I have configured our LDAP and turned on the quarantine access for users. I have tested and it works! Yeah..... well, for people on the same subnet as the C300.
The C300 is on a 10.x.x.x subnet and so is everyone at this location, but those that are on the wireless or off site cannot connect to the quarantine queue. I set up another Route for the wireless subnet of 172.x.x.x but it is still not working. I don't want to make too many changes since I am still somewhat of a newbie to Ironport and I don't want to break anything.
It sounds like a routing issue. I have had this happen to me as well, and it turned out to be address spoofing on our firewall. The 10.10.xxx.xx address is our management address / quarantine, 10.11.xxx.xxx is our incoming / outgoing smtp subnet and the 172.xxx.xxx.xxx was our userbase subnets. The default route was 10.11.xxx.254. What was happening was the packets would come into the device on the 10.10.xxx.xxx address, then when returning they would come back via the default route of 10.11.xxx.xxx. This would cause an address spoofing condition on our firewall. I needed to create another address on the 10.11.xxx.xxx subnet for the quarantine so that it would then route out the default route without address spoofing. For the management addresses I just created host routes for the Admins who needed access to the GUI of the Ironport. It may not be the cleanest way of doing it, however it has worked for me in this situation. I hope this makes sense and helps in some way in getting you a resolution.
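The return-path asymmetry described in the reply above, modeled as an added example that is not part of the original thread: it does a longest-prefix route lookup for the reply and compares the egress interface with the interface that owns the address the client connected to. All addresses, the interface names `Management` and `Data1`, and the helper names are constructed assumptions standing in for the masked values in the post.

```python
import ipaddress

def build_routes(entries):
    """Turn (cidr, interface) pairs into a route table."""
    return [(ipaddress.ip_network(cidr), ifc) for cidr, ifc in entries]

def egress(routes, dst):
    """Longest-prefix match: interface a packet to dst leaves on."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def check_flow(addrs, routes, client, service_ip):
    """Compare where the request arrives with where the reply leaves.

    A mismatch means the reply carries a source address from one subnet
    out of another subnet's gateway, which an anti-spoofing check drops.
    """
    ingress = addrs[service_ip]      # interface owning the service address
    out = egress(routes, client)     # interface chosen for the reply
    return {"ingress": ingress, "egress": out, "asymmetric": ingress != out}

# Constructed topology: management/quarantine on 10.10, SMTP on 10.11,
# default route out of the SMTP (Data1) interface.
ADDRS = {"10.10.1.5": "Management", "10.11.1.5": "Data1"}
ROUTES = build_routes([
    ("10.10.1.0/24", "Management"),   # connected
    ("10.11.1.0/24", "Data1"),        # connected
    ("0.0.0.0/0", "Data1"),           # default via 10.11.1.254
])

# Fix 1: second address on the 10.11 subnet for the quarantine.
ADDRS_FIXED = {**ADDRS, "10.11.1.6": "Data1"}
# Fix 2: host route so one admin's GUI replies leave via Management.
ROUTES_FIXED = ROUTES + build_routes([("172.16.20.40/32", "Management")])

if __name__ == "__main__":
    cases = [
        ("same-subnet user", ADDRS, ROUTES, "10.10.1.77", "10.10.1.5"),
        ("wireless user, before", ADDRS, ROUTES, "172.16.20.30", "10.10.1.5"),
        ("wireless user, quarantine on 10.11", ADDRS_FIXED, ROUTES, "172.16.20.30", "10.11.1.6"),
        ("admin with host route", ADDRS_FIXED, ROUTES_FIXED, "172.16.20.40", "10.10.1.5"),
    ]
    for label, addrs, routes, client, svc in cases:
        print(label, check_flow(addrs, routes, client, svc))
```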