Scrambled SMTP/FTP connections

Answered Question
Mar 31st, 2007

So I noticed today all was not well with my 506. In doing some routine maintenance on our network, I was told external connections to both the SMTP and FTP servers were getting 'scrambled'.


The outside interface of our 506 is connected to our ISP provided ADSL router (we have to use this apparently), and the inside interface is connected to our network switch.


In doing a little research, I guess this is not uncommon when you have another inline firewall which also randomizes the packet. So Cisco recommends using the 'norandomseq' with the static command but cautions this may create a security hole.


How drastic is this security hole?


vitripat Sat, 03/31/2007 - 20:02

This is a known issue. If you have two firewalls in line, both randomizing the ISN, it may result in scrambling of data. To prevent this, you should disable randomization on one of the firewalls. This should not be an issue, as one of the firewalls would still be randomizing the ISN. Please refer to the following link:


http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450c7c.html#wp1042664


Having two devices randomizing the ISN is not recommended, having one only would not be an issue.


Hope that helps.



Regards,

Vibhor.

srberg5219 Sat, 03/31/2007 - 20:59

Using: PIX 506 5.2(6)


So to format this using nat, would I use the following:


nat (inside) 1 0 0 0 norandomseq


(Sorry new to PIX)


Do I also have to use it with my static commands in conjunction with nat?

David White Sat, 03/31/2007 - 21:35

That's crap and totally false.


You can randomize the ISN as many times as you want and it will NEVER affect the data payload of the traffic. The randomization is done on a single box (the PIX in this case) and no other device has any idea that randomization was performed.


Think of it like NAT. You can NAT a packet as many times as you want. The receiver has no idea if the source in the IP header has been NATed zero, one, two, three or more times. The same goes with the ISN.


I find it highly suspicious that the randomization is what was causing your issue. However, should you choose to disable randomization, the security risk is low. The threat is that an attacker can guess the sequence number for new connections based on previous connections. However, most newer OSes do a good job of randomizing their ISN anyway (so the PIX doesn't need to do it).


Sincerely,


David.

srberg5219 Sat, 03/31/2007 - 21:43

I don't know, it's kind of funny. I implement this 506 and all of a sudden external users can't authenticate against the Exchange SMTP virtual server, and when I telnet to the port externally, the SMTP server welcome message is all scrambled and EHLO, or any other command, doesn't work. Yet they can connect to the POP3 server, authenticate fine against the Domain and can retrieve messages...


I remove the PIX from the loop, and voilà, everything is back to normal.


Back to the drawing board

Correct Answer
David White Sun, 04/01/2007 - 07:28

The 506 only runs up to version 6.3 of software. In version 6.3, the PIX does not support ESMTP, and therefore forces the mail servers to downgrade to SMTP.


As for the "scrambling", I would guess you are talking about how the PIX "masks" the SMTP banner with asterisks (**************220*********).

This is by design. I would suggest you disable the SMTP fixup and see if that solves the issue for you:


no fixup protocol smtp 25


David.
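The two symptoms David describes (a 220 banner padded with asterisks by the PIX SMTP fixup, and EHLO being refused because the 6.3 fixup only allows plain SMTP, which is why AUTH fails for external users) can be checked from outside without guessing. The script below is an added example, not code from this thread or from Cisco: it classifies the replies of an SMTP session and includes a live probe that reads the banner and sends EHLO. The sample sessions and the host name `probe.example.test` are constructed for illustration.

```python
import re
import socket

# Constructed sample of what the poster saw through the PIX 6.3 SMTP fixup:
# banner masked with asterisks, then EHLO refused (server forced down to plain SMTP).
MASKED_SESSION = [
    "**************220*********",
    "500 Command not recognized: EHLO",
]
# Constructed sample of a healthy ESMTP exchange for comparison.
HEALTHY_SESSION = [
    "220 mail.example.test ESMTP Service ready",
    "250-mail.example.test Hello",
    "250-AUTH LOGIN PLAIN",
    "250 OK",
]

# Shape of the masked banner quoted in the thread: only the 220 code survives.
BANNER_MASK = re.compile(r"^\*+220\*+$")


def diagnose_smtp_replies(replies):
    """Classify server replies: banner masking by an inline fixup/ALG and EHLO refusal."""
    banner = replies[0].strip() if replies else ""
    f = {
        "banner_masked": bool(BANNER_MASK.match(banner)),
        "banner_ok": banner.startswith("220 "),
        "ehlo_refused": any(r.startswith(("500", "502")) for r in replies[1:]),
        "auth_advertised": any(r.upper().startswith(("250-AUTH", "250 AUTH")) for r in replies[1:]),
    }
    if f["banner_masked"]:
        f["verdict"] = "inline SMTP fixup/ALG is masking the banner"
    elif not f["banner_ok"]:
        f["verdict"] = "no 220 banner received"
    elif f["ehlo_refused"]:
        f["verdict"] = "EHLO refused: ESMTP downgraded to SMTP, AUTH will fail"
    elif f["auth_advertised"]:
        f["verdict"] = "ESMTP healthy, AUTH available"
    else:
        f["verdict"] = "ESMTP reachable, AUTH not advertised"
    return f


def probe_smtp(host, port=25, timeout=5.0):
    """Live version: read the banner, send EHLO, collect the (multi-line) reply, diagnose."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", errors="replace", newline="")
        replies.append(f.readline().rstrip("\r\n"))
        f.write("EHLO probe.example.test\r\n"); f.flush()
        while True:
            line = f.readline().rstrip("\r\n")
            if not line:
                break
            replies.append(line)
            if len(line) >= 4 and line[3] == " ":  # last line of the reply
                break
        f.write("QUIT\r\n"); f.flush()
    return diagnose_smtp_replies(replies)
```

Run `probe_smtp("your.mail.host")` from outside the firewall before and after `no fixup protocol smtp 25` to confirm the banner and EHLO behaviour changed.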

srberg5219 Sun, 04/01/2007 - 13:35

David-


You nailed it! All is well after I disabled the fixup on smtp!


My deepest gratitude for your post!


-Shawn

vitripat Sat, 03/31/2007 - 22:24

Even I thought so. However, it seems that Cisco has misleading documentation which made me think otherwise. I'll have to agree on at least this point, that the documentation is crap.


http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450c7c.html#wp1042664


"TCP sequence randomization should only be disabled if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data."


However, I don't have any explanation of why removing the PIX makes everything work fine. Can you try disabling randomization though and see if it helps make things work? You can use the keyword "norandomseq" at the end of nat and static statements.


Probably this will give us a better idea if documentation is indeed crap or not.


Regards,

Vibhor.

David White Mon, 04/02/2007 - 05:23

Yes, the documentation is crap!


I'll make sure it gets fixed. I filed CSCsi33737 to track it.


David.
