ASA: SMTP Outbound Blocked

Hello everyone,
I am having trouble with my outbound SMTP traffic. I have a 5510 ASA with an IPS module. I also have three interfaces configured: the inside, DMZ, and outside. My incoming emails pass with no problems, but my outgoing ones do not; they get stuck in my DMZ with the following message: "No route to host". From my email relay I can ping and even telnet to any other port of any server on the internet, but when it comes to SMTP it gives me this error. The same thing also happens from the inside. The configuration hasn't changed. I also did a packet trace, which gave the result "allowed" across the board. Now I am really stuck and can't figure out what is going on. Here is my ASA config:
ASA Version 8.2(1)
hostname dspasa2
names
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.165 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.3 255.255.255.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.101 255.255.255.240
interface Ethernet0/3
shutdown    
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit tcp host 192.168.0.1 any log disable inactive
access-list inside_access_in extended permit udp host 192.168.0.1 any log disable inactive
access-list inside_access_in extended permit ip host 192.168.0.4 any log disable
access-list inside_access_in extended permit tcp host 192.168.0.5 any log disable
access-list inside_access_in extended permit udp host 192.168.0.5 any log disable
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data log disable
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp log disable
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 any log disable
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.100 eq 8445
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
access-list inside_access_in extended permit object-group TCPUDP host 192.168.0.201 host 81.80.56.164 log disable
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
access-list outside_access_in extended permit icmp any any log disable
access-list outside_access_in extended permit esp any any log disable
access-list outside_access_in extended permit ah any any log disable
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host X.X.X.161 eq smtp
access-list outside_access_in extended permit tcp any host  X.X.X.161 eq 8445
access-list outside_access_in extended permit tcp any host X.X.X.161 eq https
access-list outside_access_in extended permit object-group TCPUDP any host  X.X.X.164
access-list dspgroup_splitTunnelAcl standard permit any
access-list dspgroup_splitTunnelAcl_1 standard permit any
access-list dspgroup_splitTunnelAcl_2 standard permit any
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
access-list SPIL standard permit 192.168.0.0 255.255.255.0
access-list QOS extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit tcp host 10.0.0.100 any eq https
access-list dmz-in extended permit tcp host 10.0.0.100 any eq www
access-list dmz-in extended permit udp host 10.0.0.100 any eq domain
access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPNPOOL 10.10.10.1-10.10.10.20 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,outside)  X.X.X.161 10.0.0.100 netmask 255.255.255.255
static (outside,inside) 192.168.0.201  X.X.X.164 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.0.0 management
http 192.168.0.0 255.255.0.0 inside
snmp-server location DSP
no snmp-server contact
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address snimndb
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 1800
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5    
group 2
lifetime 1800
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.64.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 60
console timeout 0
management-access inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.0.4 source management
webvpn
group-policy dspgroup internal
group-policy dspgroup attributes
dns-server value 192.168.0.4 192.168.64.47
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPIL
default-domain value dsp.snim.com
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group RAPARIS type remote-access
tunnel-group RAPARIS general-attributes
address-pool VPNPOOL
default-group-policy dspgroup
tunnel-group RAPARIS ipsec-attributes
pre-shared-key *
class-map voix
match dscp ef
class-map IPS
match any
class-map QOS
match access-list QOS
class-map inspection_default
match default-inspection-traffic
class-map inspection_defautl
policy-map type inspect dns preset_dns_map
parameters
policy-map voix
class voix
  priority
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
class IPS
  ips promiscuous fail-open
service-policy global_policy global
service-policy voix interface outside
prompt hostname context
Cryptochecksum:bb43480221ed20aafc3e397fd7432bc3
: end
Here is the output of packet-tracer:
dspasa2# packet-tracer input dmz tcp 10.0.0.100 234 173.194.79.26 25
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz-in in interface dmz
access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPS
match any
policy-map global_policy
class IPS
  ips promiscuous fail-open
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
  match ip dmz host 10.0.0.100 outside any
    static translation to X.X.X.161
    translate_hits = 3540, untranslate_hits = 920
Additional Information:
Static translate 10.0.0.100/0 to 81.80.56.161/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
  match ip dmz host 10.0.0.100 outside any
    static translation to X.X.X.161
    translate_hits = 3540, untranslate_hits = 920
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:      
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8470, packet dispatched to next module
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Please help.

Hi,
I believe that you must edit your policy map and add SMTP traffic to your default inspection:
policy-map global_policy
class inspection_default
  inspect smtp
Because your DMZ is more trusted than the outside interface, I think you must include this type of traffic in the global inspection.
Take care, man.
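Whatever is done about inspection, the check a practitioner would run from the relay itself, added here as an example that is not part of the original thread: on Linux and the BSDs, "No route to host" is the text for errno EHOSTUNREACH, which the relay's kernel reports when an ICMP host-unreachable or administratively-prohibited message comes back in answer to its SYN. packet-tracer only evaluates the ASA's own policy for a synthetic packet, so an "allow" there says nothing about a device upstream rejecting port 25, and with the IPS module in promiscuous mode the sensor can still ask the ASA to shun a source (`show shun` on the ASA lists active shuns). The script below probes several ports on one target and tells a port-specific ICMP rejection apart from a silent drop and a closed port; a `capture` on the outside interface matching ICMP then shows which address is sending the unreachable. The target host and ports are arguments; the loopback listener in `self_check` is constructed so the probe can be exercised offline.

```python
"""Added example (not from the original post): work out, from the relay host
itself, why an outbound TCP connect fails, so that "No route to host" can be
told apart from a silent drop or a closed port.  Assumes POSIX errno
semantics (Linux/BSD); the target host and ports are arguments.
"""
import errno
import socket

ICMP_REJECTED = errno.EHOSTUNREACH   # what Linux prints as "No route to host"

# What each connect() outcome says about the path.  None means the handshake
# completed.  ECONNREFUSED also proves the SYN got through: the target answered.
VERDICTS = {
    None: "open: handshake completed, path and port are fine",
    errno.ECONNREFUSED: "refused: SYN reached the target, which answered RST; nothing on the path filtered it",
    ICMP_REJECTED: "unreachable: an ICMP host-unreachable or admin-prohibited arrived for the SYN; a device on the path rejected it",
    errno.ENETUNREACH: "unreachable: ICMP network-unreachable, or no local route to the target",
    errno.ETIMEDOUT: "timeout: SYN or SYN-ACK dropped silently (filter without ICMP, asymmetric routing, shun)",
}

REACHED = (None, errno.ECONNREFUSED)   # either way the SYN arrived at the target


def probe_tcp(host, port, timeout=5.0):
    """One TCP connect attempt; returns (errno or None, verdict string)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return None, VERDICTS[None]
    except socket.timeout:
        return errno.ETIMEDOUT, VERDICTS[errno.ETIMEDOUT]
    except OSError as e:
        return e.errno, VERDICTS.get(e.errno, "other: %s" % e)
    finally:
        s.close()


def conclusion_for(per_port):
    """per_port maps port -> errno (or None).  Decide whether the whole path or
    one port is the problem, which is the question the symptom raises when
    other ports work and 25 does not."""
    bad = sorted(p for p, e in per_port.items() if e not in REACHED)
    if not bad:
        return "all probed ports reached the target: look at the SMTP dialogue, not the network"
    if len(bad) == len(per_port):
        return "no port reached the target: a routing or NAT problem toward it, not a port filter"
    if all(per_port[p] == ICMP_REJECTED for p in bad):
        return ("only ports %s were rejected with ICMP unreachable: a port-specific filter "
                "between this host and the target (an upstream ACL, or the firewall shunning this source)" % bad)
    return "only ports %s fail silently: a port-specific drop that sends no ICMP" % bad


def diagnose(host, ports=(25, 80, 443), timeout=5.0):
    """Probe several ports on one target; returns (per-port errno, conclusion)."""
    per_port = {p: probe_tcp(host, p, timeout)[0] for p in ports}
    return per_port, conclusion_for(per_port)


def self_check():
    """Offline demonstration on constructed input: one listening and one closed
    port on loopback.  Returns the first word of each verdict."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens on closed_port any more
    try:
        return (probe_tcp("127.0.0.1", open_port)[1].split(":")[0],
                probe_tcp("127.0.0.1", closed_port)[1].split(":")[0])
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    per_port, verdict = diagnose(target)
    for port, code in sorted(per_port.items()):
        print("%s:%d -> %s" % (target, port, VERDICTS.get(code, str(code))))
    print(verdict)
```

Run it on the relay as `python3 probe.py 173.194.79.26`; a result of "open" on 80 and 443 with "unreachable" on 25 is the port-specific rejection pattern, and the next step is to find out who sends the ICMP, since the ASA allowing the flow does not stop an upstream provider from rejecting it.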

Similar Messages

  • Saving Drafts on IMAP account that's forced to use SMTP outbound server

    Hi!
    Occasionally, I'll get messages from OSX Mail telling me that it can't save a copy of a draft on an IMAP address, and when I send said message, it never shows up in my sent items folder.
    Due to limitations with my ISP, I cannot use the IMAP outbound server (they block 25, and my IMAP's outbound port only operates on 25.). Instead, I use an SMTP server that I have for another account.
    Any thoughts as to why A.) It's not saving in the sent folder, B.) I cannot save drafts, and C.) This only happens occasionally?
    -Jonathan

    Jonathan,
    Typically, the choice of SMTP server used as the Outgoing Server does not have to match the account of the From address, and the SMTP server provided by your ISP would not prevent Mail from saving the message from the IMAP account in the proper Sent mailbox. However, with IMAP accounts, it is normal and necessary to choose a folder on the IMAP server and tell Mail to use that folder for the Sent messages (via the aforementioned "Use This Mailbox For" command) if the selection in Mail Preferences/Accounts/Mailbox Behaviors is to save the Sent messages on the server. Without this choice, Mail should create a Sent mailbox that will reside on your Mac's hard drive. There is a similar choice for the Drafts.
    In the Sidebar to the Mail window, does your Inbox for the IMAP account have any small black triangle beside it, or at the bottom of the Sidebar, are there any folders you have not created, or perhaps an Icon in the form of a sphere with "@" in its center?
    More info, please, and see:
    http://docs.info.apple.com/article.html?path=Mail/2.0/en/ml1134.html
    and
    http://docs.info.apple.com/article.html?path=Mail/2.0/en/ml800.html
    Ernie

  • Configuring a home server to send outgoing email (Port 25 outbound blocked)

    Hello,
    I am trying to set up a home email server on my Verizon DSL connection, but I believe port 25 outbound is blocked.  How do I fix this problem?  Do I need to configure my home email server to connect to outgoing.verizon.net on port 587?  If so, will I need to use Verizon login credentials to establish that connection?
    Just to clarify - I am trying to set up a home email SERVER, not an email client.  I am using Postfix as my MTA and need it to be able to connect to another MTA (perhaps outgoing.verizon.net?) so that it can transfer emails from my server to the outside world.
    If this is not the way to correct the problem I'm having, can you please let me know how?  Thanks.
    -allmessedup

    25 is blocked across most servers these days. Verizon only allows it within their network to their SMTP mail server.
    In general, mail servers no longer use SMTP but ESMTP.
    Recommended for ESMTP is using 465, which also requires setting SSL security on, and incoming as 995 with SSL; or using 587 and 110.
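Before pointing Postfix at an ISP relay, it is worth checking from the server itself what the relay actually offers on the submission port: whether it answers on 587 at all, whether it offers STARTTLS, and which AUTH mechanisms it advertises once TLS is up. The script below, added here as an example and not taken from the thread, does that and answers the credentials question in the process, because a relay that advertises AUTH expects a login. It never sends credentials over a cleartext session. The relay name, user and password are placeholders, and `start_fake_relay` is a constructed stand-in so the check can be exercised offline.

```python
"""Added example (not from the thread): inspect what a submission relay offers
on TCP/587 before configuring Postfix to use it.  The relay name and
credentials passed in are placeholders; start_fake_relay is a constructed
cleartext stand-in for offline use.
"""
import smtplib
import socket
import ssl
import threading


def check_submission(host, port=587, user=None, password=None, timeout=10):
    """Return a dict describing the relay's EHLO offer and the outcome of an
    optional login.  Credentials are only sent after STARTTLS succeeds."""
    report = {"port": port, "starttls": False, "auth_mechs": [], "login": "not attempted"}
    with smtplib.SMTP(host, port, local_hostname="localhost", timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())  # verifies the relay's certificate
            smtp.ehlo()                                           # capabilities can change after TLS
            report["starttls"] = True
        # smtplib concatenates every "250-AUTH ..." line into one feature string
        report["auth_mechs"] = smtp.esmtp_features.get("auth", "").split()
        if user is not None:
            if not report["starttls"]:
                report["login"] = "skipped: relay offers no STARTTLS, refusing to send credentials in clear"
            else:
                try:
                    smtp.login(user, password)
                    report["login"] = "ok"
                except smtplib.SMTPAuthenticationError as e:
                    report["login"] = "rejected: %s" % e.smtp_error.decode(errors="replace")
    return report


def start_fake_relay(auth_mechs="PLAIN LOGIN"):
    """Constructed cleartext relay for offline exercise of check_submission:
    answers EHLO with the given AUTH line and no STARTTLS, serves one session
    in a background thread, and returns the loopback port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def session():
        conn, _ = srv.accept()
        srv.close()
        f = conn.makefile("rwb")
        f.write(b"220 fake.relay ESMTP\r\n")
        f.flush()
        for line in f:
            verb = line.split()[0].upper() if line.strip() else b""
            if verb in (b"EHLO", b"HELO"):
                f.write(b"250-fake.relay\r\n250-AUTH " + auth_mechs.encode() + b"\r\n250 8BITMIME\r\n")
            elif verb == b"QUIT":
                f.write(b"221 bye\r\n")
                f.flush()
                break
            else:
                f.write(b"502 command not implemented\r\n")
            f.flush()
        conn.close()

    threading.Thread(target=session, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    relay = sys.argv[1] if len(sys.argv) > 1 else "outgoing.verizon.net"  # placeholder relay
    print(check_submission(relay, 587, user="user@example.com", password="changeme"))
```

If the report shows `starttls: True` and a non-empty `auth_mechs`, the Postfix side is the usual relayhost-on-587 setup with SASL credentials and `smtp_tls_security_level = encrypt`, so that the server never falls back to sending those credentials unencrypted.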

  • SMTP IPS block problem

    I set up ID 3110 (suspicious mail attachment) to deny attacker inline, thinking that nobody needs to send those types of attachments and it would cut down on viruses. It worked fine until today, when someone internal tried to send one and the IPS blocked my internal SMTP server from going to the internet. Is there a way of setting up exceptions in the IPS so that my internal IP range is always allowed access? Or is there a better way of doing this?
    Thanks for the help.

    We've seen false positives with that signature, but YMMV... they've modified it recently, so maybe it's fixed.
    Anyway, to answer your question... there are two ways to handle this.
    1) Use an event filter to subtract the action from the alarm. The mail server's source IP would be part of the criteria in the filter. You might want to consider creating an event variable for your entire DMZ and creating an event filter that subtracts any of the "deny" actions if DMZ=source. See Event Action Rules -> Event Action Filters in the IDM.
    2) Add the source IP or network to the "never block addresses". See Blocking -> Blocking Properties in the IDM. I don't believe this works for actions that are "deny"... you'll need an event filter for those.

  • IPS (7.0(7)E4) on ASA-SSM-10 blocks DNS without alerts

    Hi All
    I have IPS module:
      Build Version: 1.1 - 7.0(7)E4
      ASA 5500 Series Security Services Module-10
      Signature Update      S652.0    2012-06-20
    The ASDM log shows events:
    4    Jun 26 2012    18:21:47        193.227.240.38    53    sd-outside    65347    IPS requested to drop UDP packet from outside:193.227.240.38/53 to dmz1:sd-outside/65347
    But the IPS doesn't show alerts; it does not explain why it blocks these packets. DNS queries are blocked only from one network.
    ! ------------------------------
    ! Current configuration last modified Tue Jun 26 18:01:58 2012
    ! ------------------------------
    ! Version 7.0(7)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S652.0   2012-06-20
    ! ------------------------------
    service interface
    exit
    ! ------------------------------
    service authentication
    exit
    ! ------------------------------
    service event-action-rules rules0
    filters edit PROXY
    attacker-address-range 192.168.72.7
    actions-to-remove deny-attacker-inline|deny-packet-inline
    os-relevance relevant|not-relevant|unknown
    exit
    filters edit Q00000
    signature-id-range 5684
    attacker-address-range 95.190.8.0-95.190.8.255
    actions-to-remove deny-attacker-inline|deny-packet-inline
    os-relevance relevant|not-relevant|unknown
    exit
    filters edit Q00001
    signature-id-range 5684
    victim-address-range 95.190.8.0-95.190.8.255
    actions-to-remove deny-attacker-inline|deny-packet-inline
    os-relevance relevant|not-relevant|unknown
    exit
    filters edit USERS
    signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100
    attacker-address-range 192.168.0.0-192.168.255.255
    actions-to-remove deny-attacker-inline|deny-packet-inline
    os-relevance relevant|not-relevant|unknown
    exit
    filters edit USERS2
    signature-id-range 5575-5591,2151,21619,2150-2151
    attacker-address-range 192.168.0.0-192.168.255.255
    victim-address-range 192.168.0.0-192.168.255.255
    actions-to-remove deny-attacker-inline|deny-packet-inline
    os-relevance relevant|not-relevant|unknown
    exit
    filters move PROXY begin
    filters move USERS after PROXY
    filters move Q00000 after USERS
    filters move Q00001 after Q00000
    filters move USERS2 after Q00001
    general
    global-deny-timeout 14400
    exit
    target-value low target-address 192.168.0.0-192.168.255.255
    target-value medium target-address 192.168.1.0-192.168.1.255,192.168.64.0-192.168.64.255,192.168.3.0-192.168.3.49,192.168.65.128-192.168.65.255
    target-value high target-address 192.168.72.2-192.168.72.254,192.168.66.0-192.168.67.255,192.168.2.0-192.168.2.255
    target-value mission-critical target-address 192.168.65.0-192.168.65.127
    os-identification
    calc-arr-for-ip-range 192.168.0.0-192.168.255.255
    exit
    exit
    ! ------------------------------
    service host
    network-settings
    host-ip 192.168.64.194/24,192.168.64.1
    host-name gw1-ips
    telnet-option disabled
    access-list 192.168.0.0/16
    dns-primary-server enabled
    address 192.168.66.2
    exit
    dns-secondary-server enabled
    address 192.168.72.19
    exit
    dns-tertiary-server enabled
    address 192.168.72.20
    exit
    exit
    time-zone-settings
    offset 360
    standard-time-zone-name GMT+06:00
    exit
    ntp-option enabled-ntp-unauthenticated
    ntp-server 192.168.64.1
    exit
    summertime-option disabled
    auto-upgrade
    cisco-server enabled
    schedule-option calendar-schedule
    times-of-day 04:20:00
    days-of-week sunday
    days-of-week tuesday
    days-of-week thursday
    days-of-week saturday
    exit
    user-name dimaonline
    cisco-url https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
    exit
    exit
    exit
    ! ------------------------------
    service logger
    exit
    ! ------------------------------
    service network-access
    general
    enable-acl-logging true
    never-block-networks 192.168.0.0/16
    exit
    exit
    ! ------------------------------
    service signature-definition sig0
    signatures 60000 0
    alert-severity low
    sig-fidelity-rating 50
    sig-description
    sig-name XPress Administrator Service
    sig-string-info Access to Administrator Service
    sig-comment External user open Admin
    sig-creation-date 20120622
    exit
    engine service-http
    max-field-sizes
    specify-max-uri-field-length no
    exit
    regex
    specify-uri-regex yes
    uri-regex [Aa]dministrator[Ss]ervice[.]asmx
    exit
    exit
    service-ports 80
    exit
    event-counter
    event-count 1
    event-count-key Axxx
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    summary-interval 15
    summary-key Axxx
    specify-global-summary-threshold no
    exit
    exit
    vulnerable-os windows-nt-2k-xp
    specify-mars-category yes
    mars-category Info/Misc/Login
    exit
    exit
    signatures 60000 1
    alert-severity low
    sig-fidelity-rating 50
    sig-description
    sig-name Xpress Bridge
    sig-string-info Service URL
    sig-comment External Access to bridge
    sig-creation-date 20120625
    exit
    engine service-http
    regex
    specify-uri-regex yes
    uri-regex [Bb]ridge[/][Ss]ervice[.]asmx
    exit
    exit
    service-ports 80
    exit
    event-counter
    event-count 1
    event-count-key Axxx
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    summary-interval 15
    summary-key Axxx
    specify-global-summary-threshold no
    exit
    exit
    status
    enabled true
    exit
    specify-mars-category yes
    mars-category Info/Misc/Login
    exit
    exit
    signatures 60001 0
    alert-severity high
    sig-fidelity-rating 90
    sig-description
    sig-name FreePBX Display Extentions
    sig-string-info Acces to Extentions settings
    sig-comment Weak Password Detection
    sig-creation-date 20120622
    exit
    engine service-http
    event-action produce-alert|deny-attacker-inline
    regex
    specify-uri-regex yes
    uri-regex [/]admin[/]config[.]php
    exit
    specify-arg-name-regex yes
    arg-name-regex display
    specify-arg-value-regex yes
    arg-value-regex (extensions)|(trunks)
    exit
    exit
    exit
    service-ports 80
    exit
    event-counter
    event-count 1
    event-count-key Axxx
    specify-alert-interval no
    exit
    alert-frequency
    summary-mode summarize
    summary-interval 15
    summary-key Axxx
    specify-global-summary-threshold no
    exit
    exit
    exit
    exit
    ! ------------------------------
    service ssh-known-hosts
    exit
    ! ------------------------------
    service trusted-certificates
    exit
    ! ------------------------------
    service web-server
    enable-tls false
    port 80
    exit
    ! ------------------------------
    service anomaly-detection ad0
    internal-zone
    enabled true
    ip-address-range 192.168.0.0-192.168.255.255
    tcp
    enabled true
    exit
    udp
    enabled true
    exit
    other
    enabled true
    exit
    exit
    illegal-zone
    enabled false
    tcp
    enabled false
    exit
    udp
    enabled false
    exit
    other
    enabled false
    exit
    exit
    ignore
    source-ip-address-range 192.168.0.0-192.168.255.255
    exit
    exit
    ! ------------------------------
    service external-product-interface
    exit
    ! ------------------------------
    service health-monitor
    signature-update-policy
    enable false
    exit
    license-expiration-policy
    enable false
    exit
    event-retrieval-policy
    enable false
    exit
    exit
    ! ------------------------------
    service global-correlation
    exit
    ! ------------------------------
    service aaa
    exit
    ! ------------------------------
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit

    I set the policy for generation of alerts for all signatures.
    Alerts in ASDM:
    But no alerts in the IPS:

  • VALUABLE HINT: How to send .Mac mail when SMTP is blocked

    See: http://www.macosxhints.com/article.php?story=20060113084246213
    Read ALL the comments...the info buried in them explains using SSL and ports and how to protect your .Mac account whether POP or IMAP.
    Help keep your dotmac password from being compromised.
    If you run your .Mac Mail through the Mail app, use the alternate port for the smtp server: 587 and click SSL.
    Go into Prefs and Advanced tab and click SSL to use the IMAP secure port: 993.
    READ THE HINT AND ALL COMMENTS. You will be glad you did.

    I configured the IDM from the Configure --> Servers --> Edit Server Settings page, Email Template, filling in the form as follows:
    Default SMTP Server      192.168.22.222
         Use default
    Default SMTP Port      25
         Use default (25)
    SMTP Port      25
    SMTP Authentication Enabled      
         Use default (true)
         Authentication Enabled
    User Id      idmmail
    Password      *****
    Default SMTP Enable SSL      
         Use default (false)
         SSL Enabled
         Disable Certificate Authentication
    When I run the "ALL USERS" report, I select 'Email Report' and fill in the mail address. But after running the report, I don't receive any email and no error messages are displayed.
    Could you tell me how I can debug or trace whether the IDM sent the mail or not, and whether it connects to the mail server?
    Thanks.

  • ASA: Authenticating Outbound Connections - Authentication-Gateway?

    I use an ASA 5520 as the Internet edge for 3 different groups of users. Currently I control access in the internet segment for each group by static DHCP leases based on MAC addresses.
    As this is not the most secure approach, I am looking for a different way to control access within my internet segment.
    I am thinking of authenticating the users with username and password prior to establishing connections over the ASA. I think this can be done somehow with the cut-through proxy feature. Unfortunately I have no ACS server available, so the cut-through approach is not possible.
    Has anyone done a configuration setup where users get authenticated based on username/password prior to allowing a connection through the ASA so far?
    Similar functionality is often seen on public hotspots in airports, where you have to authenticate over a web page before internet usage.
    Is there open source software capable of this authentication method, and can you configure it in conjunction with an ASA? Maybe using the WCCP feature?
    This might be a little off-topic, but hopefully someone already has experience with this kind of setup.
    Thanks for reading.
    Roble

    Yeah, I can't believe it either! http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/access_wccp.html#wp1105267
    The following WCCPv2 features are not supported for the ASA:
    •Multiple routers in a service group.
    •Multicast WCCP.
    •The Layer 2 redirect method.
    •WCCP source address spoofing.
    •WAAS devices.

  • SMTP traffic blocked by ISP how do you handle it ?

    I have recently installed OCFO 10.1.3.07. We were using POP accounts previously, and I had 2 accounts created in Outlook (one using my SMTP server as outgoing mail server and the second using the user's ISP SMTP server) to let users send emails from home by selecting the account in Outlook before sending their mail, without having them configure anything.
    I am now stuck here. I tried replicating the same kind of setup using OCFO and a secondary IMAP4 account, but it doesn't work. The mail stays in the outbox. The only way to send from their homes is to run the configuration wizard and change the SMTP server address.
    How do you handle this? Am I taking the wrong approach here?
    Thanks for any inputs.

    For anyone who might be interested,
    I have submitted an SR to Oracle support, and the workaround to this issue is to create a second mail profile and configure OCFO with a different SMTP server within that profile.

  • Cisco ASA 5505 Blocking LAN Domain Queries

    Hi guys,
    Okay, my scenario: a datacentre-hosted system with 4 servers connected to a Cisco ASA 5505. Everything was working fine with 4x Windows Server 2003 machines, but since pulling 2 out and replacing them with Windows Server 2008 machines I get a flood of the error below, and it blocks communications back to the IP listed, which is the domain controller, so naturally this makes the 2 new servers unusable.
    1: They are all connected to the inside VLAN directly via the ASA's switch ports.
    2: They are all in the same 255.255.255.0 subnet, including the ASA inside interface.
    3: Removing the gateway on the affected machines makes no difference; the ASA continues to block it, which indicates that whether or not the machines use the ASA as a gateway, it is inspecting the traffic and blocking it.
    I have posted the error below and my config. It's strange that it's only affecting the new Server 2008 machines, and I'm hoping you can offer suggestions.
    Errors:
    2      Dec 08 2012      12:02:41      106007      10.50.15.117      55068      DNS            Deny inbound UDP from 10.50.15.117/55068 to 10.50.15.5/53 due to DNS Query
    Result of the command: "show run"
    : Saved
    ASA Version 8.2(1)
    hostname xxxxx-ASA5505
    domain-name xxx.local
    enable password
    passwd
    names
    name 10.50.17.0 Hobart description Hobart
    name 10.50.16.0 Launceston description Launceston
    name 10.50.18.0 Burnie description Burnie
    name 10.50.24.0 Devonport description Devonport
    name 10.50.23.0 burniewilmot description burniewilmot
    name 10.50.35.0 Warrnamboolmain description warrnamboolmain
    name 10.50.30.0 hamilton description hamilton
    name 10.50.20.0 Portland description Portland
    name 10.50.31.0 Camperdown description Camperdown
    name 10.50.32.0 wboolsh description wboolsh
    name 10.50.33.0 wblthy description wblthy
    dns-guard
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.50.15.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 111.223.228.154 255.255.255.248
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns server-group DefaultDNS
    domain-name xxx.local
    object-group service IpPrinting tcp
    port-object eq 9100
    object-group icmp-type icmp
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object unreachable
    object-group network dns_servers
    network-object host 10.50.15.5
    object-group service domain udp
    port-object eq domain
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any eq domain
    access-list inside_access_in extended permit udp any any object-group domain
    access-list outside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    access-list outside_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq www
    access-list vpnusers_splitTunnelAcl standard permit 111.223.231.120 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 111.223.231.120 255.255.255.248 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 111.223.228.152 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 14.0.0.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Devonport 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_1_cryptomap_1 extended permit ip 10.50.15.0 255.255.255.0 Launceston 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Burnie 255.255.255.0
    access-list outside_3_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Hobart 255.255.255.0
    access-list outside_4_cryptomap extended permit ip 10.50.15.0 255.255.255.0 burniewilmot 255.255.255.0
    access-list outside_5_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Warrnamboolmain 255.255.255.0
    access-list outside_6_cryptomap extended permit ip 10.50.15.0 255.255.255.0 hamilton 255.255.255.0
    access-list outside_7_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Portland 255.255.255.0
    access-list outside_8_cryptomap extended permit ip 10.50.15.0 255.255.255.0 Camperdown 255.255.255.0
    access-list outside_9_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wboolsh 255.255.255.0
    access-list outside_10_cryptomap extended permit ip 10.50.15.0 255.255.255.0 wblthy 255.255.255.0
    access-list dmz_access_in extended permit tcp any interface outside eq www inactive
    access-list dmz_access_in extended permit tcp any 111.223.228.152 255.255.255.248 eq smtp
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1300
    mtu outside 1300
    mtu dmz 1500
    ip local pool vpnclient 14.0.0.1-14.0.0.15 mask 255.0.0.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.50.15.0 255.255.255.0
    static (outside,inside) tcp 10.50.15.5 www 0.0.0.0 www netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.50.15.5 www netmask 255.255.255.255  dns
    static (inside,outside) tcp interface smtp 10.50.15.5 smtp netmask 255.255.255.255  dns
    static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 111.223.228.153 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.50.15.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 58.96.86.56
    crypto map outside_map 1 set transform-set esp-des-sha
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map0 1 match address outside_1_cryptomap_1
    crypto map outside_map0 1 set peer 59.167.207.106
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 2 match address outside_2_cryptomap
    crypto map outside_map0 2 set peer 59.167.204.53
    crypto map outside_map0 2 set transform-set ESP-3DES-SHA
    crypto map outside_map0 3 match address outside_3_cryptomap
    crypto map outside_map0 3 set pfs
    crypto map outside_map0 3 set peer 203.45.159.34
    crypto map outside_map0 3 set transform-set ESP-3DES-SHA
    crypto map outside_map0 4 match address outside_4_cryptomap
    crypto map outside_map0 4 set peer 203.45.134.39
    crypto map outside_map0 4 set transform-set ESP-3DES-SHA
    crypto map outside_map0 5 match address outside_5_cryptomap
    crypto map outside_map0 5 set peer 58.96.75.47
    crypto map outside_map0 5 set transform-set ESP-3DES-SHA
    crypto map outside_map0 6 match address outside_6_cryptomap
    crypto map outside_map0 6 set peer 58.96.85.151
    crypto map outside_map0 6 set transform-set ESP-3DES-SHA
    crypto map outside_map0 7 match address outside_7_cryptomap
    crypto map outside_map0 7 set peer 58.96.78.238
    crypto map outside_map0 7 set transform-set ESP-3DES-SHA
    crypto map outside_map0 8 match address outside_8_cryptomap
    crypto map outside_map0 8 set peer 58.96.69.82
    crypto map outside_map0 8 set transform-set ESP-3DES-SHA
    crypto map outside_map0 9 match address outside_9_cryptomap
    crypto map outside_map0 9 set peer 58.96.83.244
    crypto map outside_map0 9 set transform-set ESP-3DES-SHA
    crypto map outside_map0 10 match address outside_10_cryptomap
    crypto map outside_map0 10 set peer 58.96.80.122
    crypto map outside_map0 10 set transform-set ESP-3DES-SHA
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 2
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 70
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.50.15.50-10.50.15.55 inside
    dhcpd dns 10.50.15.5 interface inside
    no threat-detection basic-threat
    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 130.194.10.150
    webvpn
    group-policy xxx internal
    group-policy xxx attributes
    dns-server value 10.50.15.5
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    dhcp-network-scope 14.0.0.0
    vpn-tunnel-protocol IPSec webvpn
    ipv6-address-pools none
    group-policy vpnusers internal
    group-policy vpnusers attributes
    dns-server value 10.50.15.5 139.130.4.4
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnusers_splitTunnelAcl
    username aspireremote password
    username aspireremote attributes
    service-type remote-access
    username richard.lawes password
    username netscreen password
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultRAGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
    address-pool (outside) vpnclient
    address-pool vpnclient
    default-group-policy GroupPolicy1
    dhcp-server 192.168.0.5
    tunnel-group TunnelGroup1 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group vpnusers type remote-access
    tunnel-group vpnusers general-attributes
    address-pool vpnclient
    default-group-policy vpnusers
    tunnel-group vpnusers ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.207.106 type ipsec-l2l
    tunnel-group 59.167.207.106 ipsec-attributes
    pre-shared-key *
    tunnel-group aspirevpn type remote-access
    tunnel-group aspirevpn general-attributes
    address-pool vpnclient
    default-group-policy xxxvpn
    tunnel-group xxxvpn ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 59.167.204.53 type ipsec-l2l
    tunnel-group 59.167.204.53 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.159.34 type ipsec-l2l
    tunnel-group 203.45.159.34 ipsec-attributes
    pre-shared-key *
    tunnel-group 203.45.134.39 type ipsec-l2l
    tunnel-group 203.45.134.39 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.75.47 type ipsec-l2l
    tunnel-group 58.96.75.47 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.85.151 type ipsec-l2l
    tunnel-group 58.96.85.151 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.78.238 type ipsec-l2l
    tunnel-group 58.96.78.238 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.69.82 type ipsec-l2l
    tunnel-group 58.96.69.82 ipsec-attributes
    pre-shared-key *
    tunnel-group 58.96.83.244 type ipsec-l2l
    tunnel-group 58.96.83.244 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    tunnel-group 58.96.80.122 type ipsec-l2l
    tunnel-group 58.96.80.122 ipsec-attributes
    pre-shared-key *
    isakmp keepalive threshold 15 retry 2
    prompt hostname context

    Hello Richard,
    My first thought is: why is the ASA receiving this traffic at all? This is traffic that should not reach the default gateway.
    Anyway, try the following:
    same-security-traffic permit intra-interface
    Let me know how it goes
    Julio
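
    Julio's `same-security-traffic permit intra-interface` suggestion addresses the `static (inside,inside)` entry in the config above, but a reviewer reading that config would flag a few more lines: `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` expose management to any Internet address, several transform-sets and ISAKMP policies still use single DES, MD5 or DH group 1, and basic threat detection is switched off. The checker below is an added example (my code, not Cisco's and not from this thread); it runs over a trimmed copy of the posted lines and reports those patterns. The severity labels and the list of checks are my choices.

```python
"""Lint an ASA 8.x running-config for the risky settings visible in the thread.

Added example, not from the post or from Cisco. SAMPLE_CONFIG is a trimmed copy
of the lines posted above; the checks and severities are this example's own.
"""
import re

SAMPLE_CONFIG = """\
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any inactive
static (inside,inside) 10.50.15.0 255.255.255.0 netmask 255.255.255.255
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.50.15.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set transform-set esp-des-sha
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
no threat-detection basic-threat
"""

# Only single DES and MD5 are flagged; 3DES is also end-of-life but is left out
# so the output stays focused on the clearly broken choices.
WEAK_ESP = ("esp-des", "esp-md5-hmac")
WEAK_ISAKMP = ("encryption des", "group 1", "hash md5")
POLICY_KEYWORDS = ("authentication", "encryption", "hash", "group", "lifetime")

ACL_ANY = re.compile(r"^access-list (\S+) extended permit ip any any( inactive)?$")
STATIC = re.compile(r"^static \((\S+),(\S+)\)")
MGMT_ANY = re.compile(r"^(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")
TSET = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_TSET = re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+)$")
ISAKMP = re.compile(r"^crypto isakmp policy (\d+)$")


def audit_asa_config(text):
    """Return a list of (severity, message) tuples; an empty list means nothing was flagged."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    intra_ok = "same-security-traffic permit intra-interface" in lines
    weak_sets = set()   # transform-set names defined with DES or MD5
    policy = None       # number of the ISAKMP policy whose body we are inside

    for line in lines:
        m = ACL_ANY.match(line)
        if m and not m.group(2):          # an 'inactive' entry does nothing, so skip it
            findings.append(("high", f"ACL {m.group(1)}: 'permit ip any any' filters nothing"))
            continue
        m = STATIC.match(line)
        if m and m.group(1) == m.group(2) and not intra_ok:
            findings.append(("medium", f"hairpin static on {m.group(1)} but "
                             "'same-security-traffic permit intra-interface' is absent"))
            continue
        m = MGMT_ANY.match(line)
        if m:
            sev = "high" if m.group(2) == "outside" else "medium"
            findings.append((sev, f"{m.group(1)} management open to any address on {m.group(2)}"))
            continue
        m = TSET.match(line)
        if m:
            weak = [a for a in m.group(2).split() if a in WEAK_ESP]
            if weak:
                weak_sets.add(m.group(1))
                findings.append(("medium", f"transform-set {m.group(1)} uses {' '.join(weak)}"))
            continue
        m = MAP_TSET.match(line)
        if m:
            # transform-sets precede crypto maps in ASA output, so a single pass is enough
            for name in m.group(3).split():
                if name in weak_sets:
                    findings.append(("high", f"crypto map {m.group(1)} seq {m.group(2)} "
                                     f"uses weak transform-set {name}"))
            continue
        m = ISAKMP.match(line)
        if m:
            policy = m.group(1)
            continue
        if policy is not None:
            if line in WEAK_ISAKMP:
                findings.append(("medium", f"isakmp policy {policy}: {line}"))
                continue
            if line.split()[0] not in POLICY_KEYWORDS:
                policy = None             # we have left the policy block
        if line == "no threat-detection basic-threat":
            findings.append(("low", "basic threat detection is disabled"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

    Run it against saved `show running-config` output. The regexes follow the 8.2-era syntax used in this thread (pre-8.3 `static` statements), and the transform-set check only catches DES and MD5, so 3DES entries, which are also end-of-life, are not reported.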

  • ASA 5520 IP range block or Country IP block

    hi,
    I need help with an ASA 5520. I would like to block countries' IP addresses to stop attacks; is there any way to block a country's IP addresses or an IP address range?
    Thanks,
    Rabih

    I've created a script where you choose an authority by selecting it in a menu, and it will give you the configuration to drop into the ASA.
    https://github.com/in-transit/regional-asa
    You can block or allow a specific region if you want. I'll be upgrading it to do specific countries, but for now it does authorities like ARIN, RIPE, APNIC, etc.
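
    The script linked above emits ASA configuration for an entire registry's address space. As an added example (my code, not the script's) here is the core of that technique working per country from the RIRs' delegated-stats files: each row gives a start address and an address count, the counts are not always CIDR-aligned (768 below becomes a /23 plus a /24), and the resulting networks become an object-group with a deny entry inserted at line 1 of the outside ACL so it is evaluated before any permit. The rows below are constructed for the example, and the object-group and ACL names are assumptions.

```python
"""Turn RIR delegated-stats rows into ASA deny configuration for chosen countries.

Added example, not the linked script's code. SAMPLE_STATS is constructed in the
row format the RIRs publish: registry|cc|type|start|value|date|status, where
value is the number of addresses for ipv4 rows.
"""
import ipaddress

SAMPLE_STATS = """\
2|apnic|20240101|3|19830101|20231231|+1000
# summary and version rows are skipped below
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|AU|ipv4|1.0.4.0|1024|20110414|allocated
apnic|CN|ipv4|1.0.8.0|768|20110414|allocated
apnic|CN|ipv6|2001:db8::|32|20110414|allocated
apnic|JP|asn|2497|1|19990101|allocated
"""


def prefixes_for(stats_text, countries):
    """Return the IPv4 networks allocated to the given country codes, CIDR-split and merged."""
    nets = []
    for row in stats_text.splitlines():
        parts = row.split("|")
        if row.startswith("#") or len(parts) < 7:
            continue
        if parts[2] != "ipv4" or parts[1] not in countries:
            continue
        start = ipaddress.IPv4Address(parts[3])
        end = start + int(parts[4]) - 1          # last address of the allocation
        # A count that is not a power of two (768) cannot be one prefix;
        # summarize_address_range splits it into the minimal set of CIDR blocks.
        nets.extend(ipaddress.summarize_address_range(start, end))
    # collapse_addresses merges adjacent, aligned blocks and returns them sorted
    return list(ipaddress.collapse_addresses(nets))


def asa_block_config(nets, group="BLOCK_REGION", acl="outside_access_in", line=1):
    """Render an object-group and a deny ACE placed at the top of the ACL.

    'line 1' matters: ASA ACLs are first-match, so the deny must come before the
    existing permits (for instance the 'permit tcp any ... eq smtp' entries).
    """
    out = [f"object-group network {group}"]
    for n in nets:
        if n.prefixlen == 32:
            out.append(f" network-object host {n.network_address}")
        else:
            out.append(f" network-object {n.network_address} {n.netmask}")
    out.append(f"access-list {acl} line {line} extended deny ip object-group {group} any")
    return "\n".join(out)


if __name__ == "__main__":
    print(asa_block_config(prefixes_for(SAMPLE_STATS, {"CN"}), group="BLOCK_CN"))
```

    The real files are published by each RIR (for example APNIC's `delegated-apnic-latest`) and all five registries use the same row format. A full country can run to thousands of network-objects, so watch memory and ACL compile time on a 5520, and remember that a country block is a coarse filter that also stops legitimate traffic from that region.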

  • Pix501: allow all incoming smtp to one host and all smtp out from one host only

    I have a PIX 501 and I have a mail server. What I would like to do is ensure that SMTP traffic from the web only goes to my mail server, and that my mail server is the only machine on my local network that can send to the internet on port 25. This is to guard against the possibility of bots on my children's PCs spamming other users. The mail server has been relay-secured for selected PCs only.
    To the pix501; I think the following is what I need, but would like somebody to confirm or correct me:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list inbound permit tcp any host x.x.x.x eq smtp
    access-list outbound permit tcp host x.x.x.x any eq smtp
    access-group inbound in interface outside
    access-group outbound in interface inside
    Most important:
    1. Have I got the access-lists right? Does the PIX 501 support host x.x.x.x (the IP of the local web server, 192.168.x.x)?
    2. Are the access lists the right way around?
    3. Is the access-group setup right?
    4. Is there anything else that needs doing?
    Any help appreciated.
    Note: I am a Cisco newbie and trying to learn.

    Thanks for that information.
    I thought about this some more after seeing your response, and I was wondering: if I only want to restrict SMTP outbound traffic but allow all other traffic, would the following work, as I don't have to allow each specific port/IP address?
    access-list outbound permit tcp host 192.168.1.3 any eq smtp
    access-list outbound permit tcp host 192.168.1.36 any eq smtp
    access-list outbound deny tcp any any eq smtp
    access-list outbound permit udp any any
    access-list outbound permit tcp any any
    I realise that this would open all sorts of other security risks, but at least trojans/worms will not be able to spam from PCs other than those listed in the first two lines (which is my major concern at the moment). As I learn more about the traffic on my network I can block more undesirable ports.
    Sorry to be a pain, but this could be useful to others, and the more complete the setup, the easier it will be for them.
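
    The ordering question in that follow-up is the whole point: PIX and ASA ACLs are evaluated top-down, first match wins, and there is an implicit deny at the end, so the two host permits must sit above `deny tcp any any eq smtp`, which in turn must sit above `permit tcp any any`. The following is an added example (my code, not from this thread) that parses the proposed list, evaluates constructed flows against it, and reports entries that an earlier, broader entry shadows. The sample flows, the port-name table and the second, mis-ordered list are constructed for the demonstration.

```python
"""First-match evaluation and shadow check for a PIX/ASA style ACL.

Added example, not from the post. OUTBOUND_ACL is the list proposed above;
SHADOWED_ACL, the flows and PORT_NAMES are constructed for the demonstration.
"""
import ipaddress

OUTBOUND_ACL = """\
access-list outbound permit tcp host 192.168.1.3 any eq smtp
access-list outbound permit tcp host 192.168.1.36 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit udp any any
access-list outbound permit tcp any any
"""

# Same idea with the deny placed after 'permit tcp any any': the deny never fires.
SHADOWED_ACL = """\
access-list outbound permit tcp host 192.168.1.3 any eq smtp
access-list outbound permit tcp any any
access-list outbound deny tcp any any eq smtp
"""

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ftp": 21, "ftp-data": 20}


def _take_addr(tokens):
    """Pop 'any' | 'host A' | 'A MASK' off the front of tokens and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Return entries as (action, proto, src_net, dst_net, dst_port_or_None), in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2] == "extended":          # ASA 7.x+ syntax; PIX 6.x omits the keyword
            del tokens[2]
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First match wins; returns (action, index). Index -1 is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, snet, dnet, port) in enumerate(entries):
        if p not in ("ip", proto):
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", -1


def shadowed(entries):
    """Indices of entries fully covered by an earlier entry, so they can never match."""
    covered = []
    for j, (_, pj, sj, dj, portj) in enumerate(entries):
        for _, pi, si, di, porti in entries[:j]:
            if (pi in ("ip", pj) and si.supernet_of(sj) and di.supernet_of(dj)
                    and (porti is None or porti == portj)):
                covered.append(j)
                break
    return covered


if __name__ == "__main__":
    acl = parse_acl(OUTBOUND_ACL)
    for src, port in (("192.168.1.3", 25), ("192.168.1.77", 25), ("192.168.1.77", 443)):
        print(src, port, evaluate(acl, "tcp", src, "203.0.113.10", port))
    print("shadowed entries in mis-ordered list:", shadowed(parse_acl(SHADOWED_ACL)))
```

    On the PIX itself, `show access-list outbound` prints a hit count per entry; a deny entry whose count stays at zero while SMTP traffic is flowing is the on-box way to spot the same shadowing.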

  • Cannot get SMTP to work, Please Help.

    Hello,
    I recently bought the WVC80N camera.
    The main reason i purchased it was to have motion alerts emailed to me.
    I have been trying all different combination for a week and still get TEST EMAIL FAILED.
    Here are my specifics:
    ISP: Verizon FiOS
    I have a D-link N router setup as an access point that connects to my FiOS router/modem.
    The camera connects to the wireless on the D-Link router.
    I have tried my ISP SMTP settings,
    I have Verizon email through Yahoo! so I also tried those settings.
    I made a GMX account and tried that, all with no luck.
    Can someone please provide me some insight on how to get this working?
    Thank You!

    For the camera to send you do NOT need to open ports, the camera is sending SMTP OUTBOUND, opening ports is for INBOUND traffic.
    So the issue lies with Verizon and not with Cisco. It's the way you are sending out: Verizon is blocking SMTP outbound unless the FROM address matches the Verizon domain and you are an authorized user with a valid email on there.
    They may also have SMTP port 25 outbound BLOCKED, so you'd have to use an alternate port. Not sure, since I don't have Verizon. BUT there is a solution with something like the TZO OMR service, which is an outbound mail relay, allowing your camera to send through the TZO servers and not Verizon. TZO accepts mail on port 2525 also, which allows you to get around the blocked port 25 from Verizon.
    It's not Cisco's fault; be mad at your ISP for locking crap down, not Cisco.
    http://www.MyHomeServer.com
    Linksys IP camera reviews, Tutorials and How-To's on Web & Mobile Streaming

  • Threat detection in ASA 5505

    Hi Everyone,
    i am seeing this log in ASA
    May 23 2014 22:03:40: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 2252
    May 22 2014 20:48:53: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 716
    I checked:
    ASA1# sh conn
    28 in use, 567 most used
    ASA1# sh threat-detection statistics
    Top          Name   Id    Average(eps)    Current(eps) Trigger      Total events
      1-hour ACL  hits:
    01  inside_access_in/37.1               1               0       0              4542
    02  outside_access_in/1               1               0       0              3688
    03  inside_access_in/29.1               0               0       0               656
    04  inside_access_in/37.4               0               0       0               546
    05  inside_access_in/38               0               0       0                36
    06  inside_access_in/29.2               0               0       0                34
    07  sales_access_in/6                0               0       0                15
    08  inside_access_in/27.1               0               0       0                 9
    09  inside_access_in/26.2               0               0       0                 4
    10  inside_access_in/18               0               0       0                 2
      8-hour ACL  hits:
    01  inside_access_in/37.1               0               1       0              6030
    02  outside_access_in/1               0               0       0              4118
    03  inside_access_in/29.1               0               0       0              1230
    04  inside_access_in/37.4               0               0       0               912
    05  inside_access_in/38               0               0       0               113
    06  sales_access_in/6                0               0       0                92
    07  inside_access_in/27.1               0               0       0                57
    08  inside_access_in/29.2               0               0       0                50
    09  inside_access_in/26.2               0               0       0                17
    10  inside_access_in/10               0               0       0                 7
     24-hour ACL  hits:
    01  inside_access_in/37.1               0               1       0              7286
    02  outside_access_in/1               0               0       0              6301
    03  inside_access_in/29.1               0               0       0              1595
    04  inside_access_in/37.4               0               0       0              1152
    05  inside_access_in/38               0               0       0               409
    06  inside_access_in/27.1               0               0       0               296
    07  sales_access_in/6                0               0       0               217
    08  inside_access_in/29.2               0               0       0                63
    09  inside_access_in/26.2               0               0       0                59
    10  inside_access_in/18               0               0       0                18
    ASA1# sh threat-detection rate
                              Average(eps)    Current(eps) Trigger      Total events
      10-min ACL  drop:                  2               0       0              1517
      1-hour ACL  drop:                  1               1       0              4641
      1-hour SYN attck:                  0               0       0                31
      10-min  Scanning:                  3               0     205              2258
      1-hour  Scanning:                  1               1       7              6841
      10-min Bad  pkts:                  1               0       0               734
      1-hour Bad  pkts:                  0               0       0              2123
      10-min  Firewall:                  3               0       0              2258
      1-hour  Firewall:                  1               1       0              6810
      10-min DoS attck:                  0               0       0                 7
      1-hour DoS attck:                  0               0       0                46
      10-min Interface:                  4               0       0              2537
      1-hour Interface:                  2               2       0              7950
    I need to know why I am getting this message.
    What should I look for on the ASA to know whether bad traffic or an attack on the ASA is going on or not?
    How can I confirm that the ASA is working fine despite these log messages?
    Regards
    MAhesh

    Are there any scans being performed on your network? Perhaps a user or network monitoring solution? You can configure the "shun" option so the ASA places a block on the source host(s), but I don't recommend this until you know what's causing the syslog.
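
    Those two messages say the same thing twice: the scanning-threat burst rate (drops per second over a short window) went over the configured 10 while the average over the interval stayed under 5, so the ASA saw short spikes of dropped packets rather than a sustained flood. As an added example (my code, not from this thread), the parser below pulls those fields out of 733100 lines and summarises them per category, which is the first step before deciding whether `threat-detection scanning-threat shun` is warranted. The two log lines are the ones quoted in the question; mapping rate-1 and rate-2 to the 600 s and 3600 s intervals is my assumption.

```python
"""Parse and summarise ASA %ASA-4-733100 threat-detection messages.

Added example, not from the post. The two SAMPLE_LOGS lines are quoted from
the question; the parser and threshold logic are this example's own. The
rate-id to interval mapping is an assumption (rate-1 = first configured
interval, 600 s by default for scanning-threat; rate-2 = 3600 s).
"""
import re
from collections import defaultdict

SAMPLE_LOGS = """\
May 23 2014 22:03:40: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 3 per second, max configured rate is 5; Cumulative total count is 2252
May 22 2014 20:48:53: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 716
"""

RATE_INTERVAL = {"1": 600, "2": 3600}   # assumed mapping, see module docstring

PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-733100: "
    r"\[\s*(?P<category>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)$"
)


def parse_733100(line):
    """Return a dict of fields for a 733100 line, or None for any other syslog message."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for k in ("burst", "burst_max", "avg", "avg_max", "total"):
        ev[k] = int(ev[k])
    ev["interval_s"] = RATE_INTERVAL.get(ev["rate_id"])
    return ev


def exceeded(ev):
    """Which thresholds actually tripped: ['burst'], ['average'] or both."""
    hits = []
    if ev["burst"] > ev["burst_max"]:
        hits.append("burst")
    if ev["avg"] > ev["avg_max"]:
        hits.append("average")
    return hits


def summarize(lines):
    """Per category: event count, worst burst, whether the sustained average ever
    tripped, and the highest cumulative drop count seen. Bursts alone usually mean a
    scan or a noisy host; a tripped average means the condition is continuous."""
    out = defaultdict(lambda: {"events": 0, "peak_burst": 0,
                               "average_tripped": False, "last_total": 0})
    for line in lines:
        ev = parse_733100(line)
        if ev is None:
            continue
        s = out[ev["category"]]
        s["events"] += 1
        s["peak_burst"] = max(s["peak_burst"], ev["burst"])
        s["average_tripped"] = s["average_tripped"] or "average" in exceeded(ev)
        s["last_total"] = max(s["last_total"], ev["total"])
    return dict(out)


if __name__ == "__main__":
    for category, stats in summarize(SAMPLE_LOGS.splitlines()).items():
        print(category, stats)
```

    `show threat-detection scanning-threat` lists the hosts the ASA currently classifies as attackers or targets, and `show threat-detection rate` (already captured in the question) shows which rate tripped; correlate the source addresses from that output with anything that legitimately scans the network, such as a vulnerability scanner or a monitoring system, before turning on shun.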

  • Cisco ASA 5505 host license count?

    Hi,
    I have an ASA 5505 with the base 50-user license deployed for a 15-person branch office. But recently the ASA started to block internal hosts since the license reached the max of 50.
    I did show local-host on the ASA and then manually filtered the output in a spreadsheet, and there are only about 20 individual internal IP addresses.
    According to Cisco,
    In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit when they communicate with the outside (Internet VLAN), including when the inside initiates a connection to the outside as well as when the outside initiates a connection to the inside. Note that even when the outside initiates a connection to the inside, outside hosts are not counted towards the limit; only the inside hosts count. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the outside Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.
    So individual internal IP address will be counted against license on ASA, right? Then where are the other 30 hosts? The ASA is running 8.2(5).
    Thanks,
    /S

    The 8.0 code only means that is the code that it has been reported in...doesn't necessarily mean that it is not found in the 8.2 code...but since you are not doing hairpinning this bug doesn't relate to your issue anyway.
    Do your users connect their mobile phones and tablets to the network as well? How many printers, servers, and other non-user devices connect to the network?
    Please remember to select a correct answer and rate

  • CISCO ASA denies certain websites

    hi,
    I have a user on Vista who is unable to access certain websites, for example http://www.hsbc.co.uk. Most others on the network can access the website; however, it appears another user can't. Both users can access the site from home but not from the office, using the same laptops. I am not sure which settings on the Cisco ASA I should change to resolve this issue.
    I wondered if anyone had any ideas?
    thanks
    Gavin

    You may have enabled URL filtering on the ASA, which will block the websites you have configured to be blocked by the filter. Check whether you have configured URL filtering and, if so, remove the URLs you want to be accessible from the filtering configuration.
