10-10-2008 01:46 PM - edited 03-11-2019 06:56 AM
Since switching ISPs and having to upgrade my PIX 515 from 7.0.2 to 7.2.4 for PPPoE support, I'm having issues receiving e-mails with attachments from a particular domain. All I see in the PIX log is the following message: Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I. I'm not sure what is causing the reset.
10-10-2008 01:50 PM
TCP Reset-I suggests a reset came from your email server. You would need to look into the email server to see why it is generating the reset.
Also, you can try disabling the inspect esmtp on the ASA, if that's enabled.
Do rate if helpful.
Regards,
Sushil
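To check which side is tearing sessions down before touching the inspection policy, the teardown message quoted above can be parsed in bulk. This is an added example, not code from the thread or from Cisco; it assumes the ASA/PIX 302014 teardown format shown in the original post, reads Reset-I as a reset sent by the inside host and Reset-O as one sent by the outside host, and uses constructed sample lines (only the first one is the message from the thread).

```python
import re
from collections import Counter

# Constructed sample log; line 1 is the message from the thread, the rest are
# made up to show a FIN close and a reset coming from the outside instead.
SAMPLE_LOG = """\
Teardown TCP connection 1479120 for outside:193.246.239.75/34098 to inside:10.1.255.48/25 duration 0:16:14 bytes 87079 TCP Reset-I
Teardown TCP connection 1479121 for outside:193.246.239.72/41022 to inside:10.1.255.48/25 duration 0:00:03 bytes 1204 TCP Reset-I
Teardown TCP connection 1479122 for outside:198.51.100.7/51000 to inside:10.1.255.48/25 duration 0:00:08 bytes 9120 TCP FINs
Teardown TCP connection 1479123 for inside:10.1.255.48/40100 to outside:203.0.113.9/25 duration 0:00:05 bytes 3300 TCP Reset-O
"""

# Field layout of the %ASA-6-302014 teardown message (prefix, if any, is ignored).
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+)$"
)

def parse_teardown(line):
    """Return the fields of one teardown line as a dict, or None if it is not one."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("conn", "src_port", "dst_port", "bytes"):
        d[key] = int(d[key])
    return d

def reset_side(d):
    """'inside' for Reset-I, 'outside' for Reset-O, None for any other reason."""
    reason = d["reason"]
    if reason.endswith("Reset-I"):
        return "inside"
    if reason.endswith("Reset-O"):
        return "outside"
    return None

def smtp_reset_sources(log_text, smtp_port=25):
    """Count remote peers whose SMTP sessions to an inside server were reset by
    the inside host, i.e. the pattern in the thread (server or inspection engine
    dropping the session rather than the remote sender giving up)."""
    peers = Counter()
    for line in log_text.splitlines():
        d = parse_teardown(line)
        if not d or d["dst_port"] != smtp_port or d["dst_if"] != "inside":
            continue
        if reset_side(d) == "inside":
            peers[d["src_ip"]] += 1
    return peers
```

If the peers listed here are all the sending domain's MX hosts, the reset is consistent with the inside mail server (or the firewall's ESMTP inspection acting on its behalf) rejecting the session, which is what the rest of the thread narrows down.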
10-10-2008 02:00 PM
I'm going to disable esmtp to see if that will help. We use an IronPort device as our SMTP server. There have been no configuration changes on it that I'm aware of.
10-10-2008 02:12 PM
Disabling esmtp resolved the issue. Was this a new feature of 7.0.4? Should I leave this turned off globally or is there a way to tweak the setting to not check for certain IP addresses or email domains?
10-10-2008 02:53 PM
Here you go:
Considering 4.2.2.2 is the IP address of the email domain to which you are facing issues sending email:
ASA5510-Single(config)# policy-map global_policy
ASA5510-Single(config-pmap)# class inspection_default
ASA5510-Single(config-pmap-c)# no inspect esmtp
ASA5510-Single(config)# access-list 101 deny ip any host 4.2.2.2
ASA5510-Single(config)# access-list 101 permit ip any any
ASA5510-Single(config)# class-map myesmtp
ASA5510-Single(config-cmap)# match access-list 101
ASA5510-Single(config-cmap)# exit
ASA5510-Single(config)# policy-map global_policy
ASA5510-Single(config-pmap)# class myesmtp
ASA5510-Single(config-pmap-c)# inspect esmtp
Pretty much, you specify an access rule which defines what traffic should be inspected by the esmtp inspect. If there is a "deny" in the access list, that traffic would be bypassed by the inspection engine.
Do rate if helpful.
Regards,
Sushil
10-13-2008 06:56 AM
Thanks for the example Sushil. I am having problems receiving e-mails FROM a domain. In your example above you said it was for an issue with sending e-mails TO a domain. Would the commands be the same?
10-13-2008 07:07 AM
Just replace:
access-list 101 deny ip any host 4.2.2.2
with
access-list 101 deny ip host 4.2.2.2 any
4.2.2.2 -> IP of the domain.
Do rate helpful posts.
Regards.
Sushil
10-13-2008 11:48 AM
Not sure if there is something wrong with the configuration commands you sent or I'm doing something wrong. As soon as I enter the inspect esmtp command toward the bottom, all access to the internet seems to be blocked.
10-13-2008 01:03 PM
The suggested commands in no way can block internet traffic.
Is access-list 101 already defined somewhere in your configuration?
Not sure what is wrong. Can you post the "sh run" command output?
Regards,
Sushil
10-14-2008 05:25 PM
10-27-2008 08:22 AM
Cisco tech support suggested the changes below, and that resolved the issue.
access-list esmtp_acl extended deny tcp host 193.246.239.72 any eq 25
access-list esmtp_acl extended deny tcp host 193.246.239.73 any eq 25
access-list esmtp_acl extended deny tcp host 193.246.239.74 any eq 25
access-list esmtp_acl extended deny tcp host 193.246.239.75 any eq 25
access-list esmtp_acl extended permit tcp any any eq 25