ASA Firewall sending emails to Ironport Internal

Adam Coombs · ‎07-30-2014

Hello I have a question about ASA firewall and Ironport devices.

What I have found lately it that ironport is showing that firewall we have here is sending over 1000 emails in a hour which is causing ironport to stop all email traffic inside and outside. How do I find out what is causing this issue.

IP Addresses

My Reports

Sender IP Address	Hostname	Total Attempted	Stopped by Reputation Filtering	Stopped as Invalid Recipients	Spam Detected	Virus Detected	Stopped by Content Filter	Total Threat	Clean
172.16.x.x	xxx.xxx.xxx	2,753	1,047	530	623	43	0	2,243	510

I have pasted a what i saw today
I know that .local is internal communication

Julio Carvajal · ‎07-30-2014

Hello,

So you see the IP address of the firewall as the source of the email traffic?

This is a huge amount of emails so I doubt this is because of a feature such as smart-call home that allows your ASA to send traffic as an example.

I would think about NAT taking place and then the packet being shown as your firewall IP address before going to the IronPort box.

My recommendation is do captures on the interface where the Email Clients are and the interface where the IronPort sits.

Does it makes sense?

Regards,

Jcarvaja

CCIE 42930, 2xCCNP, JNCIS-SEC

For inmediate support http://iNetworks.cr

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adam Coombs · ‎07-31-2014

Well this makes a little sense to me.

I have a nat (Outside,Inside) 1 source dynamic any interface destination static nat rule in place. reason for this is the default route for my 6513 goes to a different firewall i am decomming.

What should I be looking for in the captures and are you talking about wireshark or capture ironport interface inside match tcp ......

Thank you for the helping me