Asst Req config for pix 515e firewall

Hello

I'm configring as the Pix for the first time & I am little confused with Nat Pat & I want to use pat in my n/w & I Web server I want to leave out.

The one you suggest how can I achieve this configuration & any document on Pix & Nat will be a great help.

Thank you & direct them

Kumar

first thing first, I guess the pat is used for the inside of the host to navigate on the internet:

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

as for inbound access to the Web server, it depends how many public ip address is available. If one only, you can set up port forwarding. whereas there are several public ip address, you can configure 1-to-1 NAT.

for a public ip address,.

public static tcp (indoor, outdoor) 80 80 netmask 255.255.255.255 interface

list of allowed inbound tcp access any interface outside eq 80

Access-group interface incoming outside

for several public ip address,.

static (inside, outside) subnet mask 255.255.255.255

list of allowed inbound tcp access any eq 80

Access-group interface incoming outside

Tags: Cisco Security

Similar Questions

  • password for pix 515e

    I was installing my new 515e firewall usinf the pdm. I did at the time and was able to install the changes I had made. Nowhere during installation me I asked to issue a username and a password. Now when I try to access the pdm, I get a box of connection for usename and password. What can I enter? Y at - it a default admin user and password I can use?

    Username: "blank".

    Password: 'enable current password '.

  • Copy startup-config for pix via TFTP

    Where am I missing it? I know it's possible to copy a config pix down via Tftp using the

    WR net tftpIP: filename

    How can I do the reverse copy, the startup-config for the pix using tftp.

    Easy to do with a router or a switch. I don't see any docs on ORC that specify where to copy the startup-config.

    Hello

    Use the Net Config command

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/cmdref/c.htm#wp1055799

    Thank you

    Nadeem

  • Session of top through PIX 515E firewall

    My ISP is stopping the internet service and told that I have a number of great session of 5400 +... The normal session counts should be around 200. Due to this high number, my site may potentially adversely affect my network and their network. They disabled this site in order to prevent any damage.

    MY PIX config is attached, please check.

    Note: the modem from my ISP have IP 216.147.153.113/29

    If you have any questions please contact me via Email or messenger below contacts, I appreciate your help in advance.

    Thank you

    Latitia K. Carlson

    Iraq - Baghdad

    Mobile phone: + 964 7901 762691

    [Yahoo ID: mailto:[email protected] / * /">[email protected] / * / .

    [MSN ID: mailto:[email protected] / * /">[email protected] / * / .

    [Email: mailto:[email protected] / * /">[email protected] / * / .

    Hi Sam,

    seen configs... Why are you opening an entire ip and tcp everything everything inside and outside... first remove these instructions and then see the performance... am sure most useless traffic go through now because of these statements...

    No inside_access_in of the ip access list allow a whole

    No inside_access_in access list do not allow a full tcp

    see if this has solved the problem.otherwise he must refine the remaining access lists... Make sure that all ports are open, after you remove those 2 lines...

    REDA

  • Using PIX 515E configuration require

    Dear all,

    Hi.Actually I need help for PIX 515E.Pls. check out the scenario, design & suggest?

    Pls. find the details following and configuration of VLAN attached router.

    # I want to put as

    «Spend my LAN on CISCO 2900 (range 172.16.29.X IP...» (25 PCs) - VLAN router - CISCO PIX - ISP public IP.

    # Now it's

    "My LAN on CISCO 2900 - VLAN (external) router - ISP.

    Details of router & PIX:

    #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

    Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

    #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

    #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

    Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

    #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

    VLAN router Config:

    Current configuration: 1028 bytes

    !

    version 12.3

    horodateurs service debug datetime msec

    Log service timestamps datetime msec

    no password encryption service

    !

    hostname VLANRouter

    !

    boot-start-marker

    boot-end-marker

    !

    activate the gcsroot password

    !

    No aaa new-model

    IP subnet zero

    !

    !

    no record of conflict ip dhcp

    DHCP excluded-address IP 172.16.29.1 172.16.29.240

    DHCP excluded-address IP 172.16.29.250 172.16.29.254

    !

    IP dhcp pool dhcppool

    network 172.16.29.0 255.255.255.0

    DNS-server 208.144.230.1 208.144.230.2

    router by default - 172.16.29.1

    !

    !

    !

    !

    controller E1 0/0

    !

    controller E1 0/1

    !

    !

    interface FastEthernet0/0

    IP 208.144.230.197 255.255.255.224

    NAT outside IP

    automatic duplex

    automatic speed

    !

    interface FastEthernet0/1

    IP 172.16.29.1 255.255.255.0

    IP nat inside

    automatic duplex

    automatic speed

    !

    IP nat inside source list 7 interface FastEthernet0/0 overload

    IP http server

    IP classless

    IP route 0.0.0.0 0.0.0.0 208.144.230.200

    !

    !

    access-list 7 permit 172.16.29.0 0.0.0.255

    !

    Line con 0

    line to 0

    line vty 0 4

    opening of session

    !

    !

    !

    end

    All advice is appreciated.

    Kind regards

    Hiren s Mehta.

    ORG Informatics Ltd.

    Bamako, MALI

    AFRICA

    Hi hiren,.

    See the answers below:

    #Router inside the IP - 172.16.29.1 (inside property intellectual as it is very critical that cannot be changed)

    When you upgrade the PIX router inbetween and your switch, you must put the PIX inside IP like 172.16.29.1 and change the router within the subnet to someother pool. Do the PAT on the PIX, rather than the router.

    Outdoor #Router ip - what ip should I use? (I tried with 1.1.1.1 255.255.255.0)

    Router outside the property intellectual property will be that given by the ISP... The ISP would have given a public IP address for the WAN link. This cannot be changed.

    #PIX outside intellectual property - what ip should I use? (My ISP IP?-j' tried with 208.144.230.197 which is currently outside of my router)

    PIX outside IP must be comprehensive. ISP would have given you a LAN subnet. Use it. In this case, inside the interface of the router has an IP address from that subnet even...

    #PIX within the intellectual property - what ip should I use? (I tried with 1.1.1.2 255.255.255.0)

    PIX inside must be 172.16.29.1, which will be the default gateway for all PCs. If you change this subnet, then the PC should have an IP address on the same subnet that has decided.

    Connection ISP #My is directly from the ISP GW to an ethernet cat 5 on my router VLAN

    didn't get it... is that on the internet router or switch?

    #I would allow www, FTP, web-based like Yahoomail... etc... & Messenger services

    If all these must be permitted from inside to outside, you have not open anything... by default, all traffic to the inside outside is allowed (except if you put a list of access denied)...

  • PIX 515E failover recover

    I have two PIX 515E firewall v7.01 configured in a failover scenario.

    The two units were operating without problem. Primary worked very well and the configuration changes have been transferred to secondary school.

    By TAC support, the only thing needed to test the failover was to issue a command to 'reload' in the primary and the secondary, take on main. Then, "active failover" question on the once rebooted device it was up in the secondary role.

    Failover to the secondary unit worked without problem, it is a smooth transition to the secondary unit.

    The problem came in that the original primary unit is stuck in a loop when you try to reload with what looks like now configuration errors. It will not properly start upward.

    Is not a valid procedure to test the failover?

    It seems that in the real world, this could actually happen that failover should work?

    Among what is shown:

    Config ERROR: invalid journal / level keyword specified; level must be emergencies (0) - debugging (7)

    Config error - acl_in list extended access permit tcp any newspaper SMTP host 208.13.32.36 eq

    Out of config line 359, "access-list acl_in exten...". »

    Config sync error: Suite not command could be executed in standby mode

    Platform

    acl_in list access permit tcp any host 208.13.32.36 eq smtp log inactive

    Use BREAK or ESC to interrupt boot.ridge/vlan/modify flash): m

    e inactivea VLAN

    REPLICATION OF CONFIGURATION OF ACTIVE TOWARDS THE RESCUE UNIT IS INCOMPLETE,

    Reading of 115200 bytes of the image of the flash.

    TO AVOID THE EVE OF TAKING OVER AS ACTIVE WITH A PARTIAL CONFIGURATION UNIT, THE EMERGENCY UNIT WILL NOW RESTART *.

    You're not going to like this answer.

    It seems that commands typed in and abstract by cisco in the configuration are not valid when copied/pasted in or when the firewall is rebooted or receives an active firewall configuration.

    I don't know exactly what you did, but here's what I did to reproduce your problem:

    I typed in the command:

    acl_in list access permit tcp any host 208.13.32.36 eq smtp interval 300 inactive information newspaper

    Given that "interval 300 ft newspaper is the default, it is actually saved in the running-config like:"

    acl_in list access permit tcp any host 208.13.32.36 eq smtp log inactive

    It's * not * a command invalid (the word "journal" following address must be a logging level), if you try to kick it. When you restarted the firewall, he tried to shoot the active configuration of the device (because it is now pending), received this line and since he can't run it (because it is not a valid command), it keeps restarting itself so that it cannot take over and be the active firewall.

    Best way to do is to hold this line (and other lines like him) outside the firewall active now - the line is marked "inactive" in any case, this should not affect you. The other way would be to change that line to something by default (the recording level change may be easier). In this way when the primary/secondary itself restarts again, the order received will have a valid log level (or if you take the lines out, they will not be a problem) and will allow the rest of the configuration process.

    You can also report to cisco as a bug, if they are not combing these forums already.

    -Jason

    This rate if this can help.

  • PIX 515E with 7.1 SMTP banner (2) changed to 220 * how to disable the fix?

    We have a PIX 515E firewall and the SMTP banner is changed to 220 *.

    I need to disable this and I can't use the command "no fixup protocol SMTP" as it is not present in 7.1.

    Any suggestions?

    Kind regards

    Keyvan

    This is done under the map class 'class-map inspection_default' in this version of the PIX OS.

    pls rate if useful!

  • PIX 515E config help

    I am a new user and I'm trying to configure a PIX 515e Ver 6.3 (3). How can I give my users inside access to my webfarm located on dmz1. I am able to access the test sites inside and outside dzm1. I can't access the Web inside dmz1 sites. Here is my current config:

    6.3 (3) version PIX

    interface ethernet0 100full

    interface ethernet1 100full

    interface ethernet2 100full

    Automatic stop of interface ethernet3

    Automatic stop of interface ethernet4

    Automatic stop of interface ethernet5

    ethernet0 nameif outside security0

    nameif ethernet1 inside the security100

    nameif ethernet2 dmz1 security50

    nameif ethernet3 intf3 securite6

    nameif ethernet4 intf4 security8

    ethernet5 intf5 security10 nameif

    enable password xxxx

    passwd xxxx

    hostname pix1

    apprendrefacile.com domain name

    fixup protocol dns-length maximum 512

    fixup protocol ftp 21

    fixup protocol h323 h225 1720

    fixup protocol h323 ras 1718-1719

    fixup protocol http 80

    fixup protocol rsh 514

    fixup protocol rtsp 554

    fixup protocol sip 5060

    fixup protocol sip udp 5060

    fixup protocol 2000 skinny

    fixup protocol smtp 25

    fixup protocol sqlnet 1521

    fixup protocol tftp 69

    names of

    aetest name 10.10.10.1

    name 10.10.10.2 aetest1

    name 13.13.13.3 aetestdmz

    name 13.13.13.4 aetestdmz1

    access-list from-out-to allow tcp any any eq www

    pager lines 24

    opening of session

    debug logging in buffered memory

    Outside 1500 MTU

    Within 1500 MTU

    dmz1 MTU 1500

    intf3 MTU 1500

    intf4 MTU 1500

    intf5 MTU 1500

    IP address outside the 12.x.x.x.255.255.0

    IP address inside 10.10.10.2 255.255.255.0

    IP address dmz1 13.x.x.x.255.255.0

    No intf3 ip address

    No intf4 ip address

    No intf5 ip address

    alarm action IP verification of information

    alarm action attack IP audit

    no failover

    failover timeout 0:00:00

    failover poll 15

    No IP failover outdoors

    No IP failover inside

    no failover ip address dmz1

    no failover ip address intf3

    no failover ip address intf4

    no failover ip address intf5

    history of PDM activate

    ARP timeout 14400

    public static 12.12.12.15 (inside, outside) aetest netmask 255.255.255.255 0 0

    public static 12.12.12.16 (inside, outside) aetest1 netmask 255.255.255.255 0 0

    (dmz1, external) 12.12.12.17 static aetestdmz netmask 255.255.255.255 0 0

    (dmz1, external) 12.12.12.18 static aetestdmz1 netmask 255.255.255.255 0 0

    Access-group from-out-to external interface

    Route outside 0.0.0.0 0.0.0.0 12.12.12.1 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    GANYMEDE + Protocol Ganymede + AAA-server

    RADIUS Protocol RADIUS AAA server

    AAA-server local LOCAL Protocol

    Enable http server

    http 10.10.10.207 255.255.255.255 inside

    No snmp server location

    No snmp Server contact

    SNMP-Server Community public

    No trap to activate snmp Server

    enable floodguard

    Telnet 10.10.10.0 255.255.255.0 inside

    Telnet timeout 20

    SSH timeout 5

    Console timeout 0

    Terminal width 80

    Cryptochecksum:XXXXX

    : end

    Thank you... Jay

    with pix v6.x, nat/global or static is a must do before the pix will start to transfer packets between two interfaces.

    the current static instructions do not cover the translation between the inside and the dmz. as the traffic between pix inside the net and dmz is private, I suggest you to set up no. - nat between the two.

    for example

    static (inside, dmz1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

    clear xlate

    in the above example, pix inside the host must be able to access the dmz Server pointing to the private ip address of dmz Web server.

    If you prefer the pix inside the host to access the dmz by name server, then "alias" command should be applied.

    for example

    alias (inside) 13.13.13.3 12.12.12.17 255.255.255.255

    the need for the command "alias" is due to the fact that when pix inside the host tries to access the server dmz by name, the public dns will point to the public IP address of the dmz Web server. now, as the static electricity created for the dmz Web server is directional i.e. public ip will be accessible from the outside, not the pix inside the net. so the 'alias' command will allow the PIX to manipulate the dns response and point the name to the private ip of Web server dmz for the pix inside the host.

  • PIX 515E for VPN remote site

    Hello

    7.0 (1) version pix

    ASDM version 5.0 (1)

    I have a situation where you go paas-thanks to the VPN feature goes on our PIX 515E. I tried to put this on the pix using a VPN Wizard Site to site

    who is enabled. I was unable to connect to the pix from the remote site. Witch's journal replied negotiate the pix is OK and the success

    The problem is when I try to set up the tunnel to the top of the remote site. I fall without failure.

    where can I see the vpn pix for error log?

    is there a manual for the solution of site to site VPN using the wizard

    Help, please.

    Thanks in advance

    http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml#ASDM

    the section 'use adsm' (step 14) gives an example on how to set up vpn lan - lan via adsm

    Newspaper to go to the section "check".

  • What version of PDM for PIX 6.3 (4) on a 515E?

    I loaded the last PDM bin 4.1 (1) for PIX os ver 6.3 (4) but I get an error message when I try to access the new PDM:

    "Cisco PDM 4.0 for FWSM does not work on PIX. Please install Cisco PDM 3.0 on your PIX"

    Hmmm a Pix Device Manager which does not work on PIX? The links were wrong on the cisco.com page that pointed me to this location?

    http://www.Cisco.com/cgi-bin/tablebuild.pl/PIX

    Are these compatible versions?

    Here's my version:

    Cisco PIX Firewall Version 6.3 (4)

    Cisco PIX Device Manager Version 4.1 (1)

    Yes, this message is absolutely right, version 4.x PDM is just for the firewall Switch Module and is not supported by the device of PIX. FWSM supports Transparent firewall features that the PIX does not now support.

    Version 3.0.2 PDM.

    There will be a new PDM with the PIX OS 7.0 version in the first quarter of 2005.

    sincerely

    Patrick

  • PIX 515E v7 VPN config help

    Hello

    I have a PIX 515E current of execution to 7.

    Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).

    I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?

    I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?

    Is there a way to fix this?

    Any help appreciated gratefully.

    apply the commands below:

    ISAKMP identity address

    ISAKMP nat-traversal 20

    If the problem persists, then please post the entire config with ip hidden public.

  • VPN - Pix 515e for Cisco router

    I have the following Setup and I can't seem to get the next tunnel. My end is a PIX 515e race 7.2 (4). The other end is a Cisco router-not sure of the model or version of the IOS.

    PIX:

    90 extended access-list allow ip host a.a.a.a host b.b.b.b

    NAT (inside) - 0-90 access list

    correspondence address card crypto mymap 20 90
    card crypto mymap 20 peers set x.x.x.x
    map mymap 20 set transformation-strong crypto
    mymap outside crypto map interface
    ISAKMP crypto identity hostname
    crypto ISAKMP allow outside
    crypto ISAKMP policy 8
    preshared authentication
    3des encryption
    sha hash
    Group 2
    life 86400

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group ipsec-attributes x.x.x.x
    pre-shared key 12345

    Router:

    / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;} / * Définitions de style * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

    SDM_5 extended IP access list

    permit ip host b.b.b.b host a.a.a.a

    ISAKMP crypto key 12345 address y.y.y.y no.-xauth

    map SDM_CMAP_1 5 ipsec-isakmp crypto

    Description vpn for laboratory

    defined peer y.y.y.y

    game of transformation-ESP-3DES-SHA

    match address SDM_5

    I'm running him debugs following:

    Debug crypto ipsec enabled at level 1
    ISAKMP crypto debugging enabled at level 1

    I get the following debug output:

    August 16-04:16:10 [IKEv1]: IP = x.x.x.x, counterpart of drop table counterpart, didn't match!
    August 16-04:16:10 [IKEv1]: IP = x.x.x.x, error: cannot delete PeerTblEntry

    Isa HS her

    IKE Peer: x.x.x.x
    Type: user role: initiator
    Generate a new key: no State: MM_WAIT_MSG2

    Any ideas?

    Thank you

    Dave

    If you see the MM_WAIT_MSG2, which means that her counterpart (the other side) does not answer and this side where you can see the status MM_WAIT_MSG2 sent the first message IKE, however, did not hear of the peer.

    You can check if UDP/500 is stuck on the way between the 2 sites.

    Try running traffic on the other side and see if you also get the same status of MM_WAIT_MSG2. If you do, that confirms 100% 500/UDP is blocked on the way between the 2 sites.

  • Question of PIX 515E

    Hi all

    We just bought a PIX 515E and try to use it, but got a number of questions. Here's the NVA of show:

    PIX-151st #show version

    Cisco PIX Firewall Version 6.3 (1)

    Cisco PIX Device Manager Version 3.0 (1)

    Updated Thursday 19 March 03 11:49 by Manu

    PIX-515E up to 5 hours and 15 minutes

    Material: PIX-515E, 64 MB RAM, Pentium II 433 MHz processor

    Flash E28F128J3 @ 0 x 300, 16 MB

    BIOS Flash AM29F400B @ 0xfffd8000, 32 KB

    0: ethernet0: the address is 000f.2457.4b12, irq 10

    1: ethernet1: the address is 000f.2457.4b13, irq 11

    Features licensed:

    Failover: enabled

    VPN - A: enabled

    VPN-3DES-AES: enabled

    Maximum Interfaces: 6

    Cut - through Proxy: enabled

    Guardians: enabled

    URL filtering: enabled

    Internal hosts: unlimited

    Flow: IKE peers unlimited: unlimited

    This PIX has a failover license only (FO).

    Problem is that we cannot ping inner harbor, if we do not switch light, but this is a unique machine. Here's another message once we turn on the switch:

    PIX-515E # config t

    WARNING *.

    Configuration of replication is NOT performed the unit from standby to Active unit.

    Configurations are no longer synchronized.

    PIX-515e (config) #.

    Please help solve this problem. I wonder if we buy the wrong license? Thank you very much.

    you have in your possession a PIX failover. That's why says in the "sh run".

    This device is intended to be used only as a failover for a live device. It will work as a live PIX, but behave badly. It is cheaper than a PIX with an unrestricted license, as it is not intended to be used as a standalone device. Check with the one that you bought to get the situation sorted.

    Good luck

    Steve

  • Cisco VPN Client behind PIX 515E,-> VPN concentrator

    I'm trying to configure a client as follows:

    The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

    Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

    You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

  • PIX 515E and remote access VPN

    I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

    I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

    Any help is appreciated,

    Hello

    Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

    Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

    There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

Maybe you are looking for