Allowing SMTP traffic from some IP address ranges

I have to configure my PIX 506 so that only SMTP traffic from certain IPs gets through to my mail server. However, I don't know the right way to accomplish this task. If I put in access lists for each range and anything else associated with SMTP, will that accomplish the task?

Any help would be great!

Thank you

Michael Laro

One thing that can help is to use object groups. With object groups, you can group networks, services and protocols (ftp, smtp, etc.). If you have a handful of IP addresses or subnets that you want to allow to reach your SMTP mail server, you could do something similar to the following. Remember that, by default, NO traffic can come from the Internet through your outside interface into your private network. So if you permit the following addresses, only they, and no one else, get through. Here is an example using object groups.

SMTP server address: 172.17.1.1

Addresses you want to allow SMTP from: 32.18.7.0/24, 204.215.18.0/24, 113.113.45.1 and 118.55.34.20.

pixfirewall(config)# object-group network MAIL

pixfirewall(config-network)# network-object 32.18.7.0 255.255.255.0

pixfirewall(config-network)# network-object 204.215.18.0 255.255.255.0

pixfirewall(config-network)# network-object host 113.113.45.1

pixfirewall(config-network)# network-object host 118.55.34.20

Now create your access list and apply it to the outside interface:

pixfirewall(config)# access-list ENTRY-IN permit tcp object-group MAIL host 172.17.1.1 eq smtp

pixfirewall(config)# access-group ENTRY-IN in interface outside

This will allow the networks and IP addresses you defined in the object group called 'MAIL' to reach your mail server. I hope this helps.
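The following is an added example, not code from the original post or from Cisco: a small Python evaluator that takes the object-group and access-list lines from the answer above (and the deny-then-permit inside-acl from the PIX-to-PIX VPN question further down this page) and reports, for a given source, destination, protocol and port, which entry matches. It makes the two points the answer relies on concrete: a source has to be inside the MAIL group and headed for TCP/25 on 172.17.1.1 to hit the permit, and anything that matches no entry falls through to the implicit deny at the end of every ACL; in inside-acl the order of entries decides the outcome. The sample sources and the SERVICE_PORTS table are constructed for the example. One caveat the post does not mention: on PIX 6.x (and ASA before 8.3) an ACL applied to the outside interface matches the translated, externally reachable address, so if 172.17.1.1 sits behind a static NAT the ACL has to name the public address instead. The evaluator is a simplification; it ignores stateful return traffic, service object-groups and other PIX features.

```python
"""Added example, not from the original post: a first-match evaluator for
PIX/ASA-style access lists, fed the object-group and access-list lines quoted
in the answers on this page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the ACL lines from the page, minus the CLI prompts.
PIX_CONFIG = """
object-group network MAIL
 network-object 32.18.7.0 255.255.255.0
 network-object 204.215.18.0 255.255.255.0
 network-object host 113.113.45.1
 network-object host 118.55.34.20
access-list ENTRY-IN permit tcp object-group MAIL host 172.17.1.1 eq smtp
access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside-acl permit ip any any
"""

# Named services the parser understands (a small subset of what the PIX knows).
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches any protocol
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]               # None means any destination port


def _parse_addr(tokens, groups):
    """Consume one address spec: 'any', 'host A', 'object-group G' or 'A MASK'."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_config(text):
    """Return ({group name: [networks]}, {acl name: [Ace, ...]}) from config text."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            net = t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"
            current.append(ipaddress.ip_network(net))
        elif t[0] == "access-list":
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src, rest = _parse_addr(rest, groups)
            dst, rest = _parse_addr(rest, groups)
            dport = None
            if rest[:1] == ["eq"]:
                dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return groups, acls


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First matching entry wins; with no match the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


GROUPS, ACLS = parse_config(PIX_CONFIG)


def inbound_smtp(src, dst="172.17.1.1", proto="tcp", dport=25):
    """Decision of the outside-interface ACL ENTRY-IN for one inbound connection."""
    return evaluate(ACLS["ENTRY-IN"], src, dst, proto, dport)


def inside_decision(src, dst):
    """Decision of inside-acl for a connection leaving the 192.168.27.0/24 side."""
    return evaluate(ACLS["inside-acl"], src, dst, "tcp", 445)


if __name__ == "__main__":
    for src in ("32.18.7.200", "113.113.45.1", "113.113.45.2", "198.51.100.7"):
        print(f"{src:>15} -> 172.17.1.1:25   {inbound_smtp(src)}")
    print("    32.18.7.200 -> 172.17.1.1:110 ", inbound_smtp("32.18.7.200", dport=110))
    print("  192.168.27.10 -> 192.168.3.5    ", inside_decision("192.168.27.10", "192.168.3.5"))
    print("  192.168.27.10 -> 192.168.7.5    ", inside_decision("192.168.27.10", "192.168.7.5"))
```

Running the block shows a host inside the MAIL group reaching 172.17.1.1 on TCP/25 as "permit", the same host on port 110 or a host outside the group as "deny (implicit)", and, for inside-acl, 192.168.27.10 to 192.168.3.5 as "deny" while 192.168.27.10 to 192.168.7.5 reaches the "permit ip any any" entry.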

Tags: Cisco Security

Similar Questions

  • How to allow/prevent admin access from some IP addresses

    Hello

    I am trying to set up the following scenario:

    a user BOB has been created in Cisco ACS 4.2

    several network devices, all with different management IP addresses, have been added in Cisco ACS 4.2

    I want to allow BOB to access the network devices only if BOB's access request comes from a single IP, 1.1.1.1

    If BOB tries to access the network devices from any other IP, the request should be denied, even though BOB has full access to all network devices.

    Is there a way to do this using Cisco ACS 4.2?

    Appreciate your comments.

    Kind regards

    I don't know how, or if, you can do it using ACS. You MAY be able to use the Network Access Restriction function, although I've never tried it. Reference.

    It would be easier to simply put an access list on the devices' vty lines limiting access to 1.1.1.1 (although it would affect all users).

  • Windows Update server IP address range

    Could someone advise what range of IP addresses is used by Windows Update, so we can add them to our firewall to allow access from our servers? Thank you

    There is this related (but not conclusive) discussion from April 2009 online: http://answers.microsoft.com/en-us/windows/forum/windows_other-windows_update/ip-adresses-to-get-microsoft-patches/5eab0dfa-039c-4a09-a077-78493fadb2dd

    For security reasons, the IP address of the Windows Update web site is constantly changing; it is not a fixed address. In addition, there is no official publication of the IP addresses. Setting IP addresses on the firewall for this purpose is normally not recommended. Instead, we suggest allowing all outbound connections on the HTTP and HTTPS ports, or setting the DNS names as authorized destinations for traffic through the firewall.

    For the IPs used by Windows Update, use DNS, as it's the only reliable source of up-to-date information. If you are using DNS names, make sure that the following destination hosts are specified:

    http://windowsupdate.Microsoft.com

    http://*.windowsupdate.Microsoft.com

    https://*.windowsupdate.Microsoft.com

    http://*.Update.Microsoft.com

    https://*.Update.Microsoft.com

    http://*.windowsupdate.com

    http://download.windowsupdate.com

    http://download.Microsoft.com

    http://*.download.windowsupdate.com

    http://wustat.Windows.com

    http://NtServicePack.Microsoft.com

    http://stats.Microsoft.com

    https://stats.Microsoft.com


    Source: https://social.technet.microsoft.com/Forums/windowsserver/en-US/b596aa81-2775-496c-b159-dcfc5c5bf22d/windows-update-ip-addresses-range-and-subnet-mask-for-windows-server-2008 (13-Jan-11)

  • Allow Exchange (SMTP) server through ASA 8.2(5)

    Please help me! Tomorrow I have to go to a customer site and configure the firewall to allow traffic from the server through it.

    I am CCIE Routing & Switching certified, but I don't have enough hands-on experience with the ASA.

    Here is the running configuration of the firewall:

    QLC-11-FW-1# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname QLC-11-FW-1
    enable password 42Vosoeb.xpDtu0m encrypted
    passwd 42Vosoeb.xpDtu0m encrypted
    names
    name 10.10.128.0 comments
    name 10.10.129.0 Guest_Wirless
    name 10.10.0.0 Internal_Networks
    !
    interface Ethernet0/0
     description "connection to BB-1-Gi2/5"
     nameif outside
     security-level 0
     ip address 10.10.102.254 255.255.255.0
    !
    interface Ethernet0/1
     description "connection to BB-1-Gi2/3"
     nameif inside
     security-level 100
     ip address 10.10.101.254 255.255.255.0
    !
    interface Ethernet0/2
     description "connection to BB-1-Gi2/7"
     nameif DMZ
     security-level 50
     ip address 10.10.103.254 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    object-group network invited
     network-object comments 255.255.255.0
     network-object Guest_Wirless 255.255.255.0
    object-group service Guest_services
     service-object icmp echo
     service-object icmp echo-reply
     service-object tcp eq www
     service-object tcp eq https
     service-object udp eq domain
    access-list splitTunnelAcl standard permit Internal_Networks 255.255.0.0
    access-list outside_in extended permit icmp any any
    access-list ips_traffic extended permit ip any any
    access-list inside_access_in extended permit object-group Guest_services object-group invited any
    access-list inside_access_in extended deny ip object-group invited any
    access-list inside_access_in extended permit ip Internal_Networks 255.255.0.0 any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ip local pool ra_users 10.10.104.10-10.10.104.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.102.250 1
    route inside Internal_Networks 255.255.0.0 10.10.101.10 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http Internal_Networks 255.255.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set remote esp- esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map ra_dynamic 10 set transform-set remote
    crypto map ra 10 ipsec-isakmp dynamic ra_dynamic
    crypto map ra interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh Internal_Networks 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GP internal
    group-policy GP attributes
     dns-server value 212.77.192.60
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value splitTunnelAcl
    username admin password gXmhyPjHxCEshixG encrypted privilege 15
    username ahmed password vDClM3sGVs2igaOA encrypted
    tunnel-group GP type remote-access
    tunnel-group GP general-attributes
     address-pool ra_users
     default-group-policy GP
    tunnel-group GP ipsec-attributes
     pre-shared-key *
    !
    class-map ips_traffic_class
     match access-list ips_traffic
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
     class ips_traffic_class
      ips inline help
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:57e5e9b117c38869a93a645f88309571
    : end

    Thank you

    I don't see any NAT configuration here, so I guess it's either a private WAN or you have an upstream router doing NAT? If no NAT is required on the ASA, it should be as simple as:

    access-list outside_in extended permit tcp any host <mail server> eq smtp

  • Can a PIX-to-PIX VPN allow traffic in only one direction?

    Here is the configuration of the PIX 501 that accepts incoming VPN tunnels from the other, dynamic-IP PIX. Everything works very well, allowing traffic to flow both ways once the tunnel comes up. But how do I limit or prevent traffic that originates on this PIX's side (192.168.27.2) from going to the other PIX's networks? In other words, if a tunnel exists (192.168.3.0 to 192.168.27.0), I only want to allow the 3.0 network to access the 27.0 network, and I don't want anyone on the 27.0 network to access the 3.0 network.

    Thanks for any comments.

    pixfirewall# sh conf
    : Saved
    : Written by enable_15 at 13:29:50.396 UTC Sat Jul 3 2010
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname pixfirewall
    domain-name .com
    fixup protocol dns maximum-length 4096
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit ip 192.168.27.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 10.10.0.0 255.255.0.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 102 permit ip 192.168.27.0 255.255.255.0 192.168.7.0 255.255.255.0
    pager lines 24
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.xxx.xxx.248 255.255.255.255
    ip address inside 192.168.27.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 10.10.10.1-10.10.10.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    nat (inside) 0 access-list 102
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set gvnset esp- esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set gvnset
    crypto map gvnmap 10 ipsec-isakmp dynamic dynmap
    crypto map gvnmap interface outside
    isakmp enable outside
    isakmp key * address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp keepalive 60
    isakmp nat-traversal 20
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    vpngroup gvnclient address-pool ippool
    vpngroup gvnclient dns-server 192.168.27.1
    vpngroup gvnclient wins-server 192.168.27.1
    vpngroup gvnclient default-domain .com
    vpngroup gvnclient split-tunnel 101
    vpngroup gvnclient idle-time 1800
    vpngroup gvnclient password *
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:
    pixfirewall#

    Of course, that is certainly possible.

    You can configure an access list on the inside interface that denies traffic from 192.168.27.0/24 to 192.168.3.0/24 and then permits everything else.

    Example:

    access-list inside-acl deny ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

    access-list inside-acl permit ip any any

    access-group inside-acl in interface inside

    Hope that helps.

  • RV220: allow traffic on a forwarded port

    Hello

    This should be simple. I am in my RV220 and, under port forwarding, I created a rule. I also created a custom service for the particular port I want to allow traffic on. The problem is I want the traffic to go to any computer on the local network. What IP address do I put as the destination? I tried putting the broadcast address, 192.168.1.255, but it did not work. Do I just put in the router's LAN IP and it will do the rest?

    Please notify.

    Tony

    Hi Tony,

    Packets forwarded from the WAN port are unicast. Broadcast packets are filtered and not allowed into the local network by default. There is no option in the RV220 to rewrite a unicast packet into a broadcast.

    There is only IGMP multicast support on this router, but I guess you are not talking about that.

    Normally, with only a firewall rule, you can allow traffic for a specific service to enter from WAN to LAN, but then NAT will be a problem.

    Can you share what service you're trying to broadcast into the local network?

    Kind regards

    Bismuth

  • Allowing traffic between two Ethernet interfaces on a PIX

    I have a PIX with an inside interface, IP 10.198.16.1. It also has an interface called WTS, IP 10.12.60.1. I'm having difficulty allowing traffic from the 10.198.16.0 network to cross the PIX into 10.12.60.0. Specifically, I'm trying to allow access to a server with the IP address 10.12.60.2.

    I enclose my config. Any help would be greatly appreciated!

    OK, so the inside interface has a security level of 100 and WTS has a security level of 75, so traffic from inside to WTS is considered outbound, which is allowed by default. All you need is a nat/global pair (or a static) between the two interfaces so that the PIX knows how to NAT traffic between them (remember, the PIX must NAT).

    You have this in your config:

    nat (inside) 1 10.0.0.0 255.0.0.0 0 0

    which says all traffic from the inside interface with a 10.x.x.x IP address will be NATed, but you then need a global on the WTS interface to define what those IPs will be NATed to.

    Adding:

    global (WTS) 1 interface

    will PAT all inside hosts to the IP address of the WTS interface and allow traffic to flow between the interfaces. If you prefer the inside hosts to appear with their own IP addresses on the WTS network, you can use a static command and NAT the addresses to themselves, so that NAT is done without actually changing the addresses:

    static (inside,WTS) 10.198.16.0 10.198.16.0 netmask 255.255.240.0

    Hope that helps.

  • Limit which IP addresses can see the hardware (SMU)

    Hi all!

    If you have an SMU controller on a network and you want to exclude some IP addresses from getting to the hardware, how do you do it?

    Thank you

    You can actually edit the list of IP addresses that are granted access to the controller in the LabVIEW project. If you right-click on the target and click Properties, the Machine Access options are available under VI Server.

  • It just does not allow me to view some internet sites, stating that my internet is not connected

    Original title: internet connections

    My internet connection seems to be okay, and so do the devices, but it just does not allow me to view some internet sites, stating that my internet is not connected. What is happening? How do I solve this issue?

    Hello

    1. What operating system do you use?
    2. Did you make any changes on the computer before the problem started?
    3. Are you using a wired or wireless connection?

    Follow the steps in the article below to check which version of the Windows operating system you are using.
    http://Windows.Microsoft.com/en-us/Windows7/help/which-version-of-the-Windows-operating-system-am-i-running

    If you use a wired connection, start the computer in Safe Mode with Networking and check whether the connection works.

    For your reference:
    http://Windows.Microsoft.com/en-us/Windows7/why-can-t-I-connect-to-the-Internet

    Kind regards
    Afzal Taher
    Microsoft technical support engineer

  • DHCP server address range

    Hello

    I was wondering if there was a way to change the built-in DHCP server address range from 192.168.1.x to, say, 192.168.0.x? For example, when you change the IP address of the router from 192.168.1.1 to 192.168.0.1, I noticed that the DHCP range does not update accordingly. Any ideas?

    Thank you

    Paul

    Your DHCP server range should update automatically to the 192.168.0.x subnet when you change your "Local IP Address" to 192.168.0.1. Be sure to use a computer that is wired to your router when you do this. Also, be sure to click "Save Settings" and then wait (3 to 60 seconds) for the screen to refresh. You will probably be disconnected from the router when you do this. Don't worry about it. Power off the router and your computer.

    Then wait 30 seconds, and restart the router and the computer. Now your Local IP Address and DHCP server range should be on the same subnet.

  • 160N not allowing access to a single IP address, please help!

    My router does not allow access to a single IP address. I have a site that I have FTP access to, and everything was working fine until today. I can't access FTP with any software, and the site will not render. I checked everything. I called the hosting company and the ISP, and it's not on their end. I went to another computer somewhere else and everything worked fine. I hooked directly into the modem and everything worked as it's supposed to. All other websites work fine. It must be the router. I have reset the router to factory settings and updated the firmware. As I said, everything was working just fine and then suddenly everything on that one IP won't work. Any help with my situation is appreciated.

    Since you have already reset your router and re-configured all the settings: with your computer connected to the Linksys router, open a command prompt on the computer and try to ping the IP address you're trying to reach through your Linksys router, and check whether you get any replies.

    If not, then on the router's configuration page click on the Security tab, disable the SPI Firewall, uncheck "Filter Anonymous Internet Requests" and click Save Settings.

    Once you are done with these settings, try to ping the IP address again and check whether you get any replies.

    NOTE: Turn off the firewall and antivirus on your computer.

  • Changing the default Internet Connection Sharing IP address range and subnet mask

    Hello

    When Internet Connection Sharing (ICS) is enabled on a network adapter that is connected to the direct Internet line, the second network card automatically gets the IP address 192.168.137.1 and subnet mask 255.255.255.0. As the first IP address in the range is on the second NIC in the computer, the other client computers receive the other IPs in the same range, for example 192.168.137.2, 192.168.137.3 and so on.

    In my case, I already have a static IP network using 10.0.0.0/8, and I want to change the default IP from 192.168.137.1/24 to 10.0.0.1/8. I managed to change the IP in Regedit under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters - ScopeAddress / StandaloneDhcpAddress.

    That works, but the default IP 10.0.0.1 still has the subnet mask 255.255.255.0. How do I change the subnet mask to 255.0.0.0?

    Help, please...

    Hello

    Thanks for posting your question on the Microsoft Forum.

    I suggest you ask your question in the TechNet forums.

    https://social.technet.Microsoft.com/forums/Windows/en-us/home?Forum=w7itpronetworking&filter=AllTypes&sort=lastpostdesc

    TechNet is watched by other IT professionals who would be more likely to help you.

    I hope this helps.

    __________________

    Thank you & best regards,

    Isha Soni

  • "You are not allowed to add the e-mail address to your account" and "user already exists"

    Hi Experts,

    My SAP CLM (Contract Lifecycle Management) system is integrated with EchoSign by SAP itself, and we are testing the functionality.

    Everything works fine: I am able to send documents for signature from the CLM system, the recipients are able to sign the document, and we even get all the history information and the status of it.

    But I am facing problems in the 2 cases below:

    1. For a particular user, whenever the user sends a document for signature, we get the error: "You are not allowed to add that e-mail address to your account."

    2. For another user, who had already created an account himself, whenever the user sends a document for signature, we get the error: "user already exists: [email protected]".


    For question 1, I googled and found a link which seems to have the answer, but unfortunately that link seems to be outdated.


    Any help would be great.

    Thank you

    Uday Chassagne

    Hi Uday,

    I sent you a message in response. Please check and provide the requested information.

    -Usman

  • Observed IP address ranges

    How is the IP address range shown under "Observed IP ranges" in the NICs section of vSphere 5 determined?

    Ed

    By sampling broadcast packets received on the physical vmnic interfaces.

  • MAC address range?

    I have ESXi 3.5 installed (downloaded from VMware). I created several virtual machines, and each has an automatically generated MAC address. I reinstalled ESXi with the version downloaded from Dell and need to recreate my MAC addresses, because the network I'm on binds IPs to MACs. But when I try to manually enter the MAC addresses given to me by the first VMware installation (like 00:0C:29:dc:83:b2), I get an error telling me manually specified addresses must be in the 00:50:56 range! WTF? I really need to fix this, because it will be a giant PITA to get my IPs remapped to new MACs.

    I get an error telling me manually specified addresses must be in the 00:50:56 range!

    Uh, it explains it quite clearly. The MAC address range is different on VMware Server than on ESX. They are different products, with different ranges. And no, you can't change that.
