NAT Address Blacklisted
Posted on 2006-06-26
Looks like my NAT/PAT address has been blacklisted.
I have 10 VLANs on my 6513 with a FWSM. Most of these VLANs are desktops. These desktops are PAT'ed to one address on my FWSM.
That address is showing up as blacklisted for SMTP.
One of my theories is that a developer is using a desktop to mass mail, or a virus/worm is doing some mass mailing from my desktop community.
We have our Exchange server statically NAT'ed and that address is in the same subnet but has not been blacklisted. This handles all approved email.
I need some direction on how I can find the desktops, if any, that are spewing SMTP to the internet on the PAT address.
I can sniff all outbound traffic on my external VLAN, but it is too much traffic and the sniffer file becomes too large to work with; in addition, I am not sure when the suspect traffic is being sent.
I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM, but I would like to find out which workstation may be doing any mass SMTP mailing.
Any ideas would be helpful.
I was thinking of trying to only sniff the traffic for SMTP using a VACL and then spanning that VLAN to the sniffer, but I can't think of how to do that, or if there is an easier way.
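One way to narrow this down without a packet capture is to rank inside hosts by how many distinct outside mail servers they open TCP/25 connections to, using the firewall's own connection logs. The script below is an added example, not from the original post; it assumes FWSM 302013 "Built outbound TCP connection" syslog lines, and the interface names, addresses and the Exchange server's inside IP are constructed placeholders.

```python
import re
from collections import defaultdict

# Assumed: Exchange (static NAT) is the only inside host allowed to send SMTP
# outbound, so it is excluded from the ranking. Placeholder address, not from the post.
EXCHANGE_INSIDE_IP = "10.20.5.10"
SMTP_PORT = 25

# Constructed sample log in the assumed FWSM %FWSM-6-302013 format:
# "... for <outside_if>:<dst>/<dport> (<dst>/<dport>) to <inside_if>:<src>/<sport> (<PAT addr>/<mapped port>)"
SAMPLE_LOG = """\
Jun 26 09:00:01 fwsm %FWSM-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.10/25 (198.51.100.10/25) to desktops:10.20.1.15/1025 (203.0.113.5/2001)
Jun 26 09:00:01 fwsm %FWSM-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.11/25 (198.51.100.11/25) to desktops:10.20.1.15/1026 (203.0.113.5/2002)
Jun 26 09:00:02 fwsm %FWSM-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.12/25 (198.51.100.12/25) to desktops:10.20.1.15/1027 (203.0.113.5/2003)
Jun 26 09:00:02 fwsm %FWSM-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.13/25 (198.51.100.13/25) to desktops:10.20.1.15/1028 (203.0.113.5/2004)
Jun 26 09:00:03 fwsm %FWSM-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.14/25 (198.51.100.14/25) to desktops:10.20.1.15/1029 (203.0.113.5/2005)
Jun 26 09:00:03 fwsm %FWSM-6-302013: Built outbound TCP connection 1006 for outside:198.51.100.10/25 (198.51.100.10/25) to desktops:10.20.1.15/1030 (203.0.113.5/2006)
Jun 26 09:00:04 fwsm %FWSM-6-302013: Built outbound TCP connection 1007 for outside:198.51.100.20/443 (198.51.100.20/443) to desktops:10.20.1.40/1031 (203.0.113.5/2007)
Jun 26 09:00:05 fwsm %FWSM-6-302013: Built outbound TCP connection 1008 for outside:198.51.100.30/25 (198.51.100.30/25) to desktops:10.20.1.22/1032 (203.0.113.5/2008)
Jun 26 09:00:06 fwsm %FWSM-6-302013: Built outbound TCP connection 1009 for outside:198.51.100.40/25 (198.51.100.40/25) to servers:10.20.5.10/1033 (203.0.113.9/1033)
"""

BUILT_RE = re.compile(
    r"Built outbound TCP connection \d+ for "
    r"(?P<out_if>\S+):(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) \(\S+\) to "
    r"(?P<in_if>\S+):(?P<src>\d+\.\d+\.\d+\.\d+)/\d+ \((?P<mapped>\d+\.\d+\.\d+\.\d+)/\d+\)"
)

def smtp_talkers(log_text, exclude=(EXCHANGE_INSIDE_IP,)):
    """Map each inside host to the set of outside hosts it reached on TCP/25."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or int(m["dport"]) != SMTP_PORT or m["src"] in exclude:
            continue
        dests[m["src"]].add(m["dst"])
    return dests

def suspects(log_text, min_distinct_mtas=5):
    """Inside hosts that contacted at least min_distinct_mtas different outside
    MTAs, busiest first. A mass mailer fans out to many MXs; a single hit
    is more likely a misconfigured client than a spam source."""
    talkers = smtp_talkers(log_text)
    ranked = sorted(talkers.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(src, len(d)) for src, d in ranked if len(d) >= min_distinct_mtas]
```

Feeding a day of syslog from the FWSM into `suspects()` gives the short list of desktops worth pulling off the network, and the same regex can filter on the `mapped` group to confine the count to the blacklisted PAT address.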