Hello. My customer is having an issue where one of their public IPs is being blocked by spamhaus. All of their mail servers have their own static NaT setup and are not being blocked, ,so we are trying to identify what other device(s) are sending SMTP traffic and causing the address to get blocked. This public IP is used by multiple devices across the estate ( their entire RFC1918 ranges).
If I put the public ip as the initiator or responder IP I don't get any results in the connection events viewer, which I would expect. How can I establish the address of the inside hosts if all I have to go on it the public nat ip and destination port(25)?
I read another post/ blog about requiring a syslog server but the customer does not have one attached to the FMC yet.
The hardware is a FMC1000 managing two HA pairs of 2100 FWs.
You can search connection events in FMC where:
1. Initiator IP is not equal any of the authorized mail servers (prepend the authorized addresses with a ! to negate them in the boolean logic of the search string)
2. destination port is 25.
3. protocol is tcp
Say your authorized mail servers internal addresses are 192.168.1.1 and 192.168.1.2. The search would look something like this:
Once you have the query results called up in the FMC, click on the "Report Designer" link in the top right.
That will allow you to export the results as HTML, PDF or CSV files. You can even email them directly from FMC if you have an SMTP relay server setup. You can even get fancy and add your company logo if you're charging them for creating the report. (kidding).