Encryption Content Filter: Enc & Deliver Now vs. Enc on Delivery
My understanding is that the difference between "Encrypt & Deliver Now" and "Encrypt on Delivery" is that the former encrypts and sends the message immediately, whereas the latter continues with the message processing and encrypts the message later, just prior to sending.
What are some practical examples of processing that can happen in the message pipeline which may require "Enc on Delivery"? What is the best practice and the guidance for selecting the right option?
If I misconfigure and set the "Enc & Deliver Now" when some processing is short circuited, would IronPort detect the condition and notify the admin via logging or other methods?
Thanks.
Hello John,
Your explanation is correct. A common scenario for both of these cases would be an outbound setup that uses DLP and filters. In this setup, senders could actively flag their messages to be encrypted, i.e. using the secure plugin to add a header, or by putting "Encrypt" in the subject. Now we have two possible cases, or requirements:
- All sensitive data must be encrypted
or
- Sensitive data leaving the company requires further inspection or approval
In the first case, any message flagged for encryption won't need further inspection, and the message may just go directly to the delivery queue. This saves the resources that DLP would need to scan the message, which is not really necessary. Yet DLP would still take care of any sensitive data if the user "forgets" to flag it appropriately.
The second case would be something where certain content may not leave the company at all, so we still want DLP to check on that, and delete or bounce the message. Also for anything where the message is sent to a quarantine (Filter, DLP), depending on the action on the quarantine, the message will be either delayed, or will be encrypted when released from the quarantine.
Of course, in many cases there may be a combined setup of both kinds of filter actions, applied to different policies, where the action depends on the sender or recipient. Regarding your last question about possible misconfiguration, if I understand you correctly you are asking whether there is a warning in the logs when a filter action flags a message to bypass some further processing. There is no such thing by default, so you would add a "Log Entry" to the filter if you want to have the action documented in the logs.
Hope that helps,
Andreas
Similar Messages
-
Encryption Content Filter vs. DLP Encrypt Action
As I go through the IronPort Email Config Guide, I see two places where email encryption is mentioned:
1) Under DLP configuration (chapter 11): as an action for DLP policy violation
2) Under Email Encryption configuration (chapter 12): as a content filter which determines which messages should be encrypted
Are both of these methods using the same encryption engine? Does the DLP "encrypt" policy action end up invoking CRES and sending an encrypted message to the recipient which has the same format as the encrypted message generated by the encryption content filter (assuming no DLP filter is configured)?
Thanks.
I ran into this recently and both of them use the same encryption engine. DLP policies will trigger messages to be encrypted; however, policies are processed top to bottom and left to right, so DLP policies will be enforced after Content Filter policies. Additionally, each policy can be set with specific features. In my opinion, Content Filters provide more options to catch interesting traffic via regular expressions, dictionaries, text resources, etc.
-
New ASA5512- 5515: content filter and WAN load balancing
Hi,
Is it possible to do content filtering with the new ASA models?
One of our customers would like to have a content filter with the possibility to monitor single client activity (log).
Is it also possible to do load balancing between 2 WANs?
Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
Thanks in advance,
Paolo.
I saw that you can add the CX feature:
CX - Context Aware Security Feature:
Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with an SSD purchase for models such as the 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
Application Visibility Control (AVC):
This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.
Web Security Essentials (WSE):
This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
Can somebody confirm that?
Has somebody already used and configured these features?
Thank you,
Paolo.
-
Content Filter - attachment stripping logic not working like I think it should
Hello,
I am working on a content filter for stripping file attachments - my logic is this:
Condition: If File Type does NOT EQUAL file type Documents: attachment-filetype != "Document"
Action: Strip File Attachment by File Info: drop-attachments-by-size(0 bytes)
My thought is that files that are not word docs, "test.ZIP" for example, would match the condition of not being a document. The match specifies that the action should then be performed on it - strip the attachment if it is over 0 bytes, which would be a match to any file.
Right now, it strips anything, documents included... it's like the condition does not exist. I considered using Message Filters at first, but I need to provide a replacement message with each attachment I strip. Thanks in advance for your help!
Hey Daniel,
Your understanding is correct to a point.
The condition you set is correct, it will look for emails where attachments are NOT document files according to their mime structure.
Once this condition is met (i.e. test.zip), it will fall through to the action.
Your action however is set to drop all attachments greater than 0 bytes.
So for a setup like this I would suggest:
First content filter:
Attachment filetype is equal to "document"
Action for this content filter : skip remaining content filters
Second content filter:
(Either no condition or Attachment filetype is NOT "document")
Action -> Strip if size greater than 0
The reason all attachment filetypes are being stripped, even documents, is that the condition simply states what needs to be seen to trigger the action,
but the action is not set to exempt document files; it strips them all.
-
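Here is an added Python model of the two filter designs discussed above (it is not AsyncOS code or either poster's), run over constructed messages including the mixed case of a document plus a zip in one message. It assumes the semantics the answer describes: a condition matches a message if any attachment satisfies it, the strip action then applies to every attachment of that message, and "skip remaining content filters" stops evaluation; DOCUMENT_EXTENSIONS is a constructed stand-in for the appliance's file-type group.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed stand-in for the appliance's MIME-based "Document" file-type
# group (assumption: the real group is determined by MIME type, not extension).
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf"}


@dataclass
class Attachment:
    name: str
    size: int  # bytes

    @property
    def is_document(self) -> bool:
        return self.name.rsplit(".", 1)[-1].lower() in DOCUMENT_EXTENSIONS


@dataclass
class Message:
    attachments: List[Attachment]
    log: List[str] = field(default_factory=list)  # what each filter did


@dataclass
class ContentFilter:
    name: str
    condition: Callable[[Message], bool]   # evaluated once per message
    action: Callable[[Message], None]      # applied to the whole message
    skip_remaining: bool = False           # "skip remaining content filters"


def drop_attachments_by_size(min_size: int) -> Callable[[Message], None]:
    """Model of drop-attachments-by-size: remove every attachment larger than min_size."""
    def action(msg: Message) -> None:
        kept = []
        for att in msg.attachments:
            if att.size > min_size:
                msg.log.append(f"stripped {att.name}")
            else:
                kept.append(att)
        msg.attachments = kept
    return action


def no_action(msg: Message) -> None:
    """Filter with no action of its own (used only for its skip flag)."""


def run_filters(msg: Message, filters: List[ContentFilter]) -> Message:
    """Evaluate content filters in order; a matching filter runs its action."""
    for f in filters:
        if f.condition(msg):
            msg.log.append(f"matched {f.name}")
            f.action(msg)
            if f.skip_remaining:
                break
    return msg


# Daniel's original design: one filter, condition "filetype != Document".
# The condition is message-level, so a zip anywhere in the message makes the
# whole message match and the action then strips everything in it.
SINGLE_FILTER = [
    ContentFilter("strip_non_docs",
                  condition=lambda m: any(not a.is_document for a in m.attachments),
                  action=drop_attachments_by_size(0)),
]

# The suggested chain: exempt messages carrying a document, then strip the rest.
TWO_FILTERS = [
    ContentFilter("doc_exempt",
                  condition=lambda m: any(a.is_document for a in m.attachments),
                  action=no_action, skip_remaining=True),
    ContentFilter("strip_rest",
                  condition=lambda m: True,
                  action=drop_attachments_by_size(0)),
]


def remaining_names(filters: List[ContentFilter],
                    specs: List[Tuple[str, int]]) -> List[str]:
    """Run a filter chain over a constructed message and report what survives."""
    msg = Message([Attachment(n, s) for n, s in specs])
    return [a.name for a in run_filters(msg, filters).attachments]


if __name__ == "__main__":
    for label, chain in (("single filter", SINGLE_FILTER), ("two filters", TWO_FILTERS)):
        for specs in ([("report.docx", 4096)], [("test.zip", 4096)],
                      [("report.docx", 4096), ("test.zip", 4096)]):
            print(f"{label:13} {[n for n, _ in specs]} -> {remaining_names(chain, specs)}")
```

Under these assumptions the mixed message loses both attachments with the single filter, while the two-filter chain exempts the whole message, zip included, because the first filter's skip action is message-level too.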
Exchange server 2013 content filter rejecting all incoming messages as spam.
Hello All,
Today, out of the blue, our Exchange Server 2013 install started rejecting any inbound message as spam. It first started with only one user not being able to receive any mail because of this anomaly, and then after 12 or so hours all users were getting their mail rejected.
I currently had the threshold set to 5 on external messages only. Internal is disabled.
I have tried setting the threshold to 8 and 9, and rebooted the server after restarting all services just to make sure everything reset. I even dished out an IISRESET just in case. Whatever I tried still does not work.
The install is a stand-alone server facing the outside world (no edge server) living in a 2 domain controller environment with a SharePoint farm thrown in (ESXi 5.5 environment).
Everything works just fine and dandy if I disable the content filter altogether. I'm not seeing anything in the application logs out of the ordinary. Everything was working great, and the same settings I used on this server worked well for a totally different server that runs just fine.
Any ideas?
fr0stsp1re
RunspaceId : 87157b62-a061-436b-8fb9-dab446be3473
Name : ContentFilterConfig
RejectionResponse : Message rejected as spam by Content Filtering.
OutlookEmailPostmarkValidationEnabled : True
BypassedRecipients : {}
QuarantineMailbox :
SCLRejectThreshold : 6
SCLRejectEnabled : False
SCLDeleteThreshold : 9
SCLDeleteEnabled : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled : False
BypassedSenders : {}
BypassedSenderDomains : {}
Enabled : False
ExternalMailEnabled : True
InternalMailEnabled : False
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport Settings,CN=Smith And Smith,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=XXXXXXXXXXX,DC=com
Identity : ContentFilterConfig
Guid : 8f86e0b6-da37-42d3-b7cd-b9635b7db271
ObjectCategory : XXXXXXXXXXXXXXXXXXX/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter-Config
ObjectClass : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
WhenChanged : 5/28/2014 12:15:21 PM
WhenCreated : 5/1/2014 4:17:55 PM
WhenChangedUTC : 5/28/2014 7:15:21 PM
WhenCreatedUTC : 5/1/2014 11:17:55 PM
OrganizationId :
OriginatingServer : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
IsValid : True
ObjectState : Unchanged
This is what it is set at now. Completely disabled. It worked fine for quite some time, filtering out spam pretty nicely, then one day everyone's mail was being rejected as spam by the content filtering agent. I know of someone else who also had this issue, except their box was running 2008 R2 with EX2007. They too disabled the content filter as it was giving them too many problems with mail being rejected.
fr0stsp1re
-
Regular Expression in content filter
Hey,
I want to create a content filter with the "body-contains" condition in combination with a regular expression. To specify it:
I want to check whether a string (disclaimer) has already been added to the email. If not, I have to add the footer.
So to say: REGULAR EXPRESSION = does not contain "string"
But how does the regular expression look like?
<rule>
<rule_type>Only_Body_Contains_Rule</rule_type>
<rule_data>REGULAR EXPRESSION (does not contain...)</rule_data>
<rule_extra1>1</rule_extra1>
</rule>
Thx
You MAY be able to use a negative lookahead assertion like:
?!EXPRESSION
this results in:
content_filter: if (only-body-contains("?!disclaimer text", 1) )
OR in message filters you can say:
if ( not body-contains("EXPRESSION",1) )
all that said, you should just have two content filters, 1 to check for the filter and deliver immediately (w/o filter stamp) and another catch-all filter to stamp filters. for example:
disclaimer_skip
disclaimer_skip: if (only-body-contains("disclaimer text", 1)) { deliver(); }
outbound-disclaimer-catchall
outbound-disclaimer-catchall: if (true) { add-footer("my_disclaimer"); }
cheers,
andrew
-
Confusing about Message filter and Content filter
I have a message filter do quarantine action:
badbody: if body-dictionary-match("badbody", 1) {
quarantine ("Policy");
deliver();
}
I also wrote a content filter 'good' to see what spam is missed by IronPort Anti-Spam:
Conditions (only if all conditions match):
header("X-IronPort-Quarantine") != "^Policy$"
header("X-Spam-flag") != "^(?i)YES$"
Action:
duplicate-quarantine ("good")
deliver()
I think these two rules could not both occur, because the filter badbody had already sent the spam to quarantine 'Policy', so it should not be possible to duplicate it to quarantine 'good'.
But it happens:
Tue Jun 17 18:52:55 2008 Info: New SMTP ICID 26146919 interface InNet (10.68.2.161) address 61.135.132.136 reverse dns host websmtp.sohu.com verified no
Tue Jun 17 18:52:55 2008 Info: ICID 26146919 ACCEPT SG ICP match .sohu.com SBRS 5.5
Tue Jun 17 18:52:55 2008 Info: Start MID 10698519 ICID 26146919
Tue Jun 17 18:52:55 2008 Info: MID 10698519 ICID 26146919 From: <mia_kma3998>
Tue Jun 17 18:52:55 2008 Info: MID 10698519 ICID 26146919 RID 0 To: <swordhuihui>
Tue Jun 17 18:52:55 2008 Info: MID 10698519 Message-ID '<10849536>'
Tue Jun 17 18:52:55 2008 Info: MID 10698519 Subject '=?GB2312?B?1Pa807z7zsU=?='
Tue Jun 17 18:52:55 2008 Info: MID 10698519 ready 1452582 bytes from <mia_kma3998>
Tue Jun 17 18:52:56 2008 Info: MID 10698519 matched all recipients for per-recipient policy DEFAULT in the inbound table
Tue Jun 17 18:52:56 2008 Info: MID 10698519 was too big (1452582/102400) for scanning by CASE
Tue Jun 17 18:52:56 2008 Info: Start MID 10698528 ICID 0
Tue Jun 17 18:52:56 2008 Info: MID 10698528 was generated based on MID 10698519 by duplicate-quarantine filter 'good'
Tue Jun 17 18:52:56 2008 Info: MID 10698528 ICID 0 From: <mia_kma3998>
Tue Jun 17 18:52:56 2008 Info: MID 10698528 ICID 0 RID 0 To: <swordhuihui>
Tue Jun 17 18:52:56 2008 Info: MID 10698528 ready 1452584 bytes from <mia_kma3998>
Tue Jun 17 18:52:56 2008 Info: MID 10698528 quarantined to "good" (duplicated by content filter:good)
Tue Jun 17 18:52:56 2008 Info: MID 10698519 quarantined to "Policy" (message filter:flg1)
Tue Jun 17 18:52:59 2008 Info: ICID 26146919 close
The log shows the quarantine action of the message filter taking effect after the content filter action. I'm quite confused.
Any suggestion?
The original message was marked to go to the "Policy" system quarantine via the message filter. However, that message continues through the email pipeline. If no other action affects that message (i.e. dropped by Sophos anti-virus), then the system will move the message to the "Policy" quarantine as originally marked.
However, in your case, the message was marked to be sent to the "Policy" system quarantine, and then it matched your content filter and did two things:
1. spawned a copy of the original message and sent this new one to the "good" system quarantine. (see MID 10698528)
2. the original copy was left alone and this one was sent to the "Policy" quarantine. If you had a drop() action, then it would have gotten dropped and you would have been left with the single copy from #1 (see MID 10698519)
What was the intended behavior you were trying to achieve?
Here are some references that may help:
1. Where can I see a diagram of the IronPort email pipeline?
You can find a diagram of the queue sequence if you click on the Help link in the top right of the web interface; it takes a while for it to load. Find the section "Understanding the Email Pipeline" and then under that "Overview: Email Pipeline".
-
With all the phishing emails going on, we have been hit at least weekly for the past 2 months, I'd like to create an Incoming Content Filter to quarantine these. From looking at the messages they all seem to have the word "password:" on a line by itself.
I've added a content filter to search for that phrase, send me a copy of the message and then deliver the message. I've done this as a test and to my surprise have found 10-20 valid messages per hour with this string!
What is different about the phishing string and valid string is that for valid email, the word password: is followed by more text.
So, my question is how do I create a content filter where the entire line is any one of these? I'd even settle for one of them.
password:
Password:
password:
Password:
The last two lines have a space after the colon.
I've tried "^[Pp]assword:$" without the quotes but it doesn't work.
Are you looking for case-insensitivity?
Case-insensitivity (?i)
The token (?i) indicates that the rest of the regular expression should be treated in case-insensitive mode. Placing this token at the beginning of a case-sensitive regular expression results in a completely case-insensitive match.
For example, the regular expression “(?i)viagra” matches Viagra, vIaGrA, and VIAGRA.
-
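Both regex questions in the threads above (a body that does not yet contain the disclaimer, and a line that is only "password:") can be checked with patterns like the following; this is an added Python example, not AsyncOS filter syntax or either poster's code, and it assumes Python's re dialect behaves like the appliance's engine for (?i), multiline anchors and negative lookahead. The sample bodies and the disclaimer string are constructed.

```python
import re

# A line that is ONLY "password:" in any case, optionally followed by spaces,
# tabs or the CR of a CRLF line ending. (?i) = case-insensitive; (?m) makes
# ^ and $ match at line boundaries instead of only at the ends of the body.
PASSWORD_ONLY_LINE = re.compile(r"(?im)^password:[ \t\r]*$")

# The poster's original pattern, kept here to show why it fails on a whole
# body: without multiline mode ^ and $ anchor only at the body's ends
# (Python semantics; assumption that the appliance's engine behaves alike).
ORIGINAL_PATTERN = re.compile(r"^[Pp]assword:$")


def password_only_lines(body: str) -> list:
    """Return every line of the body that consists solely of 'password:'."""
    return [m.group(0).rstrip() for m in PASSWORD_ONLY_LINE.finditer(body)]


def original_pattern_matches(body: str) -> bool:
    """Does the un-flagged '^[Pp]assword:$' match anywhere in the body?"""
    return ORIGINAL_PATTERN.search(body) is not None


def needs_footer(body: str, disclaimer: str) -> bool:
    """True when the disclaimer is absent, via an anchored negative lookahead.

    \\A pins the assertion to the start of the body, [\\s\\S]* lets the lookahead
    scan across line breaks, and re.escape keeps the disclaimer's punctuation
    literal. A match means 'disclaimer NOT found', i.e. the footer is needed.
    """
    pattern = r"\A(?![\s\S]*" + re.escape(disclaimer) + r")"
    return re.search(pattern, body) is not None


# Constructed sample bodies (not real messages).
PHISH_BODY = ("Dear user,\r\n"
              "Your mailbox is over quota. Confirm your details below.\r\n"
              "Username:\r\n"
              "Password: \r\n"
              "IT Helpdesk\r\n")

VALID_BODY = ("Hi Bob,\n"
              "the guest Wi-Fi password: Guest-2014 is on the lobby sign.\n"
              "Password: rotate it monthly\n")

DISCLAIMER = "This email and any attachments are confidential."
BODY_WITH_FOOTER = "Quarterly numbers attached.\n\n" + DISCLAIMER + "\n"
BODY_WITHOUT_FOOTER = "Quarterly numbers attached.\n"

if __name__ == "__main__":
    print(password_only_lines(PHISH_BODY))               # ['Password:']
    print(password_only_lines(VALID_BODY))               # []
    print(original_pattern_matches(PHISH_BODY))          # False
    print(needs_footer(BODY_WITHOUT_FOOTER, DISCLAIMER))  # True
    print(needs_footer(BODY_WITH_FOOTER, DISCLAIMER))     # False
```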
I recently got my two teenagers a Droid Maxx and they love it. My question is if anyone knows why the content filter option doesn't work for it. You would think the content filter would work on all phones. Seems to me that prior to releasing any new phone they should have made sure all features of the Verizon account would work. Does anyone know if they are going to resolve this issue and if so when?? I do think it is irresponsible for the feature to not work considering the number of kids using cell phones now. How can a parent who wants to control content do so if not available. I think this should be a priority with Verizon. Do they value kids safety or not?
Hey there, skyhawk1! Thanks for your purchase of two new Droid Maxx smartphones. I hope your teenagers are loving them! I'm very curious about the crux of your post here. You've expressed interest in Content Filtering, and stated that the service is incompatible with the Droid Maxx. Our records indicate that the model will support filtering. Can you tell me why you feel that it doesn't? Did you attempt to add or request it, only to be denied? Please share the details. Thanks!
For more info on Content Filtering, please review this link: http://vz.to/17xz67N
DionM_VZW
Follow us on Twitter www.twitter.com/vzwsupport
-
New content filter = no more ARD !?!?!?!
I manage two sub-networks which use the same router and content filter but with different IP addresses. I used to be able to connect to any machine on either network from the other one, but now I can't. I also have a new content filter, which I think is causing the problem. The machines are listed as sleeping when I know they are not.
Any idea how I can get this to work?
Thanks
Make sure that the filter and router pass TCP/UDP ports 3283 and 5900. Most likely it's blocking at least 3283.
Regards.
-
Really Slow web surfing through ZBF with IOS Content filter
Edited: attached partial output of "sh policy-map type inspect zone-pair urlfilter"
Hey, all
We have a 1921 router with an IOS Content Filter subscription and it is also configured as a ZBF running the latest IOS v15.1. End users keep complaining about slow web surfing. I connected to the network and tested myself and found an intermittent surfing experience.
For example, access to www.ibm.com or www.cnn.com hangs 7 times out of 10 attempts and maybe only loads reasonably quickly in 1-2 of the 3. This also affects the speed of downloads from websites.
I have a case open with Cisco TAC and a CCIE checked my configuration but nothing caught his eye...
I decided to post the issue here in case we both missed something:
Current configuration : 18977 bytes
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname abc_1921
boot-start-marker
boot system flash:/c1900-universalk9-mz.SPA.151-4.M4.bin
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authentication login NONE_LOGIN none
aaa authorization exec default local
aaa session-id common
clock timezone AST -4 0
clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
no ipv6 cef
ip source-route
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.111 192.168.1.254
ip dhcp pool DHCPPOOL
import all
network 192.168.1.0 255.255.255.0
domain-name abc.local
dns-server 192.168.10.200 192.168.10.202
netbios-name-server 4.2.2.4
default-router 192.168.1.150
option 202 ip 192.168.1.218
lease 8
ip domain name abc.locol
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip port-map user-port-1 port tcp 5080
ip port-map user-port-2 port tcp 3389
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type urlfpolicy trend cprepdenyregex0
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type urlf-glob cpaddbnwlocparapermit2
pattern www.alc.ca
pattern www.espn.com
pattern www.bestcarriers.com
pattern www.gulfpacificseafood.com
pattern www.lafermeblackriver.ca
pattern 69.156.240.29
pattern www.tyson.com
pattern www.citybrewery.com
pattern www.canadianbusinessdirectory.ca
pattern www.homedepot.ca
pattern ai.fmcsa.dot.gov
pattern www.mtq.gouv.qc.ca
pattern licenseinfo.oregon.gov
pattern www.summitfoods.com
pattern www.marine-atlantic.ca
pattern www.larway.com
pattern www.rtlmotor.ca
pattern *.abc.com
pattern *.kijiji.ca
pattern *.linkedin.com
pattern *.skype.com
pattern toronto.bluejays.mlb.com
pattern *.gstatic.com
parameter-map type urlf-glob cpaddbnwlocparadeny3
pattern www.facebook.com
pattern www.radiofreecolorado.net
pattern facebook.com
pattern worldofwarcraft.com
pattern identityunknown.net
pattern static.break.com
pattern lyris01.media.com
pattern www.saltofreight.com
pattern reality-check.com
pattern reality-check.ca
parameter-map type ooo global
tcp reassembly timeout 5
tcp reassembly queue length 128
tcp reassembly memory limit 8192
parameter-map type trend-global global-param-map
cache-size maximum-memory 5000
crypto pki token default removal timeout 0
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
crypto pki trustpoint trps1_server
revocation-check none
crypto pki trustpoint TP-self-signed-3538579429
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3538579429
revocation-check none
rsakeypair TP-self-signed-3538579429
!! CERTIFICATE OMITTED !!
redundancy
ip ssh version 2
class-map type inspect match-any INCOMING_VPN_TRAFFIC_MAP
match access-group name REMOTE_SITE_SUBNET
class-map type inspect match-all PPTP_GRE_INSPECT_MAP
match access-group name ALLOW_GRE
class-map type inspect match-all INSPECT_SKINNY_MAP
match protocol skinny
class-map type inspect match-all INVALID_SOURCE_MAP
match access-group name INVALID_SOURCE
class-map type inspect match-all ALLOW_PING_MAP
match protocol icmp
class-map type urlfilter match-any cpaddbnwlocclasspermit2
match server-domain urlf-glob cpaddbnwlocparapermit2
class-map type urlfilter match-any cpaddbnwlocclassdeny3
match server-domain urlf-glob cpaddbnwlocparadeny3
class-map type urlfilter trend match-any cpcatdenyclass2
class-map type inspect match-all cpinspectclass1
match protocol http
class-map type inspect match-any CUSTOMIZED_PROTOCOL_216
match protocol citriximaclient
match protocol ica
match protocol http
match protocol https
class-map type inspect match-any INSPECT_SIP_MAP
match protocol sip
class-map type urlfilter trend match-any cptrendclasscatdeny1
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url category Chat-Instant-Messaging
match url category Cult-Occult
match url category Cultural-Institutions
match url category Gambling
match url category Games
match url category Illegal-Drugs
match url category Illegal-Questionable
match url category Internet-Radio-and-TV
match url category Joke-Programs
match url category Military
match url category Nudity
match url category Pay-to-surf
match url category Peer-to-Peer
match url category Personals-Dating
match url category Pornography
match url category Proxy-Avoidance
match url category Sex-education
match url category Social-Networking
match url category Spam
match url category Tasteless
match url category Violence-hate-racism
class-map type inspect match-any INSPECT_PROTOCOLS_MAP
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol icmp
class-map type urlfilter trend match-any cptrendclassrepdeny1
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
class-map type inspect match-all CUSTOMIZED_NAT_MAP_1
match access-group name CUSTOMIZED_NAT_1
match protocol user-port-1
class-map type inspect match-all CUSTOMIZED_NAT_MAP_2
match access-group name CUSTOMIZED_NAT_2
match protocol user-port-2
class-map type inspect match-any INSPECT_H323_MAP
match protocol h323
match protocol h323-nxg
match protocol h323-annexe
class-map type inspect match-all INSPECT_H225_MAP
match protocol h225ras
class-map type inspect match-all CUSTOMIZED_216_MAP
match class-map CUSTOMIZED_PROTOCOL_216
match access-group name CUSTOMIZED_NAT_216
policy-map type inspect OUT-IN-INSPECT-POLICY
class type inspect INCOMING_VPN_TRAFFIC_MAP
inspect
class type inspect PPTP_GRE_INSPECT_MAP
pass
class type inspect CUSTOMIZED_NAT_MAP_1
inspect
class type inspect CUSTOMIZED_NAT_MAP_2
inspect
class type inspect CUSTOMIZED_216_MAP
inspect
class class-default
drop
policy-map type inspect urlfilter cppolicymap-1
description Default abc Policy Filter
parameter type urlfpolicy trend cprepdenyregex0
class type urlfilter cpaddbnwlocclasspermit2
allow
class type urlfilter cpaddbnwlocclassdeny3
reset
log
class type urlfilter trend cptrendclasscatdeny1
reset
log
class type urlfilter trend cptrendclassrepdeny1
reset
log
policy-map type inspect IN-OUT-INSPECT-POLICY
class type inspect cpinspectclass1
inspect
service-policy urlfilter cppolicymap-1
class type inspect INSPECT_PROTOCOLS_MAP
inspect
class type inspect INVALID_SOURCE_MAP
inspect
class type inspect INSPECT_SIP_MAP
inspect
class type inspect ALLOW_PING_MAP
inspect
class type inspect INSPECT_SKINNY_MAP
inspect
class type inspect INSPECT_H225_MAP
inspect
class type inspect INSPECT_H323_MAP
inspect
class class-default
drop
zone security inside
description INTERNAL_NETWORK
zone security outside
description PUBLIC_NETWORK
zone-pair security INSIDE_2_OUTSIDE source inside destination outside
service-policy type inspect IN-OUT-INSPECT-POLICY
zone-pair security OUTSIDE_2_INSIDE source outside destination inside
service-policy type inspect OUT-IN-INSPECT-POLICY
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 11.22.3.1
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set TunnelToCold esp-3des
crypto map TunnelsToRemoteSites 10 ipsec-isakmp
set peer 11.22.3.1
set transform-set TunnelToCold
match address TUNNEL_TRAFFIC2Cold
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description OUTSIDE_INTERFACE
ip address 1.1.1.186 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex full
speed 1000
crypto map TunnelsToRemoteSites
crypto ipsec df-bit clear
interface GigabitEthernet0/1
description INSIDE_INTERFACE
ip address 192.168.1.150 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex full
speed 1000
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.1.217 5080 interface GigabitEthernet0/0 5080
ip nat inside source route-map NAT_MAP interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.216 80 1.1.1.187 80 extendable
ip nat inside source static tcp 192.168.1.216 443 1.1.1.187 443 extendable
ip nat inside source static tcp 192.168.1.216 1494 1.1.1.187 1494 extendable
ip nat inside source static tcp 192.168.1.216 2598 1.1.1.187 2598 extendable
ip nat inside source static tcp 192.168.1.213 3389 1.1.1.187 3390 extendable
ip nat inside source static tcp 192.168.1.216 5080 1.1.1.187 5080 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.185
ip access-list standard LINE_ACCESS_CONTROL
permit 192.168.1.0 0.0.0.255
ip access-list extended ALLOW_ESP_AH
permit esp any any
permit ahp any any
ip access-list extended ALLOW_GRE
permit gre any any
ip access-list extended CUSTOMIZED_NAT_1
permit ip any host 192.168.1.217
permit ip any host 192.168.1.216
ip access-list extended CUSTOMIZED_NAT_2
permit ip any host 192.168.1.216
permit ip any host 192.168.1.212
permit ip any host 192.168.1.213
ip access-list extended CUSTOMIZED_NAT_216
permit ip any host 192.168.1.216
ip access-list extended INVALID_SOURCE
permit ip host 255.255.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended NAT_RULES
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended REMOTE_SITE_SUBNET
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ABM
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Bridgewater
permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookDispatch
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookETL
permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2ColdbrookTrailershop
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Moncton
permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2MountPearl
permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended TUNNEL_TRAFFIC2Ontoria
permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended WEB_TRAFFIC
permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 10 permit 192.168.1.0 0.0.0.255
route-map NAT_MAP permit 10
match ip address NAT_RULES
snmp-server community 1publicl RO
control-plane
line con 0
logging synchronous
login authentication NONE_LOGIN
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class LINE_ACCESS_CONTROL in
exec-timeout 30 0
logging synchronous
transport input all
scheduler allocate 20000 1000
ntp server 0.ca.pool.ntp.org prefer
ntp server 1.ca.pool.ntp.org
end
Hi,
I know this is for a different platform but have a look at this link:
https://supportforums.cisco.com/thread/2089462
Read through it to get some idea of the similarity, but in particular note the last entry almost a year after the original post.
I too am having trouble with http inspection, if I do layers 3 & 4 inspection there is no issue whatsoever, but as soon as I enable layer 7 inspection then I have intermittent browsing issues.
The easy solution here is to leave it at layers 3 & 4, which doesn't give you the flexibility to do cool things like blocking websites, IM, regex expression matching etc... but in my opinion I just don't think these routers can handle it.
It appears to be a hit and miss affair, and going on the last post from the above link, you might be better off in having the unit replaced under warranty.
The alternative is wasting a lot of time and effort and impacting your users to get something up and running that in the end is so flaky that you have no confidence in the solution and you are then in a situation where ALL future issues users are facing MIGHT be because of this layer 7 inspection bug/hardware issue etc?
I would recommend you use the router as a frontline firewall with inbound/outbound ACLs (no inspection), and then invest a few $ in getting a dedicated ASA firewall (but that's just me)
-
Can't play DRM encrypted content with Flash Player 11.3
Hi, I'm working as a developer on a video on demand service!
I just updated to Flash Player 11.3 and now I can't play any DRM encrypted content anymore on Windows.
I use SSL to connect to the DRM server, please help!
I use Windows Vista.
Flash Player v 11,3,300,257
Does not work on Chrome 19, FireFox 13 or IE.
I tried to play the video http://drmtest2.adobe.com/AccessPlayer/player.html and I get a 3329 DRM error -
Restricting email recipient domain with content filter
Gents,
I am looking to restrict the email recipient domain to two with the help of a content filter instead of using the RAT table.
Please help me out.
I understand that you want mail to be rejected for all but 2 recipient users/domains. You also want to declare the users/domains via a Filter instead of in the RAT. This is not recommended, here is why:
- If you set the RAT to 'All Other Recipients' to 'Accept', other hosts may believe the ESA is an 'Open Relay' and may refuse mail from its IP.
- Bouncing mail after acceptance can cause 'backscatter' emails. This is where a mail server redistributes spam via bounces and it will cause some hosts to reject your mail.
- If done incorrectly, this can cause valid mail to bounce.
- If done incorrectly, this can make your ESA an Open Relay that can be abused by others.
If you still wish to proceed knowing the above risks, here are the high-level steps:
1) Set 'All Other Recipients' to 'Accept' in RAT
2) Create a new Incoming Mail Policy
- Add the valid users and/or domains to this new Policy
3) Create new Incoming Content Filter:
- Rule: leave empty
- Action: Bounce
4) Disable all scanning on Default Incoming Mail Policy
5) Apply the new Filter to the Default Incoming Mail Policy
6) Verify that the new Incoming Mail Policy has appropriate scanning enabled
This method works by accepting all mail sent to the ESA, even if it is for a domain you do not control or for an invalid recipient for a domain you do control. When the messages reach the Incoming Mail Policies, valid recipients will match on the new Policy while every other address matches the Default Incoming Mail Policy. Using the Policies in this way is required so that the message is 'splintered' before processing through most scanning features. Now only users/domain that do not match your new Policy will be Bounced by the Content Filter.
Again, I wish to stress that I do _not_ recommend this approach: it is far safer to simply list the valid users or domains directly in the RAT.
- Jackie -
I have a new iPhone 5S. While trying to learn about it, I accidentally recorded a voice memo with no content. I cannot now figure out how to get rid of it. There is a banner across the top of my phone with this memo which I don't want. I have deleted it from iTunes but cannot get it off the phone. Help!
The banner usually indicates that the memo is "Paused." If you go back into voice memos, touch the word "Done" beside the big red pause button, give it a name, then it will show in a list. Touch the memo in the list then touch the trash can icon that should appear.
-
Can I set up a Content Filter that is Time/Date stamp dependent?
My company would like to add an additional disclaimer text during Holidays where the company is closed. It will say something like: "In observance of the 'XYZ' holiday, our offices will be closing at 3:00 PM on Friday, December........ and will reopen at 8:30 AM Monday.......".
I was wondering if there is a way to set up conditions in an Outgoing content filter to only include that text if the email is sent between certain dates.
This would allow me to set up the filters prior to the holidays and not have to manage them manually.
I tried to do it via Exchange Transport rule, but I can't find a time/date dependent condition for the rules in Exchange.
Thanks,
Rachel
Hi Rachel,
there is no way to achieve this directly in content filters; an indirect way would be to use a message filter that adds an additional header (i.e. X-mas: true) during a specific period. For that, message filters provide the 'date' rule, i.e.
HolidayHeader:
if ((date > '12/20/2012 13:00:00') and
    (date < '12/28/2012 12:00:00'))
{
    insert-header('X-mas', 'TRUE');
}
You'd then create an outbound content filter matching on this header and inserting the specific footer if the header exists. Or, of course, you could have that action in the message filter already, however in that case you need additional conditions to make sure the rule applies on outbound messages only.
Hope that helps,
Andreas
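As an added illustration of the second variant Andreas mentions (doing the footer action in the message filter itself, restricted to outbound mail), and not code from the original thread: this filter adds a listener condition so the footer is only attached to messages received on the outbound listener. The listener name "OutboundMail" and the footer resource name "HolidayClosure" are assumptions and must match what is configured on the appliance.

```text
HolidayFooter:
if ((recv-listener == "OutboundMail") and
    (date > '12/20/2012 13:00:00') and
    (date < '12/28/2012 12:00:00'))
{
    add-footer("HolidayClosure");
    log-entry("Holiday footer added to outbound message");
}
```

The log-entry action records each match in the mail logs, which is the only way to see afterwards which messages the date window actually caught.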