Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2863
Views
0
Helpful
3
Replies

Viewing NAT on FMC connection events viewer.

Philip Badhams
Level 1
Level 1

‎08-18-2019 02:04 AM - edited ‎02-21-2020 09:24 AM

Hello. My customer is having an issue where one of their public IPs is being blocked by spamhaus. All of their mail servers have their own static NaT setup and are not being blocked, ,so we are trying to identify what other device(s) are sending SMTP traffic and causing the address to get blocked. This public IP is used by multiple devices across the estate ( their entire RFC1918 ranges). 

 

If I put the public ip as the initiator or responder IP I don't get any results in the connection events viewer, which I would expect. How can I establish the address of the inside hosts if all I have to go on it the public nat ip and destination port(25)?

 

I read another post/ blog about requiring a syslog server but the customer does not have one attached to the FMC yet.

 

The hardware is a FMC1000 managing two HA pairs of 2100 FWs.

 

Thanks

 

 

0 Helpful
3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-18-2019 03:54 AM

You can search connection events in FMC where:

1. Initiator IP is not equal any of the authorized mail servers (prepend the authorized addresses with a ! to negate them in the boolean logic of the search string)

2. destination port is 25.

3. protocol is tcp

Say your authorized mail servers internal addresses are 192.168.1.1 and 192.168.1.2. The search would look something like this:

Search for Unauthorized mail serversSearch for Unauthorized mail servers

0 Helpful

Philip Badhams
Level 1
Level 1
In response to Marvin Rhoads

‎08-19-2019 02:04 AM

Thanks
Is there a way to export the data as the customer wants to see the logs for an hour? I can only see screenshots being an option as I cant see a export to csv / xls option.
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Philip Badhams

‎08-19-2019 02:30 AM

Once you have the query results called up in the FMC, click on the "Report Designer" link in the top right.

That will allow you to export the results as HTML, PDF or CSV files. You can even email them directly from FMC if you have an SMTP relay server setup. You can even get fancy and add your company logo if you're charging them for creating the report. (kidding).

Report of Custom QueryReport of Custom Query

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card