No outbound SMTP traffic via CSC SSM.
Hello
I have a problem with my ASA CSC-SSM module (version 6.1).
The inspection of HTTP and POP works fine, but I have a problem with the outbound SMTP traffic.
If I direct the SMTP traffic via a service policy to my CSC module, no mail is sent outbound.
If I remove the ACE from my service policy, SMTP works fine again.
The reason why I want to inspect my outbound mail traffic is that I want to add a disclaimer to my outgoing mails.
I read the admin guide, but there is no example of how to configure outbound SMTP (only inbound SMTP).
Is there something that i have to do?
I hope someone can help me.
Try this config:
access-list csc_out permit tcp host 192.168.200.xxx any eq smtp ---for smtp
access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq pop3
access-list csc_out permit tcp 192.168.2xx.0 255.255.255.0 any eq ftp
class-map csc_outbound_class
match access-list csc_out
policy-map csc_out_policy
class csc_outbound_class
csc fail-close
service-policy csc_out_policy interface inside
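Added example, not part of the thread and not Cisco's software: a small Python lint that reads the access-list, object-group, class-map, policy-map and service-policy lines of an ASA configuration and reports which TCP destination ports each service policy hands to the CSC module, on which interface (or globally), and whether the class is fail-close or fail-open. It answers "is SMTP actually in the class that points at the module, and where is that policy applied?" before anyone touches the module itself. The two sample configurations are constructed from snippets on this page with placeholder addresses; the second one uses the object-group service form, which goes beyond the config in the answer above.

```python
"""Added example, not from the forum thread: report which TCP ports an ASA
service policy hands to the CSC-SSM, where the policy is applied, and in
which fail mode. Sample configurations are constructed from the snippets
posted on this page; addresses are placeholders."""

# Constructed from the answer above (host/subnet addresses are placeholders).
SAMPLE_CONFIG = """\
access-list csc_out permit tcp host 192.168.200.10 any eq smtp
access-list csc_out permit tcp 192.168.200.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.200.0 255.255.255.0 any eq pop3
access-list csc_out permit tcp 192.168.200.0 255.255.255.0 any eq ftp
class-map csc_outbound_class
 match access-list csc_out
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-close
service-policy csc_out_policy interface inside
"""

# Constructed in the object-group style of the Exchange-server config later on this page.
SAMPLE_CONFIG_OBJGROUP = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
class-map global-class
 match access-list global_mpc
policy-map global_policy
 class inspection_default
  inspect esmtp
 class global-class
  csc fail-close
service-policy global_policy global
"""

# ASA port keywords for the services discussed in the threads.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "http": 80, "pop3": 110, "https": 443}


def port_number(token):
    """Map an ASA port token ('smtp' or '25') to an integer; None if unknown."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def csc_redirects(config):
    """One dict per (service-policy, class) pair with a 'csc' action: where it is
    applied, its fail mode, the ACL behind the class and the TCP ports it matches."""
    svc_groups, acl_ports, class_acl, policy_csc, applied = {}, {}, {}, {}, []
    block, pclass = None, None  # current (kind, name) block and class inside a policy-map
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "object-group" and len(t) > 2:
            block = ("group", t[2]) if t[1] == "service" else None
            if block:
                svc_groups.setdefault(t[2], set())
        elif t[0] == "port-object" and block and block[0] == "group":
            p = port_number(t[-1])
            if p is not None:
                svc_groups[block[1]].add(p)
        elif t[0] == "group-object" and block and block[0] == "group":
            svc_groups[block[1]] |= svc_groups.get(t[1], set())  # nested group defined earlier
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit")
            if i + 1 < len(t) and t[i + 1] == "tcp":  # only TCP ACEs carry a CSC-relevant port
                ports = acl_ports.setdefault(t[1], set())
                if "eq" in t:
                    last_eq = max(k for k, x in enumerate(t) if x == "eq")  # destination port
                    p = port_number(t[last_eq + 1]) if last_eq + 1 < len(t) else None
                    if p is not None:
                        ports.add(p)
                elif t[-2] == "object-group" and t[-1] in svc_groups:
                    ports |= svc_groups[t[-1]]
        elif t[0] == "class-map" and len(t) > 1 and t[1] != "type":
            block = ("class-map", t[1])
        elif t[0] == "match" and len(t) > 2 and t[1] == "access-list" and block and block[0] == "class-map":
            class_acl[block[1]] = t[2]
        elif t[0] == "policy-map" and len(t) > 1:
            block = ("policy", t[1]) if t[1] != "type" else None  # skip 'policy-map type inspect ...'
            pclass = None
            if block:
                policy_csc.setdefault(t[1], {})
        elif t[0] == "class" and len(t) > 1 and block and block[0] == "policy":
            pclass = t[1]
        elif t[0] == "csc" and block and block[0] == "policy" and pclass:
            policy_csc[block[1]][pclass] = t[1] if len(t) > 1 else None
        elif t[0] == "service-policy" and len(t) > 2:
            applied.append((t[1], "global" if t[-1] == "global" else " ".join(t[2:])))
    results = []
    for policy, target in applied:
        for cls, mode in policy_csc.get(policy, {}).items():
            acl = class_acl.get(cls)
            results.append({"target": target, "policy": policy, "class": cls, "acl": acl,
                            "fail_mode": mode, "ports": sorted(acl_ports.get(acl, set()))})
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG, SAMPLE_CONFIG_OBJGROUP):
        for r in csc_redirects(sample):
            print(f"{r['target']}: policy {r['policy']} class {r['class']} (acl {r['acl']}) "
                  f"-> csc {r['fail_mode']}, tcp ports {r['ports']}")
```

Run it against `show running-config` output saved to a file (read the file and pass the text to `csc_redirects`). An empty `ports` list for a class, or a policy that is not applied anywhere, is the usual reason the module never sees the SMTP traffic that the class was meant to catch.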
Similar Messages
-
External SMTP traffic via iPhone
Hi
I have a Leopard server running. Whenever someone outside the trusted network wants to send mail, it seems to be blocked. As far as I can tell, I have SASL set up and things should work. My iPhone, for instance, can send mail when I am on the local WiFi but not when connected to the 3G net. I haven't really found much info on SASL on a Mac OS X server and was thinking someone here might have some info or suggestions.
Thanks
Hi
I found the answer: the submission port must be open in the firewall, and the submission line in master.cf must be activated.
Now it works. Although I'm not quite sure how passwords are used; the file sasl/passwd doesn't seem to be used. But if it works, I'm happy. -
Hi,
I must block an HTTPS website using CSC-SSM on an ASA 5520, but it looks like it won't block HTTPS traffic at all, so I've been searching around and I found that "Traffic that moves through HTTPS cannot be scanned for viruses and other threats by the CSC-SSM software.".
Has anyone successfully blocked HTTPS traffic using CSC-SSM?
Which other blocking methods would you recommend? ASA's URL filtering?
Thanks in advance.
Guilherme
Hi Guilherme
The idea with HTTPS is that it is HTTP secured with SSL or TLS, which is the same idea as VPN/IPsec, where the traffic is tunnelled and cannot be inspected before it gets decrypted.
This should be the same with all vendors.
If you can inspect the HTTPS and scan it, then it is not secure enough!! Right :)
Good luck
If helpful, rate -
Cisco ASA 5505, Software 8.0(3)
ASA IP: xxx.xxx.xxx.yy4/29
This is the part of my ASA config that ensures PAT for incoming SMTP traffic:
access-list acl_inbound_outside extended permit tcp any host xxx.xxx.xxx.yy7 eq smtp
nat-control
global (outside) 1 interface
nat (inside) 0 access-list acl_no_nat_inside
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.yy7 ftp 172.27.1.1 smtp netmask 255.255.255.255
access-group acl_inbound_outside in interface outside
This ensures SMTP traffic to xxx.xxx.xxx.yy7 reaches my SMTP server.
But outgoing SMTP traffic comes from xxx.xxx.xxx.yy4 (WAN IP of the ASA).
How can I set it up so that ONLY SMTP traffic from 172.27.1.1 is PATed behind IP xxx.xxx.xxx.yy7 and other traffic from 172.27.1.1 is NATed to xxx.xxx.xxx.yy4?
Hi,
It seems that there is either a typo or a mistake in the configuration above.
You are forwarding the "ftp" port to the "smtp" port.
Shouldn't it be
static (inside,outside) tcp xxx.xxx.xxx.yy7 smtp 172.27.1.1 smtp netmask 255.255.255.255
So in addition to forwarding the "smtp" port, you also want all outgoing "smtp" traffic from this single host/server to use the public IP address xxx.xxx.xxx.yy7.
Then you can configure this:
access-list SMTP-POLICYPAT remark Policy PAT for SMTP traffic
access-list SMTP-POLICYPAT permit tcp host 172.27.1.1 any eq smtp
global (outside) 25 xxx.xxx.xxx.yy7
nat (inside) 25 access-list SMTP-POLICYPAT
Hope this helps
Please do remember to mark the reply as the correct answer if it answered your question.
- Jouni -
Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM
We are upgrading from a PIX 515E to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config; any help would be appreciated.
show config
: Saved
: Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
ASA Version 8.4(3)
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.5 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.9.2
host 192.168.9.2
object network obj-192.168.1.65
host 192.168.1.65
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq pop3
port-object eq smtp
object-group network Red-Condor
description Email Filtering
network-object host 66.234.112.69
network-object host 66.234.112.89
object-group service NetLink tcp
port-object eq 36001
object-group network AECSouth
network-object 192.168.11.0 255.255.255.0
object-group service Email_Filter tcp-udp
port-object eq 389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
group-object Email_Filter
port-object eq pop3
port-object eq smtp
object-group network Exchange-Server
description Exchange Server
network-object host 192.168.1.65
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
object network obj-192.168.9.2
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.65
nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server isaconn protocol radius
aaa-server isaconn (inside) host 192.168.1.9
timeout 5
key XXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca server
shutdown
smtp from-address [email protected]
crypto ca certificate chain _SmartCallHome_ServerCA
certificate
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.66.175.36 source outside prefer
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-close
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Hello Scott,
So the Exchange server IP is obj-192.168.1.65, NATed to 216.x.x.x:
object network obj-192.168.1.65
"nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"
The ACL says
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
From which IP addresses are you trying to send traffic to the Exchange server?
Please do a packet-tracer and give us the output:
packet-tracer input outside tcp x.x.x.x 1025 216.x.x.x 25 (x.x.x.x = outside host IP)
Regards,
Julio
Rate helpful posts!!! -
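A live counterpart to the packet-tracer check Julio asks for, added here and not part of the thread: a Python probe that opens a TCP connection to the mail server's SMTP port, waits for the 220 banner, sends EHLO, records the advertised extensions and quits cleanly. Run from a host on the side you are testing (outside, for the inbound path to Exchange; inside, for the outbound path through the CSC class), it distinguishes a refused connection, a connection that opens but never shows a banner, and a normal greeting, which is the first thing to know before blaming NAT, the ACL or the module. The responder is a constructed stand-in so the probe can be exercised offline; the host names and extensions in it are placeholders.

```python
"""Added example, not from the thread: a live SMTP reachability probe to go with
the packet-tracer check. It opens TCP/25 (or another port), waits for the 220
banner, sends EHLO, records the advertised extensions and quits. The fake
server is a constructed responder so the probe can be exercised offline."""
import socket
import threading


def probe_smtp(host, port, timeout=5.0, helo_name="probe.example.test"):
    """Return {'ok', 'banner', 'extensions', 'error'} for one greeting/EHLO/QUIT exchange."""
    result = {"ok": False, "banner": None, "extensions": [], "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
            banner = f.readline().decode("ascii", "replace").rstrip("\r\n")
            result["banner"] = banner or None
            if not banner.startswith("220"):  # nothing answered, or the path is blocked
                result["error"] = banner or "no 220 greeting"
                return result
            s.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            lines = []
            while True:  # multi-line reply: '250-' continues, '250 ' is the last line
                line = f.readline().decode("ascii", "replace").rstrip("\r\n")
                if not line.startswith("250") or len(line) < 4:
                    result["error"] = line or "connection closed during EHLO"
                    return result
                lines.append(line[4:])
                if line[3] == " ":
                    break
            result["extensions"] = lines[1:]  # first 250 line is the server's own name
            s.sendall(b"QUIT\r\n")
            f.readline()  # read the 221 so the server sees an orderly close
            result["ok"] = True
    except OSError as exc:  # refused, reset or timed out (socket.timeout is an OSError)
        result["error"] = str(exc) or type(exc).__name__
    return result


def start_fake_smtp_server(extensions=("SIZE 10240000", "STARTTLS")):
    """Constructed one-shot responder on 127.0.0.1; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mail.example.test ESMTP constructed responder\r\n")
            for line in f:
                cmd = line.strip().upper()
                if cmd.startswith(b"EHLO"):
                    reply = ["250-mail.example.test"] + [f"250-{e}" for e in extensions]
                    reply[-1] = "250 " + reply[-1][4:]  # last line uses a space
                    conn.sendall(("\r\n".join(reply) + "\r\n").encode("ascii"))
                elif cmd.startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Constructed helper: a port that was just free on 127.0.0.1, for the refused case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else start_fake_smtp_server()
    print(probe_smtp(host, port))
```

Usage: `python probe.py <mail-server-ip> 25` from the relevant side of the firewall; with no arguments it talks to the constructed responder. A result with `ok` false and `error` "timed out" while `banner` is None means the TCP path opened or hung without a greeting, which is a different symptom from "Connection refused".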
Hello,
One of our customers has an ASA5510 with a CSC SSM-10 security module. The software version of the module is 6.6.1125.0.
Is it possible to do HTTPS filtering with this module? The customer is complaining that this is not possible; they cannot do this.
Please, any help or suggestion on how to assist them?
P.S. From Cisco I've read the following:
• HTTPS Filtering
– Able to allow or block HTTPS traffic.
– Supports group-based and user-based HTTPS policies.
– Includes URL blocking/URL exception list support for HTTPS domains.
Thank you and best regards,
Ilir
This should help:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html -
Trend Micro updates for CSC SSM
Any word on if or when a patch would be available for 6.3.1172? My ASA has only 256kb memory, and I believe it would require a memory upgrade for any further software upgrades.
The mail and TMCM agent service is always stopped. Access to the CSC-SSM via web browser is not possible (nothing happens), and ASDM is not communicating with the CSC. I restarted the management access port, without success. Restoring factory settings is not possible. I get this error message:
Restoring default settings: /opt/trend/isvw/bin/setup.bin: line 2861: /opt/trend/isvw/lib/mail/rules/UserApprovedList.txt: Read-only file system
/opt/trend/isvw/bin/setup.bin: line 2862: /opt/trend/isvw/lib/mail/rules/UserBlockedList.txt: Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/web/intscan.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
cp: unable to remove `/opt/trend/isvw/config/mail/imss.ini': Read-only file system
I'll try to reimage with the 6.2 version; maybe this helps.
If you have a clue, tell me!
Thank you -
Redirect outgoing SMTP traffic
I have installed iPlanet Messaging Server 5.2 on a single machine and I would like to redirect outgoing SMTP traffic (sent via the outgoing SMTP server or Messenger Express) through a smarthost. Any ideas on the easiest way to do this?
Regards
Matej
MatejM wrote:
I have installed iPlanet Messaging Server 5.2 on a single machine and I would like to redirect outgoing SMTP traffic (sent via the outgoing SMTP server or Messenger Express) through a smarthost. Any ideas on the easiest way to do this?
The standard way to achieve this is to add "daemon <smarthost hostname>" to the tcp_local channel in imta.cnf. Once you have made that change you will need to run "./imsimta refresh" to recompile the MTA configuration and restart the MTA processes.
Regards,
Shane. -
Client looking to segment traffic via SSID using 2504
I have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two FastEthernet ports on the WLC: one directly connected to the radiusgateway (which is connected to a switchport) and the other connected directly to a switchport, bypassing the proxy server.
My issue is "how do you segment the SSID traffic via the WLC?" The interfaces in the GUI aren't that intelligent; there's an enable and a logging drop-down. Via the command line, I didn't see any methods of routing traffic.
Please assist. Thanks in advance.
The controller doesn't 'route' traffic; it will just send it out the VLAN/port the interface is configured for.
So if you tell interface 'guest' to be linked to port 4, any WLAN that uses guest will be sent out port 4.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
ASA5510-SEC with CSC-SSM and Plus lic
I have set up the ASA5510-SEC with the CSC-SSM and it is working great. What I need is to be able to provide, for the client, reports of how much time particular users spend on the Internet, where they go on the Internet, etc. Do I need more product to do this reporting? I would also like to have email reports.
Thanks,
I would recommend posting in NetPro for this. This community doesn't work with the ASA series.
www.cisco.com/go/netpro -
ASA 5520 : IP address for CSC SSM
Hi All,
I have an ASA 5520 with CSC SSM. I have the base and plus license and want to activate it. The IP address and gateway have to be configured on the CSC SSM. I have configured IP addresses for the INSIDE, OUTSIDE, DMZ and MGMT interfaces. The outside is a public IP address. Now, for the CSC SSM, what range should I give?
There is an ISA server on the DMZ where all user IPs get PATed, and on the ASA this gets NATed. Direct access to the internet exists for the servers (bypassing the proxy).
My basic doubt is about the IP address and gateway that the CSC SSM should have, and whether it is related to the management interface IP address.
Thanks and Regards.
Sonu
Hi
Put your CSC IP address in the outside interface subnet, because CSC needs automatic updates from the internet, and you can also manage the CSC remotely.
For example:
Your outside IP is 10.0.0.1/24; make the CSC IP 10.0.0.2/24, gateway 10.0.0.1.
Hope this helps
regs
S.Mohana sundaram -
Cisco CSC SSM to Active directory integration issue
Hi,
I have configured the ASA CSC SSM module for AD integration for user-based access control. The Domain Controller Agent has been installed on the AD server, but the agent is not able to communicate with the CSC module. Errors are being generated in AD and CSC.
There are no network-layer issues between the AD server and CSC. All the firewalls have been turned off. I suspect some configuration changes need to be done on AD or in the agent installation file. I have followed the configuration steps recommended by Cisco for configuring the AD server and CSC module. I have attached the log files.
Please suggest a solution for this issue. Thank you.
With Regards,
Madhan kumar G.
Hi,
Below are the suggestions from the TAC engineer, which rectified the issue in my case. Hope this helps your scenario.
Verify the following:
1. The client machines should be part of the Windows domain.
2. File sharing should be enabled on the client machine.
3. The "Remote Registry" service should be enabled.
4. On the Windows firewall, select "Windows Management Instrumentation (WMI)" as an exception program to allow inbound WMI calls. Also, make sure "File and Printer Sharing" is part of the exception list.
5. The client is able to ping the Agent and the Domain Controllers. -
Step to prep CSC SSM on ASA Active/Standby mode
Hi all,
I am trying to set up Active/Standby HA mode for my site.
Currently the site is installed with one ASA firewall unit with a CSC-SSM module; the second unit is a new unit ready to be set up.
My question:
01. My concern is the second unit's CSC-SSM: what is the proper procedure or steps needed to prep it?
Does it need to be prepped before the ASA is in HA mode, or will the configuration propagate automatically when both units are in HA mode?
What else do I need to consider? Do I need to set up a different IP for the CSC-SSM management interface?
Thanks
Noel
Hello Yong,
Configuration related to the CSC or SSM modules will never get propagated, so you will basically need to configure it manually.
Also, it's not like failover will fail if the config on both modules is different, but of course you want to have the same one.
IP addresses for each of the modules will be dedicated ones. Remember that failover will fail if one box has the CSC and the other does not.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
How to identify whether I have an AIP-SSM-10 or a CSC-SSM-10?
How do I identify whether I have an AIP-SSM-10 or a CSC-SSM-10 on my ASA5520?
You can find the information at this link:
http://www.cisco.com/en/US/products/ps6120/products_installation_guide_chapter09186a00805ad777.html -
I have a CSC SSM module in my lab. I forgot its username/password and also the IP address of the CSC module. When I tried to reimage the CSC module, setup asks for the IP address of the CSC module. Is there any way to recover the password without knowing the IP address of the CSC module?
This document describes how to recover a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the Advanced Inspection and Prevention Security Services Module (AIP-SSM) without having to re-image the device.
http://cisco.com/en/US/partner/products/ps6120/products_password_recovery09186a00807f5a59.shtml