Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

SMTP Inspection coming through all XXXXX

I have a fingerprint scanner that emails the record to a central processing facility. The traffic goes out of my workstation, through a Cisco 1800, then through the ASA. The reciever reports that the received traffic is all "XXXXXX". 

I've narrowed it down to smtp inspection per: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113423-asa-esmtp-smtp-inspection.html

I don't have inspection enabled. Do I need to enable it? Please help!

 

Cisco 1800

Current configuration : 3329 bytes
!
version 12.4

!
!
ip ssh version 2
!
!
interface FastEthernet0/0
 ip address x.x.40.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.37.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 switchport mode trunk
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address x.x.11.1 255.255.255.0
!
interface Vlan172
 ip address x.x.16.1 255.255.255.0
 ip access-group 100 in
!
ip route 0.0.0.0 0.0.0.0 x.x.40.4
ip route 162.143.0.0 255.255.0.0 x.x.37.4
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 deny   ip x.x.16.0 0.0.0.255 x.x.11.0 0.0.0.255
access-list 100 deny   ip x.x.16.0 0.0.0.255 x.x.37.0 0.0.0.255
access-list 100 remark Deny Guest VLAN to private VLANs
access-list 100 deny   ip x.x.16.0 0.0.0.255 162.143.0.0 0.0.255.255
access-list 100 permit ip x.x.16.0 0.0.0.255 any
snmp-server community xxxxxx RO
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 password Wind123!!
 login local
 transport input ssh
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end

 

ASA:
 

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(2) 
!
hostname WPD-INTERNET-FW
!
interface Vlan10
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan20
 nameif inside
 security-level 100
 ip address x.x.40.4 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 switchport access vlan 20
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa724-k8bin
no ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxxxxx
same-security-traffic permit inter-interface
access-list SMTP_IN extended permit tcp any eq smtp any 
access-list outbound extended permit tcp host x.x.11.116 any eq smtp 
access-list outbound extended deny tcp any any eq smtp 
access-list outbound extended permit ip any any 
access-list inside_nat0_outbound extended permit ip any x.x.40.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN x.x.40.100-x.x.40.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 x.x.16.0 255.255.255.0
nat (inside) 10 x.x.11.0 255.255.255.0
nat (inside) 10 x.x.40.0 255.255.255.0
route inside x.x.16.0 255.255.255.0 x.x.40.2 1
route inside x.x.11.0 255.255.255.0 x.x.40.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http x.x.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.11.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
  inspect http 
policy-map inspect
!
service-policy global_policy global
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value x.x.11.10
 vpn-tunnel-protocol IPSec 
 default-domain value xxxxx.local
username xxxxx password xxxxx encrypted privilege 15
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
 address-pool VPN
 default-group-policy CiscoVPN
tunnel-group CiscoVPN ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:xxxxxxx
: end

Some info redacted, of course. 

Here is the response on the receiving end:

Protocol SMTP interface CJNET (IP x.x.x.x) on incoming connection from sender IP (x.x.x.x). Revers DNS host None verified no. 

(ICID 7481238) ACCEPT sender group Verified match sbrs(none) SBRS None

(ICID 7481238) Unkown command: XXXXXXXX. 

That last line with XXXXXXX is actual, non redacted text. 

Everyone's tags (1)
4 REPLIES
Community Member

On your ASA try: policy-map

On your ASA try:

 

policy-map global_policy

class inspection_default

inspect SMTP

inspect ESMTP

Community Member

I have this problem as well.

I have this problem as well. 

At the moment, I only discovered this in relation to Windows 8 OS as the SMTP client.

Emulating the SMTP dialog using a telnet session, I've been able to capture the difference between a Linux (where it's working) and a Windows 8 (where it doesn't work).

Under Linux, the complete line typed into telnet is being sent to the server through the ASA in one packet. 

Under Windows 8, 1-2 characters are sent in separate packets through the ASA which have to be reassembled. 

I've the inspection enabled with default parameters. I guess the inspection engine has an issue, if the SMTP command is split over multiple packets.

Community Member

This discussion has been

This discussion has been reposted from Additional Communities to the Email Security community.

Cisco Employee

Just to make sure you are

Just to make sure you are aware. IF you enable "inspect ESMTP" then TLS will not work for the ESA. Inspect ESMTP on ASA does not allow the STARTTLS command without additional configuration therefore any incoming email will never be able to establish a TLS session to the Email Security Appliance. Best practice is to disable inspect SMTP/ESMTP on ASA and let the ESA handle TLS communications.

 

http://www.cisco.com/web/about/security/intelligence/asa_esmtp_starttls.html

 

Note is has changed from earlier versions of ASA where STARTTLS was not supported. Please check your version of ASA code before making any changes.

 

Tom

734
Views
0
Helpful
4
Replies
CreatePlease to create content