I'm having random problems sending/receiving email through my ASA 5510

a.grussner
Level 1

I have an issue sending emails to only a few different sites. Most of my emails are sent/received with no problem, but for a few I see the response below on my ASA when I force a resend from the queue on my Exchange email server.

4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].

I just noticed it today and it looks like they've been sitting in the message queue for about 2 days. Thanks for any help.

11 Replies

abinjola
Cisco Employee

Do you have any access-list on the inside interface?

If yes, then add a line there:

access-l External_access_in line 1 permit tcp any host 207.54.49.42 eq 25

This is all I have for my Internal (Inside) interface.

access-list Internal_access_in extended permit icmp any any

access-list Internal_access_in extended permit ip any any

It's random, so it's not always the same IP that's getting dropped; I don't think putting in a specific IP like you recommended would work. I've been doing some more testing and it's still very strange. Anything else I can try?

OK, in the translations, are you using static port redirection for this SMTP traffic? If yes, then use the keyword interface rather than using the IP:

static (inside,outside) tcp interface 25 25

This is what I currently have. Does it look OK? Thanks.

global (External) 1 interface

nat (Internal) 0 access-list Internal_nat0_outbound

nat (Internal) 1 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list dmz_nat0_outbound

nat (DMZ) 1 0.0.0.0 0.0.0.0

static (Internal,External) tcp interface smtp 192.168.0.202 smtp netmask 255.255.255.255

static (Internal,External) tcp interface 21093 192.168.0.240 21093 netmask 255.255.255.255

static (Internal,External) tcp interface 21094 192.168.0.240 21094 netmask 255.255.255.255

static (Internal,External) tcp interface 21095 192.168.0.237 21095 netmask 255.255.255.255

static (Internal,External) tcp interface 21096 192.168.0.237 21096 netmask 255.255.255.255

static (Internal,External) tcp interface 21097 192.168.0.242 21097 netmask 255.255.255.255

static (Internal,External) tcp interface 21098 192.168.0.242 21098 netmask 255.255.255.255

static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (DMZ,External) 209.254.10.14 192.168.2.4 netmask 255.255.255.255

static (DMZ,External) 209.254.10.12 192.168.2.3 netmask 255.255.255.255

static (DMZ,External) 209.254.10.13 192.168.2.2 netmask 255.255.255.255

access-group External_access_in in interface External

access-group Internal_access_in in interface Internal

access-group dmz_in in interface DMZ

route External 0.0.0.0 0.0.0.0 209.254.10.10 1

Execute this command:

show service-policy

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0

Inspect: ftp, packet 0, drop 0, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

Inspect: netbios, packet 0, drop 0, reset-drop 0

Inspect: rsh, packet 0, drop 0, reset-drop 0

Inspect: rtsp, packet 0, drop 0, reset-drop 0

Inspect: skinny, packet 0, drop 0, reset-drop 0

Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

Inspect: sqlnet, packet 0, drop 0, reset-drop 0

Inspect: sunrpc, packet 0, drop 0, reset-drop 0

Inspect: tftp, packet 0, drop 0, reset-drop 0

Inspect: sip, packet 0, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, drop 0, reset-drop 0

Class-map: bgptest

Set connection policy: random-sequence-number disable

Set connection advanced-options: bgptest

Retransmission drops: 0 TCP checksum drops : 0

Exceeded MSS drops : 0 SYN with data drops: 0

Out-of-order packets: 0 No buffer drops : 0

Reserved bit cleared: 0 Reserved bit drops : 0

IP TTL modified : 0 Urgent flag cleared: 0

Window varied resets: 0

TCP-options:

Selective ACK cleared: 0 Timestamp cleared : 0

Window scale cleared : 0

Other options cleared: 0

Other options drops: 0

Look out for this line:

Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0

If the drop count is increasing, remove inspect esmtp from the policy-map, e.g.:

policy-map global_policy

class inspection_default

no inspect esmtp

Thank you, hope this helps you.

Regards

Here's what the line currently looks like:

Inspect: esmtp _default_esmtp_map, packet 1587301, drop 50466, reset-drop 0

I've checked it a few times this morning and it's still the same. Should I still remove it or just wait to see if it increases? If it's removed, what problems could I have or what do I lose? Thanks.

Well, you shouldn't see this message because of inspect ESMTP drops:

4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].

Are you facing issues only sending emails to the outside world?

Yes it only happens to random emails going outside the firewall. All internal email is working OK with no errors.

Hi,

The ESMTP inspection inspects your SMTP connections and makes sure they obey the RFC standard.

Most email servers break this standard.

Note you can always add it back.

For the access-list log, the source port is 25; that is not email coming in.

tcscadmin
Level 1

Dear God people. It's not an ACL problem on his end. This is indicative of an established SMTP connection.

4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src External:207.54.49.42/25 dst Internal:209.254.10.10/8555 by access-group "External_access_in" [0x0, 0x0].

This naturally happens in networking. One side thinks a connection that IS ALREADY ESTABLISHED closes and the other side sends some packet afterwards.

It has NOTHING to do with his problem.

At first glance, I'd say your problem is not PIX related. It's either the way your mail server does business, your reverse DNS is fubar, or their SMTP inspection is blocking you.
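Two of the replies above can be turned into a small triage check: classify the 106023 deny by its port direction (source port 25 with an ephemeral destination port is a late packet of an outbound SMTP session, not inbound mail) and compare two "show service-policy" snapshots to see whether the esmtp drop counter is still climbing. This is an added example, not code from the thread or from Cisco; the second snapshot and the regexes are constructed assumptions that match the log formats quoted in this thread.

```python
import re

# Constructed sample: same ASDM-style 106023 line format as quoted in the thread.
SAMPLE_DENY = ('4 Apr 11 2007 12:07:38 106023 207.54.49.42 209.254.56.10 Deny tcp src '
               'External:207.54.49.42/25 dst Internal:209.254.10.10/8555 '
               'by access-group "External_access_in" [0x0, 0x0].')

# Constructed snapshots of the esmtp line from "show service-policy", taken minutes apart.
SNAPSHOT_1 = "Inspect: esmtp _default_esmtp_map, packet 1587301, drop 50466, reset-drop 0"
SNAPSHOT_2 = "Inspect: esmtp _default_esmtp_map, packet 1590020, drop 50612, reset-drop 0"

DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
INSPECT_RE = re.compile(
    r'Inspect: (?P<name>\w+)\b.*?packet (?P<packet>\d+), drop (?P<drop>\d+), reset-drop (?P<reset>\d+)')

def parse_deny(line):
    """Extract protocol, interfaces, addresses, ports and ACL name from a 106023 deny line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['sport'], rec['dport'] = int(rec['sport']), int(rec['dport'])
    return rec

def classify_deny(rec):
    """Source port 25 towards an ephemeral port is return traffic of an already-closed
    outbound SMTP session; destination port 25 would be an inbound delivery attempt."""
    if rec['sport'] == 25 and rec['dport'] > 1023:
        return 'late packet of an outbound SMTP session (not inbound mail)'
    if rec['dport'] == 25:
        return 'inbound SMTP delivery blocked by ACL'
    return 'other'

def parse_inspect(output, name='esmtp'):
    """Return the packet/drop/reset-drop counters for one inspect engine, or None."""
    for line in output.splitlines():
        m = INSPECT_RE.search(line)
        if m and m.group('name') == name:
            return {k: int(m.group(k)) for k in ('packet', 'drop', 'reset')}
    return None

def esmtp_drop_delta(before, after):
    """Difference in esmtp drops between two snapshots; > 0 means drops are still increasing."""
    a, b = parse_inspect(before), parse_inspect(after)
    if a is None or b is None:
        return None
    return b['drop'] - a['drop']

if __name__ == '__main__':
    print(classify_deny(parse_deny(SAMPLE_DENY)))
    print('esmtp drops since last snapshot:', esmtp_drop_delta(SNAPSHOT_1, SNAPSHOT_2))
```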

Tshi M
Level 5

I was told that MS Exchange server doesn't work well with "inspect esmtp". Please try removing it and see if that helps.
