I havent tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
 
[OK] object network SBS-HTTPS
 object network SBS-HTTPS
[ERROR] nat (inside,outside) static interface service tcp https https
 NAT unable to reserve ports.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 Blocks Outgoing Smtp (port 25)

Nov 25, 2012

i cannot send emails to outside, i have an access rule on interface inside permit source: inside  destination: any servic: tcp/smtp and when i make paket tracer  it shows me that the packet is dropped but i cant see through which rule!!
 
ASA version: 8.4(3)
ASDM version 6.4(7)

View 2 Replies View Related

Cisco Firewall :: ASA5510 SMTP Traffic - Host Unreachable

Jul 8, 2012

Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
 
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25.
 
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 [code]...
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.

View 19 Replies View Related

Cisco Firewall :: ASA5510 - Giving Error 421 SMTP And Connection Lost

Oct 10, 2011

I 've got some problem with my Mail Server since I've migrated to an ASA5510.Actually the server is in a DMZ with a private Ip ( 10.x.x.2) and it is translated to a Public IP ( 194.x.x.65).Some Users received in there mailbox a system administor error message :Object : Impossible to deliver : testYour message could not be deliver to one or more of its recipients: 421 SMTP connection went away!When they try to re sent it some times later, message is sent whithout problem.

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Doesn't Allow Local Provider SMTP Traffic

Aug 7, 2011

We are using several Cisco ASA 5505 with the 8.05 OS on it. The problem is that the SMTP traffic of my ISP(Telenet) isn't passtrough the ASA, I'm using outlook 2010. Before there was also a problem with our local exchange server but I solved this by disabling ESMTP checking in the policies, but it didn't worked for my local ISP.

View 4 Replies View Related

Cisco Firewall :: ASA5505 8.4.2 NAT To Forward SMTP And RDP Traffic To Internal Host

Nov 26, 2011

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
 
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file, what I need to change in order to make it work?

View 19 Replies View Related

Cisco VPN :: Setting Up VPN Through 2 ASA 5510 Firewalls

Jan 10, 2012

'm trying to set up a vpn connection through two ASA 5510 firewalls.My network is as follows:
 
PC | FW A | Internet |FW B| - lan |
 
I am trying to achieve the following:
 
PC | FW A | Internet |FW B| - | DMZ | - | FW C| - | lan |
 
However, I am not sure where the VPNs will need to terminate and how I will achieve this taking into account the WAN IPs.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved