Global IP Senders in Private Listener Port

Hello everyone. I changed my job a couple of days ago and I'm getting familiar with the system here. I do not have too much experience with email security appliances. What I saw in the current ESA deployment is that previous workers here added a sender with a global IP address in the Private Listener port that is using an internal subnet. Is that a normal thing? I can't be sure whether they misconfigured this or did it mindfully. There is proper documentation showing all data flows, so I am a bit confused whether I can download this or not. What I know from my experience is that in a private listener port the HAT only contains internal mail servers or other sub-company mail servers. However, adding a public IP address into the HAT of a private interface seems a bit weird to me.

Thanks in advance!

dmccabej
Cisco Employee

Hello,


Can you provide some clarification? Screenshots maybe? Are you seeing the public IP being tied to the interface/listener itself? Or do you mean there are some public IP addresses listed in the HAT?


Thanks!

-Dennis M.

Well, the ESA is implemented with 3 interfaces: 1 for MNG and the other 2 for DATA. Data1 is facing the internal side for our internal Exchange server, and the second one is in the DMZ subnet of the ASA. The ASA is forwarding all incoming SMTP messages from outside to the DMZ interface of the ESA. The internal interface is the Private listener and the DMZ one is the Public listener. With the public listener's HAT everything is okay: regular things like whitelist, reputation-based list, etc. However, in the private listener's HAT I see public IP addresses, which seems a bit weird to me. I have uploaded the screenshot as you asked. As you can see, the previous worker didn't even put in appropriate comments so that I would understand why that was done.

Hello,


Thanks for the clarification. It's possible that those public IP addresses being tied to the RELAYLIST on the Internal/Private listener is an old configuration. Assuming you're only port forwarding incoming external traffic to the DMZ/Public listener, there should be no need for any public IP addresses to be tied to the Internal/Private listener. Assuming local networks, these should be the internal IP addresses of your Exchange/SMTP servers that will be relaying mail outbound.


To confirm, what you can do is grep through the mail_logs, as well as perhaps look at the message tracking data, to make sure these IP addresses are 100% no longer hitting this interface/listener.


Thanks!

-Dennis M.
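The mail_logs check suggested above, as an added example that is not from the thread or from Cisco: it correlates the "New SMTP ICID ..." connection line with its "ICID ... ACCEPT SG ..." line and reports every accepted connection on the private listener's interface whose source is outside the networks you consider internal (RFC 1918 by default). The sample log lines, the interface name "Data1" and the addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample mail_logs lines (not taken from the thread). They follow the
# shape of ESA "New SMTP ICID" and "ICID ... ACCEPT SG" entries; Data1 is the
# private listener interface in this scenario, Data2 the public one.
SAMPLE_MAIL_LOGS = """\
Mon Mar  4 09:12:01 2024 Info: New SMTP ICID 1001 interface Data1 (10.10.20.5) address 10.10.30.15 reverse dns host exch01.corp.example verified yes
Mon Mar  4 09:12:01 2024 Info: ICID 1001 ACCEPT SG RELAYLIST match 10.10.30.15 SBRS None
Mon Mar  4 09:14:33 2024 Info: New SMTP ICID 1002 interface Data1 (10.10.20.5) address 203.0.113.45 reverse dns host mx.partner.example verified yes
Mon Mar  4 09:14:33 2024 Info: ICID 1002 ACCEPT SG RELAYLIST match 203.0.113.45 SBRS None
Mon Mar  4 09:20:07 2024 Info: New SMTP ICID 1003 interface Data2 (192.0.2.10) address 198.51.100.77 reverse dns host mail.sender.example verified yes
Mon Mar  4 09:20:07 2024 Info: ICID 1003 ACCEPT SG ALLOWED_LIST match 198.51.100.77 SBRS 5.2
"""

NEW_ICID_RE = re.compile(r"New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \(\S+\) address (?P<addr>\S+)")
ACCEPT_RE = re.compile(r"ICID (?P<icid>\d+) ACCEPT SG (?P<sg>\S+) match \S+")

# Networks treated as "internal". Use an explicit list rather than
# ipaddress.is_global, because that flag also treats documentation ranges
# and other special-purpose blocks as non-global, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_private_listener(log_text, private_interface, internal_nets=RFC1918):
    """Return {(source_ip, sender_group): accepted_connection_count} for connections
    accepted on private_interface from addresses outside internal_nets."""
    conns = {}                 # ICID -> (interface, source address)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            conns[m["icid"]] = (m["iface"], m["addr"])
            continue
        m = ACCEPT_RE.search(line)
        if not m or m["icid"] not in conns:
            continue           # not an ACCEPT line, or ICID without a connection line
        iface, addr = conns[m["icid"]]
        if iface != private_interface:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue           # malformed address field; skip rather than crash
        if not any(ip in net for net in internal_nets):
            hits[(addr, m["sg"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (addr, sg), n in audit_private_listener(SAMPLE_MAIL_LOGS, "Data1").items():
        print(f"{addr} accepted {n}x on private listener via sender group {sg}")
```

An empty result over a representative log window supports removing the public entries from the private listener's RELAYLIST; a non-empty one tells you which sender group the hosts still match so you can trace that flow in message tracking.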
