04-11-2007 09:24 AM - edited 03-11-2019 02:58 AM
I have an issue sending emails to only a few different sites. Most of my emails are sent/received with no problem, but for a few I see the response below on my ASA when I force a resend from the queue on my Exchange email server.
4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].
I just noticed it today and it looks like they've been sitting in the message queue for about 2 days. Thanks for any help.
04-11-2007 09:50 AM
Do you have any access-list on the inside interface?
If yes, then add a line there:
access-l External_access_in line 1 permit tcp any host 207.54.49.42 eq 25
04-11-2007 10:23 AM
This is all I have for my Internal (Inside) interface.
access-list Internal_access_in extended permit icmp any any
access-list Internal_access_in extended permit ip any any
It's random so it's not always the same IP that's getting dropped so I don't think putting in a specific IP like you recommended would work. I've been doing some more testing and it's still very strange. Anything else I can try?
04-11-2007 10:28 AM
OK, in the translations, are you using static port redirection for this SMTP traffic? If yes, then use the keyword interface rather than the IP:
static (inside,outside) tcp interface 25
04-11-2007 11:32 AM
This is what I currently have. Does it look OK? Thanks.
global (External) 1 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (Internal,External) tcp interface smtp 192.168.0.202 smtp netmask 255.255.255.255
static (Internal,External) tcp interface 21093 192.168.0.240 21093 netmask 255.255.255.255
static (Internal,External) tcp interface 21094 192.168.0.240 21094 netmask 255.255.255.255
static (Internal,External) tcp interface 21095 192.168.0.237 21095 netmask 255.255.255.255
static (Internal,External) tcp interface 21096 192.168.0.237 21096 netmask 255.255.255.255
static (Internal,External) tcp interface 21097 192.168.0.242 21097 netmask 255.255.255.255
static (Internal,External) tcp interface 21098 192.168.0.242 21098 netmask 255.255.255.255
static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,External) 209.254.10.14 192.168.2.4 netmask 255.255.255.255
static (DMZ,External) 209.254.10.12 192.168.2.3 netmask 255.255.255.255
static (DMZ,External) 209.254.10.13 192.168.2.2 netmask 255.255.255.255
access-group External_access_in in interface External
access-group Internal_access_in in interface Internal
access-group dmz_in in interface DMZ
route External 0.0.0.0 0.0.0.0 209.254.10.10 1
04-11-2007 09:22 PM
Execute this command:
show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Class-map: bgptest
Set connection policy: random-sequence-number disable
Set connection advanced-options: bgptest
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Out-of-order packets: 0 No buffer drops : 0
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
TCP-options:
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared: 0
Other options drops: 0
Look out for this line
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
If the drop count is increasing, remove the esmtp inspection from the policy map, e.g.
policy-map global_policy
class inspection_default
no inspect esmtp
Thank you, hope this helps you.
Regards
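The advice above is to watch the esmtp drop counter over time, not just read it once. As an added example (not from this thread or from Cisco), here is a small Python script that parses two `show service-policy` snapshots and reports which inspections had their drop counter grow between them. The first snapshot reuses the esmtp numbers quoted later in the thread; everything else in the samples is constructed for illustration.

```python
import re

# Constructed sample: two `show service-policy` snapshots taken a few minutes apart.
# The esmtp counters in T0 are the ones quoted in the thread; the rest are made up.
SNAPSHOT_T0 = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 120, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 1587301, drop 50466, reset-drop 0
Inspect: sqlnet, packet 40, drop 3, reset-drop 0
"""
SNAPSHOT_T1 = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 131, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 1588040, drop 50521, reset-drop 0
Inspect: sqlnet, packet 2, drop 0, reset-drop 0
"""

# One "Inspect:" line. The name keeps any attached map name ("esmtp _default_esmtp_map")
# so that "h323 h225 ..." and "h323 ras ..." remain distinct keys.
INSPECT_RE = re.compile(
    r"Inspect:\s+(?P<name>[^,]+?),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset>\d+)"
)


def parse_service_policy(text):
    """Return {inspection name: (packet, drop, reset-drop)} from show service-policy output."""
    counters = {}
    for line in text.splitlines():
        m = INSPECT_RE.search(line)
        if m:
            counters[m.group("name").strip()] = (
                int(m.group("packet")), int(m.group("drop")), int(m.group("reset")))
    return counters


def drop_deltas(before, after):
    """Per-inspection increase of the drop counter between two parsed snapshots.

    Inspections missing from either snapshot are skipped. A counter that went
    backwards (reload or cleared statistics) is reported as 0, not negative.
    """
    deltas = {}
    for name, (_, drop_after, _) in after.items():
        if name in before:
            deltas[name] = max(0, drop_after - before[name][1])
    return deltas


def growing_inspections(text_before, text_after):
    """Sorted names of inspections whose drop counter increased between the snapshots."""
    deltas = drop_deltas(parse_service_policy(text_before),
                         parse_service_policy(text_after))
    return sorted(name for name, d in deltas.items() if d > 0)


if __name__ == "__main__":
    before = parse_service_policy(SNAPSHOT_T0)
    after = parse_service_policy(SNAPSHOT_T1)
    for name, delta in sorted(drop_deltas(before, after).items()):
        print(f"{name:40s} drops +{delta}")
    print("growing:", growing_inspections(SNAPSHOT_T0, SNAPSHOT_T1))
```

Paste real snapshots into the two strings (or read them from files) and run it after a forced queue resend; an esmtp delta that tracks the resend is the signal the post above describes, whereas a large but static drop count only says the inspection dropped something in the past.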
04-12-2007 07:47 AM
Here's what the line currently looks like:
Inspect: esmtp _default_esmtp_map, packet 1587301, drop 50466, reset-drop 0
I've checked it a few times this morning and it's still the same. Should I still remove it or just wait to see if it increases? If it's removed, what problems could I have or what do I lose? Thanks.
04-12-2007 09:28 AM
Well, you shouldn't see this message because of inspect ESMTP drops:
4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].
Are you facing issues only when sending emails to the outside world?
04-13-2007 08:38 AM
Yes it only happens to random emails going outside the firewall. All internal email is working OK with no errors.
04-16-2007 05:53 AM
Hi,
The esmtp inspection inspects your SMTP connections and makes sure they obey the RFC standard.
Most email servers break this standard.
Note you can always add it back.
For the access-list log, the source port is 25; that is not email coming in.
04-16-2007 08:29 AM
Dear God, people. It's not an ACL problem on his end. This is indicative of an established SMTP connection.
4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].
This naturally happens in networking. One side thinks a connection that IS ALREADY ESTABLISHED closes and the other side sends some packet afterwards.
It has NOTHING to do with his problem.
At first glance, I'd say your problem is not PIX related. It's either the way your mail server does business, your reverse DNS is fubar, or their SMTP inspection is blocking you.
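The last two replies make the same point from the log line itself: source port 25 with a high destination port is a remote mail server's reply to an outbound session the ASA no longer tracks, whereas a real inbound block would show destination port 25. As an added example (not from this thread or from Cisco), the Python below parses ASA 106023 deny messages in both the ASDM log-viewer form quoted above and the raw `%ASA-4-106023:` syslog form, and sorts them into those categories so a queue of such messages can be triaged instead of read one by one. The sample log mixes the thread's own line with constructed ones using RFC 5737 documentation addresses; treating any destination port above 1023 as an ephemeral port is an assumption of this example.

```python
import re
from collections import Counter

# Fields of a 106023 "Deny ... by access-group" message. The regex is searched, not
# anchored, so the ASDM form (leading severity, date, IPs) and the raw syslog form both parse.
DENY_RE = re.compile(
    r'Deny\s+(?P<proto>\w+)\s+src\s+(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)'
    r'\s+dst\s+(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)'
    r'\s+by\s+access-group\s+"(?P<acl>[^"]+)"'
)

SMTP_PORT = 25
EPHEMERAL_MIN = 1024  # assumption: anything above the well-known range is a client port

# Constructed sample log. The first line is the one quoted in the thread; the others
# are made up to show the other categories.
SAMPLE_LOG = [
    '4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src '
    'External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group '
    '"External_access_in" [0x0, 0x0].',
    '%ASA-4-106023: Deny tcp src External:198.51.100.7/40112 dst Internal:209.254.10.10/25 '
    'by access-group "External_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src External:198.51.100.9/53 dst Internal:209.254.10.10/33000 '
    'by access-group "External_access_in" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12345 for External:198.51.100.7/25 '
    '(198.51.100.7/25) to Internal:192.168.0.202/1044 (209.254.10.10/1044)',
]


def parse_106023(line):
    """Return the deny message fields as a dict, or None if the line is not a 106023 deny."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify_smtp_deny(rec):
    """Label a parsed deny according to what it means for mail flow."""
    if rec["proto"].lower() != "tcp":
        return "non-tcp"
    if rec["dst_port"] == SMTP_PORT:
        # A new connection *to* port 25 was refused: this is what a missing permit looks like.
        return "inbound-smtp-blocked"
    if rec["src_port"] == SMTP_PORT and rec["dst_port"] >= EPHEMERAL_MIN:
        # The remote MTA answered after the ASA had already torn down the outbound
        # session, so the packet hit the interface ACL instead of the state table.
        return "late-reply-from-remote-mta"
    return "other"


def summarize(lines):
    """Count lines per category; lines that are not 106023 denies are reported as 'unparsed'."""
    counts = Counter()
    for line in lines:
        rec = parse_106023(line)
        counts[classify_smtp_deny(rec) if rec else "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_106023(line)
        print(classify_smtp_deny(rec) if rec else "unparsed", "|", line[:80])
    print(dict(summarize(SAMPLE_LOG)))
```

Only the "inbound-smtp-blocked" bucket points at the access-group; the "late-reply-from-remote-mta" bucket is the connection-teardown noise the reply above describes, and a queue of stuck outbound mail should be investigated on the mail server, DNS and the remote side's SMTP inspection rather than in the ACL.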
04-19-2007 12:42 PM
I was told that MS Exchange server doesn't work well with "inspect esmtp". Please try removing it and see if that helps.