
RECEIVING SPAM AFTER MIGRATED TO ASA

Hi all,

I am facing a problem. Recently we migrated a firewall to the ASA 5510. After the implementation we are receiving a lot of spam. The curious thing is that if we roll back to the previous firewall, the spam stops being received.

We have a mail scanner on the DMZ, and the mail server is placed in the inside network.

Does anyone know what I can do to fix this?

ASA Version 8.0(4)

access-list outside_in extended permit tcp any host x.x.x.x eq www

access-list outside_in extended permit tcp any host x.x.x.x eq www

access-list outside_in extended permit object-group xvxvx any host x.x.x.x eq domain

access-list outside_in extended permit udp any host x.x.x.x eq domain inactive

access-list outside_in extended permit tcp any host x.x.x.x eq ftp

access-list outside_in extended permit tcp any host x.x.x.x eq www

access-list outside_in extended permit icmp any any

access-list outside_in extended permit tcp any interface outside eq smtp

nat-control

global (outside) 1 interface

nat (dmz) 0 access-list dmz_nat0_outbound outside

nat (dmz) 1 0.0.0.0 0.0.0.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface smtp Mail_Scanner smtp netmask 255.255.255.255

static (inside,outside) udp interface domain DNS_SERVER domain netmask 255.255.255.255

static (inside,outside) tcp interface lotusnotes Notes_Server lotusnotes netmask 255.255.255.255

static (inside,outside) tcp interface www WEBServer www netmask 255.255.255.255

static (inside,outside) udp interface 3050 FTP_Server 3050 netmask 255.255.255.255

static (inside,outside) tcp interface 3050 FTP_Server 3050 netmask 255.255.255.255

static (inside,outsidE) tcp interface ftp FTP_Server ftp netmask 255.255.255.255

static (inside,outside) tcp x.x.x.X www XXX 1700 netmask 255.255.255.255

static (inside,outside) tcp interface 3200 XXXX 3200 netmask 255.255.255.255

static (inside,outside) tcp interface 3300 XXXX 3300 netmask 255.255.255.255

static (inside,outside) tcp interface 3389 XXXX 3389 netmask 255.255.255.255

access-group outside_incomining in interface outside

access-group dmz_access_in in interface dmz

access-group inside_access_in in interface inside

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect dns migrated_dns_map_1

1 REPLY

Re: RECEIVING SPAM AFTER MIGRATED TO ASA

It could be that in your configuration you are allowing outside SMTP connections to the outside interface IP address of the ASA.

You have globally NAT'd the inside SMTP and the DMZ mail scanner to the SAME outside IP address.

When an outside mail server tries to deliver an email on SMTP - IF the inside mail server already has an outbound connection to the internet, the ASA will forward the connection onto the inside email server and not the DMZ mail scanner.

HTH
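A small audit of the address sharing the reply points at, as an added example that is not part of the original thread: it parses ASA 8.0-style `static`, `global`, `nat`, `access-list` and `access-group` lines and reports which internal host each port on the outside interface address is forwarded to, which interfaces share that address for outbound PAT, and any `access-group` that names an ACL with no entries in the text supplied. The function name `audit` and the `SAMPLE` text (a subset of the lines posted above) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the lines posted in this thread
# (host names are the poster's own aliases).
SAMPLE = """\
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit tcp any host x.x.x.x eq www
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface smtp Mail_Scanner smtp netmask 255.255.255.255
static (inside,outside) tcp interface lotusnotes Notes_Server lotusnotes netmask 255.255.255.255
static (inside,outside) tcp interface www WEBServer www netmask 255.255.255.255
access-group outside_incomining in interface outside
"""

STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", re.I)
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)", re.I)
NAT = re.compile(r"^nat \((\w+)\) (\d+) ", re.I)
ACL = re.compile(r"^access-list (\S+) ")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Summarise how one mapped interface address is shared (ASA 8.0-style NAT)."""
    forwards, pools, sources, acls, bound = {}, {}, {}, set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            real_if, mapped_if, proto, mapped_ip, mport, host, _ = m.groups()
            if mapped_ip.lower() == "interface":  # static PAT on the interface address
                forwards[(mapped_if.lower(), proto, mport)] = (real_if.lower(), host)
        elif m := GLOBAL.match(line):
            if m[3].lower() == "interface":       # dynamic PAT pool is the interface address
                pools[m[2]] = m[1].lower()
        elif m := NAT.match(line):
            sources.setdefault(m[2], []).append(m[1].lower())
        elif m := ACL.match(line):
            acls.add(m[1])
        elif m := GROUP.match(line):
            bound[m[2]] = m[1]
    # Interfaces whose hosts leave through the same interface address via dynamic PAT.
    shared = {ifc: sorted(sources.get(nid, [])) for nid, ifc in pools.items()}
    # access-group bindings naming an ACL that has no entries in the supplied text.
    undefined = {ifc: name for ifc, name in bound.items() if name not in acls}
    return {"forwards": forwards, "pat_sources": shared, "undefined_acl": undefined}
```

Run against the posted excerpt, the last check is worth a look: the ACL entries are named `outside_in` while the binding references `outside_incomining`, which may simply be a slip made while sanitising the config.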
