07-30-2014 01:48 PM - edited 03-11-2019 09:33 PM
Hello I have a question about ASA firewall and Ironport devices.
What I have found lately it that ironport is showing that firewall we have here is sending over 1000 emails in a hour which is causing ironport to stop all email traffic inside and outside. How do I find out what is causing this issue.
IP Addresses | My Reports |
Sender IP Address | Hostname | Clean | |||||||
---|---|---|---|---|---|---|---|---|---|
172.16.x.x | xxx.xxx.xxx | 2,753 | 1,047 | 530 | 623 | 43 | 0 | 2,243 | 510 |
I have pasted a what i saw today
I know that .local is internal communication
07-30-2014 04:26 PM
Hello,
So you see the IP address of the firewall as the source of the email traffic?
This is a huge amount of emails so I doubt this is because of a feature such as smart-call home that allows your ASA to send traffic as an example.
I would think about NAT taking place and then the packet being shown as your firewall IP address before going to the IronPort box.
My recommendation is do captures on the interface where the Email Clients are and the interface where the IronPort sits.
Does it makes sense?
Regards,
Jcarvaja
CCIE 42930, 2xCCNP, JNCIS-SEC
For inmediate support http://iNetworks.cr
07-31-2014 06:18 AM
Well this makes a little sense to me.
I have a nat (Outside,Inside) 1 source dynamic any interface destination static nat rule in place. reason for this is the default route for my 6513 goes to a different firewall i am decomming.
What should I be looking for in the captures and are you talking about wireshark or capture ironport interface inside match tcp ......
Thank you for the helping me
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide