Group Won’t Accept Mail From ‘Outside’

KB ID 0001771

Problem

Exchange has behaved this way for a long time; here’s me explaining this very problem with older versions of Exchange. If you create a ‘Group’, be that a Distribution Group or a ‘Microsoft 365’ Group, the default setting is to NOT ALLOW mail from anyone outside your organisation. If someone outside attempts to send mail to that group, they will see errors like these;

Errors;

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender not authenticated when sending to the group

550 5.7.193 UnifiedGroupAgent; Delivery failed because the sender isn’t a group member or external senders aren’t permitted to send to this group.

Allow External Senders (On Premises & Hybrid Exchange)

If you have your own on-premises Exchange server (this includes those of you who have migrated to Exchange Online but are in Hybrid Mode and are syncing your domain objects into Microsoft/Office 365 (Azure)), then you should change this setting in the on-premises Exchange Admin Centre, because the on-premises object is the authoritative copy.

Recipients > Groups > Select the group in question > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

Note: Remember in hybrid mode this will need to sync to Microsoft online, so apply the ‘cup of coffee rule’ before testing it.

Allow External Senders Office/Microsoft 365 (Exchange Online)

Classic Exchange Admin Center

Recipients > Groups > Select the group in question > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.


New Exchange Admin Center

Microsoft 365 Groups: Recipients > Groups > Microsoft 365 > ‘Double Click’ the group in question > Settings > Allow external senders to email this group > Save.

Distribution Groups: Recipients > Groups > Distribution List > ‘Double Click’ the group in question > Settings > Edit Delivery Management > Allow messages from people inside and outside my organisation > Save changes.
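The same change from PowerShell, as an added example that is not part of the original article: on-premises/hybrid groups are changed in the on-premises Exchange Management Shell (the synced object is authoritative), cloud-only groups through the ExchangeOnlineManagement module. The group names and the admin UPN are placeholders.

```powershell
# Added example (not from the original article): the 'external senders' setting is the
# RequireSenderAuthenticationEnabled property. $true = only authenticated (internal)
# senders are accepted, which is the default that produces the 5.7.133 / 5.7.193 NDRs.

# --- On-premises / hybrid: run in the on-premises Exchange Management Shell so the
#     change is made on the authoritative object and then syncs up to Microsoft 365.
$group = 'All-Staff'   # placeholder: your distribution group's name or alias

# Check the current state before changing anything.
Get-DistributionGroup -Identity $group |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled

# Allow senders inside and outside the organisation.
Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $false

# --- Exchange Online (cloud-only objects): connect with the ExchangeOnlineManagement module.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder UPN

# Distribution group that lives in Exchange Online.
Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $false

# Microsoft 365 Group ('Allow external senders to email this group' in the new EAC).
$m365 = 'Project-Team'   # placeholder: the Microsoft 365 group's name or alias
Set-UnifiedGroup -Identity $m365 -RequireSenderAuthenticationEnabled $false

# Verify the change took effect.
Get-UnifiedGroup -Identity $m365 |
    Select-Object DisplayName, PrimarySmtpAddress, RequireSenderAuthenticationEnabled

# Audit: which groups are still open to external senders? (Useful to review
# periodically, since every group opened this way is reachable from the internet.)
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress
```

In hybrid mode the Exchange Online copy of a synced group is read-only, so the Set-* cmdlet must be run on-premises and the change allowed to sync before testing.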

Related Articles, References, Credits, or External Links

NA

Juniper SRX Firewall – Allow Web Management from Outside

KB ID 0000708 

Problem

This assumes you already have web management enabled on the SRX and you want to access it from the outside (the untrust zone).

Solution

1. Log into the web console of the Juniper.

2. Navigate to Security > Zones/Screen > Select the ‘Untrust’ Zone > Edit > Host inbound traffic – Interface > Select the Outside interface > Under Interface services add in ‘http’ > OK.

3. Then to save the change click Action > Commit.

4. Test Externally.

Related Articles, References, Credits, or External Links

NA


Enable DNS Lookup on the Cisco PIX/ASA

KB ID 0000029 

Problem

You need the ASA to be able to resolve external hostnames.

Note: You need at least version 8.2(2) before you can use a DNS name in an access-list.

Solution

Note: In this example I’m using 122.122.122.199 and 122.122.122.198 (yes, they cannot exist!) as the external DNS addresses; substitute your own.

1. Whilst in enable mode, enter configure terminal mode, then enable DNS lookups on the outside interface.

[box]

CiscoASA#conf terminal
CiscoASA(config)# dns domain-lookup outside

[/box]

2. Then specify the external DNS Servers (Change IP addresses appropriately).

[box]

CiscoASA(config)# dns server-group DefaultDNS
CiscoASA(config-dns-server-group)# name-server 122.122.122.199
CiscoASA(config-dns-server-group)# name-server 122.122.122.198
CiscoASA(config-dns-server-group)# exit

[/box]

3. Test it by pinging a name/URL.

[box]

CiscoASA(config)# ping www.petenetlive.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 123.123.123.123, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 70/84/110 ms
CiscoASA(config)#

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Throttling (Rate Limiting) Traffic

KB ID 0001001 

Problem

If you have one client that’s taking all your bandwidth, or a server that’s getting a lot of connections from external IP addresses, and that’s causing you performance problems, you can ‘throttle’ traffic from/to that client by ‘policing’ its traffic.

Solution

To demonstrate: I have a 30Mb connection at home, and when I run a download speed test from my desktop PC this is what I get;

So I’m going to throttle traffic to that IP address (10.254.254.90), so that it can only use 1Mb of the connection.

1. Create an ACL matching traffic to and from the IP address you want to throttle. (Note: If your firewall is running a version older than 8.3 and you are throttling a host that has a public IP address, use its public IP address, not its private one).

[box]

User Access Verification

Password:*******
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# access-list ACL-THROTTLE extended permit ip host 10.254.254.90 any
PetesASA(config)# access-list ACL-THROTTLE extended permit ip any host 10.254.254.90

[/box]

2. Now create a class-map that will match all traffic in that ACL, (so all traffic to and from 10.254.254.90).

[box]

PetesASA(config)# class-map CM-THROTTLE
PetesASA(config-cmap)# match access-list ACL-THROTTLE
PetesASA(config-cmap)# exit

[/box]

3. Then create a policy-map that takes all traffic identified in your class-map and rate limits it to 1000000 bps (1Mbps) with a ‘burst-rate’ of 2000bps, in both directions.

[box]

PetesASA(config)# policy-map PM-THROTTLE
PetesASA(config-pmap)# class CM-THROTTLE
PetesASA(config-pmap-c)# police output 1000000 2000
PetesASA(config-pmap-c)# police input 1000000 2000
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit

[/box]

4. Now apply that policy-map with a service-policy. (Note: Generally you apply the policy to the interface closest to where the traffic is coming from; as this is an internal host, I’m applying it to the inside interface. If you were throttling traffic from outside, it would be better to apply the service-policy to the outside interface).

[box]

PetesASA(config)# service-policy PM-THROTTLE interface inside

[/box]

5. Let’s run our test again.

6. Looks good!


Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 – Performing NAT for Two (or More) internal IP’s to a Spare Public IP

KB ID 0001057 

Problem

I was in the PIX/ASA area at EE last night, and a poster asked if they could perform NAT on a couple of internal IP addresses to a spare public IP that they had. I had done this for a client some time last year when I performed an upgrade from 8.2. Anyone who has ever done a large upgrade on an ASA to the ‘new’ NAT system will appreciate that this is usually the area where the upgrade has a problem. So at the time I ran through all the NAT/PAT rules on their firewall and worked out how to do the same with the new NAT code. That way, if the upgrade failed, I’d have all the new NAT rules pre-written (time spent on reconnaissance is seldom wasted!). Anyway, when this question was asked I could not find the config I’d written, so I ran up GNS3 and tested it.

Solution

In the example (above), I’m going to PAT both the internal servers to a public IP address of 123.123.123.124. The firewall already translates all other outgoing traffic to its external IP of 123.123.123.123. Note: I’m only translating two internal IP addresses here, but you can add as many internal hosts to this rule as you like.

1. Create a ‘group’ for your internal IP addresses;

[box]

Petes-ASA(config)# object-group network Obj-Source-Addresses
Petes-ASA(config-network-object-group)# network-object host 192.168.1.10
Petes-ASA(config-network-object-group)# network-object host 192.168.1.11

[/box]

2. Create an ‘object’ for the spare public IP address;

[box]

Petes-ASA(config-network-object-group)# object network Obj-Public-NAT
Petes-ASA(config-network-object)# host 123.123.123.124

[/box]

3. Finally, tie the two together with a NAT rule that PATs the internal IP addresses to the spare public IP address. Remember this is a PAT, not a NAT, hence the reason I use the ‘dynamic’ keyword below rather than ‘static’ as I would have done for a one-to-one NAT.

Note: The reason there’s a number ‘1’ in the command, is to put it at the top of the NAT processing order, so this rule will ‘fire’ before the global PAT rule I already have on the firewall.

[box]

Petes-ASA(config-network-object)# nat (inside,outside) 1 source dynamic Obj-Source-Addresses Obj-Public-NAT

[/box]

4. At this point your internal servers may already have NAT/PAT translations cached on the firewall; before we test it, let’s clear those out;

[box]

Petes-ASA(config)# clear xlate

[/box]

5. Now give it a test: you can check your public IP with the tool at the top of our ‘index page’ by pressing the button that says ‘What is my IP’. Once you are happy everything is working, save the changes on the firewall with a ‘write mem’ command.

Related Articles, References, Credits, or External Links

NA