Firewall IP ranges address for C160 AS-AV... updates
On our Cisco FW, we have opened TCP 80/443 flows for the sites shown below. We found the IP addresses by doing a DNS lookup. Unfortunately, it seems the IPs are different depending on the time/date we perform the DNS lookup. As a result, we didn't open enough, and updates are KO.
What are the IP ranges we should open on our FW?
Any other solution?
Many thanks in advance for the help
80 HTTP Out downloads.ironport.com Service updates, except for AsyncOS upgrades and McAfee definitions.
80 HTTP Out updates.ironport.com AsyncOS upgrades and McAfee Anti-Virus definitions.
443 TCP Out res.cisco.com Cisco Registered Envelope Service
443 TCP Out updates-static.ironport.com Verify the latest files for the update server.
443 TCP Out phonehome.senderbase.org Receive/Send Virus Outbreak
Re: Firewall IP ranges address for C160 AS-AV... updates
KB articles #422, #994, #1020 on Ironport's support site list the required IP addresses/URLs and configuration options.
As per #422 "...downloads.ironport.com will be served via Akamai's servers. Due to the dynamic nature of this service, this means that the actual IP addresses will be changing constantly. The full URL remains: http://downloads.ironport.com/asyncos/upgrade"
If your FW policy does not allow dynamic connections, use the static IPs/hostnames in the articles. I'd add downloads-static.ironport.com/18.104.22.168 and update-manifests.ironport.com/22.214.171.124 to your list.
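An added example (not part of the original thread or of the KB articles): a Python check that compares DNS answers collected over several lookups with the IP ranges a firewall rule permits, showing which hostnames rotate behind a CDN and which stay fixed. The addresses are constructed from documentation ranges, and `resolve_now`, `audit`, `SAMPLES` and `ALLOWED` are hypothetical names.

```python
"""Audit DNS answers gathered over time against a static firewall IP allowlist."""
import ipaddress
import socket


def resolve_now(host, port=443):
    """Live IPv4 lookup (needs network access); call it on a schedule to build samples."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def audit(samples, allowed_cidrs):
    """samples maps host -> list of IP sets, one set per lookup. Returns host -> report."""
    nets = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    report = {}
    for host, lookups in samples.items():
        seen = set().union(*lookups)
        # A host is stable only if every lookup returned the same answer set.
        stable = all(answer == lookups[0] for answer in lookups)
        # Addresses the resolver handed out that the firewall rule would drop.
        blocked = sorted(
            ip for ip in seen
            if not any(ipaddress.ip_address(ip) in net for net in nets)
        )
        report[host] = {
            "stable": stable,
            "blocked": blocked,
            "advice": "static IP rule is workable" if stable
            else "answers rotate: use the static hostname instead",
        }
    return report


# Constructed sample data: documentation ranges, not real update-server addresses.
SAMPLES = {
    "downloads.ironport.com": [
        {"192.0.2.10", "192.0.2.11"}, {"198.51.100.7"}, {"203.0.113.40"},
    ],
    "downloads-static.ironport.com": [{"192.0.2.200"}, {"192.0.2.200"}],
}
ALLOWED = ["192.0.2.0/24"]  # assumed: what the firewall rule currently permits

if __name__ == "__main__":
    for host, result in audit(SAMPLES, ALLOWED).items():
        print(host, result)
```

To run it against real data, append `resolve_now(host)` results to each host's list at intervals and pass the firewall's actual permitted ranges as `allowed_cidrs`.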