I'm having random problems sending/receiving email through my ASA 5510

Unanswered Question
Apr 11th, 2007
User Badges:

I have an issue sending emails to only a few different sites. Most of my emails are sent/received with no problem, but for a few I see the response below on my ASA when I force a resend from the queue on my Exchange email server.

4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].

I just noticed it today and it looks like they've been sitting in the message queue for about 2 days. Thanks for any help.

abinjola Wed, 04/11/2007 - 09:50
User Badges:
  • Cisco Employee,

Do you have any access-list on the inside interface?


If yes, then add a line there:


access-l External_access_in line 1 permit tcp any host 207.54.49.42 eq 25

a.grussner Wed, 04/11/2007 - 10:23

This is all I have for my Internal (Inside) interface.


access-list Internal_access_in extended permit icmp any any

access-list Internal_access_in extended permit ip any any


It's random, so it's not always the same IP that's getting dropped; I don't think putting in a specific IP like you recommended would work. I've been doing some more testing and it's still very strange. Anything else I can try?

abinjola Wed, 04/11/2007 - 10:28
User Badges:
  • Cisco Employee,

OK, in the translations, are you using static port redirection for this SMTP traffic? If yes, then use the keyword interface rather than the IP:


static (inside,outside) tcp interface 25 <inside-mail-server-ip> 25 netmask 255.255.255.255

a.grussner Wed, 04/11/2007 - 11:32

This is what I currently have. Does it look OK? Thanks.


global (External) 1 interface

nat (Internal) 0 access-list Internal_nat0_outbound

nat (Internal) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list dmz_nat0_outbound

nat (DMZ) 1 0.0.0.0 0.0.0.0

static (Internal,External) tcp interface smtp 192.168.0.202 smtp netmask 255.255.255.255

static (Internal,External) tcp interface 21093 192.168.0.240 21093 netmask 255.255.255.255

static (Internal,External) tcp interface 21094 192.168.0.240 21094 netmask 255.255.255.255

static (Internal,External) tcp interface 21095 192.168.0.237 21095 netmask 255.255.255.255

static (Internal,External) tcp interface 21096 192.168.0.237 21096 netmask 255.255.255.255

static (Internal,External) tcp interface 21097 192.168.0.242 21097 netmask 255.255.255.255

static (Internal,External) tcp interface 21098 192.168.0.242 21098 netmask 255.255.255.255

static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (DMZ,External) 209.254.10.14 192.168.2.4 netmask 255.255.255.255

static (DMZ,External) 209.254.10.12 192.168.2.3 netmask 255.255.255.255

static (DMZ,External) 209.254.10.13 192.168.2.2 netmask 255.255.255.255

access-group External_access_in in interface External

access-group Internal_access_in in interface Internal

access-group dmz_in in interface DMZ

route External 0.0.0.0 0.0.0.0 209.254.10.10 1

Execute this command:


show service-policy


Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0

Inspect: ftp, packet 0, drop 0, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: netbios, packet 0, drop 0, reset-drop 0

Inspect: rsh, packet 0, drop 0, reset-drop 0

Inspect: rtsp, packet 0, drop 0, reset-drop 0

Inspect: skinny, packet 0, drop 0, reset-drop 0

Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

Inspect: sqlnet, packet 0, drop 0, reset-drop 0

Inspect: sunrpc, packet 0, drop 0, reset-drop 0

Inspect: tftp, packet 0, drop 0, reset-drop 0

Inspect: sip, packet 0, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Class-map: bgptest

Set connection policy: random-sequence-number disable


Set connection advanced-options: bgptest

Retransmission drops: 0 TCP checksum drops : 0

Exceeded MSS drops : 0 SYN with data drops: 0

Out-of-order packets: 0 No buffer drops : 0

Reserved bit cleared: 0 Reserved bit drops : 0

IP TTL modified : 0 Urgent flag cleared: 0

Window varied resets: 0

TCP-options:

Selective ACK cleared: 0 Timestamp cleared : 0

Window scale cleared : 0

Other options cleared: 0

Other options drops: 0


Look out for this line:


Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0


If the drop count is increasing, remove the inspect esmtp from the policy command, e.g.:


policy-map global_policy

class inspection_default

no inspect esmtp



Thank you, hope this helps you.



Regards



a.grussner Thu, 04/12/2007 - 07:47

Here's what the line currently looks like:


Inspect: esmtp _default_esmtp_map, packet 1587301, drop 50466, reset-drop 0


I've checked it a few times this morning and it's still the same. Should I still remove it or just wait to see if it increases? If it's removed, what problems could I have or what do I lose? Thanks.
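
The advice above is to watch whether the esmtp drop counter keeps climbing between two readings of show service-policy. As an added example (not code from the thread or from Cisco), the following Python parses the Inspect: lines of two snapshots, computes the per-engine counter growth, and reports the engines whose drops rose together with their drop ratio. The snapshots are constructed from the two outputs quoted in the thread; the non-zero dns and ftp packet counts in the second snapshot are invented filler, only the esmtp values are the ones posted.

```python
import re
from typing import Dict, List, Tuple

Counters = Tuple[int, int, int]  # (packet, drop, reset-drop)

# One "Inspect:" line of show service-policy; the engine field keeps its map name
# (e.g. "esmtp _default_esmtp_map", "h323 h225 _default_h323_map").
INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<engine>[^,]+),\s+packet\s+(?P<packet>\d+),\s+drop\s+(?P<drop>\d+),"
    r"\s+reset-drop\s+(?P<reset>\d+)"
)


def parse_inspect_counters(output: str) -> Dict[str, Counters]:
    """Map each inspection engine to its (packet, drop, reset-drop) counters."""
    return {
        m["engine"].strip(): (int(m["packet"]), int(m["drop"]), int(m["reset"]))
        for m in INSPECT_RE.finditer(output)
    }


def drop_deltas(before: Dict[str, Counters], after: Dict[str, Counters]) -> Dict[str, Counters]:
    """Per-engine counter growth between two snapshots (engines absent earlier count from zero)."""
    return {
        engine: tuple(a - b for a, b in zip(after[engine], before.get(engine, (0, 0, 0))))
        for engine in after
    }


def rising_drop_engines(before: Dict[str, Counters], after: Dict[str, Counters]) -> List[str]:
    """Engines whose drop or reset-drop counter grew between the two snapshots."""
    return sorted(e for e, (_, dd, dr) in drop_deltas(before, after).items() if dd > 0 or dr > 0)


def drop_ratio(counters: Counters) -> float:
    """Fraction of inspected packets dropped (drop + reset-drop over packets seen)."""
    packets, drops, resets = counters
    return (drops + resets) / packets if packets else 0.0


# Constructed snapshots. The first mirrors the all-zero output quoted in the thread; the
# second carries the esmtp counter the original poster reported the next day, while the
# dns and ftp packet counts are invented filler to show unchanged engines are ignored.
SNAPSHOT_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
"""

SNAPSHOT_AFTER = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 42017, drop 0, reset-drop 0
      Inspect: ftp, packet 311, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 1587301, drop 50466, reset-drop 0
"""

if __name__ == "__main__":
    before = parse_inspect_counters(SNAPSHOT_BEFORE)
    after = parse_inspect_counters(SNAPSHOT_AFTER)
    for engine in rising_drop_engines(before, after):
        _, dd, dr = drop_deltas(before, after)[engine]
        print(f"{engine}: +{dd} drops, +{dr} reset-drops, ratio {drop_ratio(after[engine]):.2%}")
```

Run it against two copies of show service-policy taken a few minutes apart; an engine that appears in the rising list while mail is stuck is the one worth investigating before changing the policy map, and the ratio puts a single large drop number into proportion with the traffic the engine actually inspected.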

abinjola Thu, 04/12/2007 - 09:28
User Badges:
  • Cisco Employee,

Well, you shouldn't see this message because of inspect ESMTP drops:


4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].


Are you facing issues only sending emails to the outside world?

a.grussner Fri, 04/13/2007 - 08:38

Yes it only happens to random emails going outside the firewall. All internal email is working OK with no errors.

tcscadmin Mon, 04/16/2007 - 08:29

Dear God, people. It's not an ACL problem on his end. This is indicative of an established SMTP connection.


4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].


This naturally happens in networking. One side thinks a connection that IS ALREADY ESTABLISHED closes and the other side sends some packet afterwards.


It has NOTHING to do with his problem.


At first glance, I'd say your problem is not PIX-related. It's either the way your mail server does business, your reverse DNS is fubar, or their SMTP inspection is blocking you.
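
The point made above is that a 106023 deny whose source port is 25 and whose destination port is a high ephemeral port is a stray segment from an outbound SMTP session the firewall has already removed from its connection table, not an ACL refusing an inbound connection. As an added example (not code from the thread or from Cisco), this Python triage parses the deny text common to the syslog and ASDM renderings of message 106023 and applies exactly that distinction. The verdict names and the port-1023 service/ephemeral split are assumptions of the example; the first sample line is the one posted in the thread, the other two are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Body shared by the syslog (%ASA-4-106023) and ASDM log-viewer renderings of message 106023.
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

WELL_KNOWN_MAX = 1023  # assumption: ports 0-1023 belong to the server side (SMTP is 25)


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_106023(line: str) -> Optional[Deny]:
    """Extract the 5-tuple and ACL name from one 106023 line, or None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Deny(g["proto"].lower(), g["src_if"], g["src_ip"], int(g["src_port"]),
                g["dst_if"], g["dst_ip"], int(g["dst_port"]), g["acl"])


def triage(deny: Deny) -> str:
    """Classify a TCP deny by which end holds the service port.

    late-reply:      service port -> ephemeral port. The remote server answered a session
                     the ASA had already dropped from its connection table (closed or timed
                     out), so the segment fell through to the interface ACL. Not an ACL fault.
    inbound-blocked: ephemeral port -> service port. A genuine new inbound connection
                     attempt that the ACL refused; this is the case an ACL change addresses.
    review:          anything else (non-TCP, or neither side on a service port).
    """
    if deny.proto != "tcp":
        return "review"
    if deny.dst_port <= WELL_KNOWN_MAX < deny.src_port:
        return "inbound-blocked"
    if deny.src_port <= WELL_KNOWN_MAX < deny.dst_port:
        return "late-reply"
    return "review"


def triage_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, src_ip:port, dst_ip:port) for every 106023 line; other lines are skipped."""
    out = []
    for line in lines:
        d = parse_106023(line)
        if d is not None:
            out.append((triage(d), f"{d.src_ip}:{d.src_port}", f"{d.dst_ip}:{d.dst_port}"))
    return out


# Sample input: line 1 is the deny posted in the thread; line 2 is a constructed inbound
# refusal from a documentation-range address; line 3 is a constructed unrelated message.
SAMPLE_LOG = [
    '4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 '
    'dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].',
    '%ASA-4-106023: Deny tcp src External:198.51.100.7/51234 dst Internal:209.254.10.10/25 '
    'by access-group "External_access_in" [0x0, 0x0]',
    'Apr 11 2007 12:07:39 %ASA-6-302014: Teardown TCP connection 12345 for External:207.54.49.42/25 ...',
]

if __name__ == "__main__":
    for verdict, src, dst in triage_lines(SAMPLE_LOG):
        print(f"{verdict:16} {src} -> {dst}")
```

For the line from the thread the verdict is late-reply: the Exchange server opened the session from port 8555 to the remote MTA's port 25, and what the ACL denied was the remote side's last segment after the ASA had already torn the session down. A deny classified as inbound-blocked is the only kind where adding a permit to External_access_in would change anything.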

Tshi M Thu, 04/19/2007 - 12:42
User Badges:
  • Silver, 250 points or more

I was told that MS Exchange server doesn't work well with "inspect esmtp". Please try removing it and see if that helps.
