We are configuring an appliance and came across a doubt that we would like to share to see if anyone can help us.
We first configured the appliance by setting up a RELAY policy wich included the networks that were allowed to send mail through our IronPort. Before we applied that configuration, there was no way of sending mail, perhaps there are other more efficient ways but we fail to see another one.
After this path was OK, we then configured the IronPort to use SMTP auth in a forwarding fashion to verify that clients we know are the only ones allowed to send mail. To do this we authenticate against our internal SMTP server, which contains the mailboxes of our users.
This configuration tested OK, without issues at all.
Now that we have this architecture working we would like to allow multiple IPs, not just the ones we defined to use our IronPort to send mail. In our scenario, we provide email services to serveral cilents that have dynamic IP. So we cannot guaranty that a given time, they will be able to send mails through our IronPort if their IP falls out of the range we defined.
So, within HAT policies, is there a way to allow "anyone" or "any IP" to access the IronPort to send mail? The security will be enforced though our SMTP auth policy which only allows authorized personnel to send mail.
Thank you in advanced for your thoughts and comments!!!
Yes, you can do this where the connecting external IP or sender is not known in advance.
You would probably need to LDAP with either SMTP Auth enabled or External Authentication Queries enabled.
So as to not *bog* down your HAT Overview with smtp auth attempts, I think it would be helpful to find a range where the incoming connection would be, then try to assign it to a SMTP Authentication Sender Group and corresponding Mail Flow Policy where the SMTP was turned on.
I can see that this type of scenario would come into play in situations where you have traveling salespeople and you're not always sure what IP they're coming from, but they still need to relay via the IronPort. It's best to collect as much of the information about these external relayers as possible and the LDAP system, then contact Customer Support, presenting the information/facts that you have and how best to configure the IronPort HAT/LDAP/MAIL FLOW Policy section to get that working.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :