topic ASA Firewall sending emails to Ironport Internal in Network Security

ASA Firewall sending emails to Ironport Internal

Adam Coombs — Tue, 12 Mar 2019 04:33:31 GMT

Hello I have a question about ASA firewall and Ironport devices.

What I have found lately it that ironport is showing that firewall we have here is sending over 1000 emails in a hour which is causing ironport to stop all email traffic inside and outside. How do I find out what is causing this issue.

IP Addresses

My Reports

Sender IP Address	Hostname	Total Attempted	Stopped by Reputation Filtering	Stopped as Invalid Recipients	Spam Detected	Virus Detected	Stopped by Content Filter	Total Threat	Clean
172.16.x.x	xxx.xxx.xxx	2,753	1,047	530	623	43	0	2,243	510

I have pasted a what i saw today
I know that .local is internal communication

Hello, So you see the IP

Julio Carvajal — Wed, 30 Jul 2014 23:26:35 GMT

Hello,

So you see the IP address of the firewall as the source of the email traffic?

This is a huge amount of emails so I doubt this is because of a feature such as smart-call home that allows your ASA to send traffic as an example.

I would think about NAT taking place and then the packet being shown as your firewall IP address before going to the IronPort box.

My recommendation is do captures on the interface where the Email Clients are and the interface where the IronPort sits.

Does it makes sense?

Regards,

Jcarvaja

CCIE 42930, 2xCCNP, JNCIS-SEC

For inmediate support http://iNetworks.cr

Well this makes a little

Adam Coombs — Thu, 31 Jul 2014 13:18:44 GMT

Well this makes a little sense to me.

I have a nat (Outside,Inside) 1 source dynamic any interface destination static nat rule in place. reason for this is the default route for my 6513 goes to a different firewall i am decomming.

What should I be looking for in the captures and are you talking about wireshark or capture ironport interface inside match tcp ......

Thank you for the helping me