ASA Mail Blocking? Issue

jafaruddinlie
Level 1

Hi guys, not sure where this falls under.

Here's the scenario:  We have a mail server that needs to send out bulk emails to internal and external addresses. Sometimes, the mail server would need to send a lot of emails in one burst, so to speak, and I think ASA is blocking it.

The mail server is located in the DMZ switch, which then plugs into one of the interfaces on the ASA.

The destination mail server is located in our internal network, which plugs into a CISCO switch, then to the Watchguard, then to our internal switch.

Symptom:  On the mail server, mails going to our internal mail server (and out to the internet, but it is more noticeable on emails going in) get stuck in the postfix mail queue with the message "timed out while sending end of data -- message may be sent more than once". Those mails will be stuck in the queue for eternity, whilst other mails get happily sent out. Here's the kicker: relaying the problematic emails through another mail server on the DMZ instead of directly to the internal mail server (then from that server to our internal server) works just fine.

I have done a lot of troubleshooting, and this is what I found:

Running wireshark on the SPAN port of the DMZ and on the switch between the ASA and the Watchguard, the initial communication (syn-synack-ack, then ehlo, mail from, rcpt to:, data) went well.

Because of the size of the email, the mail was broken up into 2 parts. The first DATA part was sent and acknowledged. The second part of the email, which includes the QUIT command, was sent (I can see the packets on the wire using wireshark) but never made it through the ASA (I didn't see the packets on the switch between the ASA and the Watchguard).

One more thing: we also have the ASA send its logs to our CISCO MARS (which is in our internal network, not acting as IPS), and we got this on the MARS box: "Client Exploit - Mass Emailing Worm". I figured that somehow either the amount of connections, bandwidth, or something, causes the ASA to block those particular packets. Any help on how to turn on logging so I can at least start troubleshooting this?

*EDIT for formatting


Nagaraja Thanthry
Cisco Employee

Hello,

Do you have any AIP-SSM module installed on the ASA? Have you turned on ESMTP inspection on the ASA? Can you bypass this specific traffic from the inspection engine and see if that helps? Please post the output of the "show run policy-map" and "show run service-policy" commands here so we can suggest configuration changes.

Regards,

NT

Hi Nagaraja (does it mean king of the dragons? ;))

Thank you for your reply.

Here's my response:

AIP-SSM Module: yes, we do have that module. It is set to inspect, but blocking isn't turned on.

ESMTP Inspection: the first thing I did to troubleshoot this was to run "no fixup protocol smtp 25" on the ASA. So I would say that the inspection isn't running.

RE: bypass this specific traffic from the inspection Engine, do you mean on the ASA or AIP-SSM module?

Show run policy-map:

!
policy-map global_policy
 class inspection_default
  inspect netbios
  inspect dns
 class class_ftp
  inspect ftp
 class class_ftp1
  inspect ftp
policy-map type inspect h323 H323_Map_100
 description H323 Policy Map
 parameters
  call-party-numbers
  h245-tunnel-block action log
  state-checking h225
  state-checking ras
  rtp-conformance enforce-payloadtype
 match media-type audio
  drop log
 match media-type video
  drop log
 match media-type data
  drop log
policy-map type inspect netbios NetBIOS_Map_100
 description NetBIOS Intrusion Detection Map
 parameters
  protocol-violation action log
policy-map type inspect http HTTP-Map-100
 parameters
  body-match-maximum 256
  protocol-violation action log
 match req-resp content-type mismatch
  log
 match request header content-type violation
  log
 match response header content-type violation
  log
 class _default_gator
  drop-connection log
 class _default_kazaa
  drop-connection log
 class _default_http-tunnel
  drop-connection log
 class _default_gnu-http-tunnel
  drop-connection log
 class _default_httport-tunnel
  drop-connection log
 class _default_firethru-tunnel
  drop-connection log
 class _default_GoToMyPC-tunnel
  drop-connection log
 class _default_windows-media-player-tunnel
  drop-connection log
 class _default_shoutcast-tunneling-protocol
  drop-connection log
 class _default_msn-messenger
  drop-connection log
 class _default_aim-messenger
  drop-connection log
 class _default_yahoo-messenger
  drop-connection log
 match request method post
  log
 match request method put
  log
 match request method trace
  log
 match request method delete
  log
 match request method options
  log
 match request method connect
  log
 match request method get
  log
 match request method head
  log
 match request method unlock
  log
 match request method edit
  log
 match request method save
  log
 match request method mkdir
  log
 match request method copy
  log
 match request method lock
  log
 match request method index
  log
 match request method move
  log
 match request method unedit
  log
 match request header transfer-encoding chunked
  log
 match response header transfer-encoding chunked
  log
 match request header transfer-encoding compress
  log
 match response header transfer-encoding compress
  log
 match request header transfer-encoding deflate
  log
 match response header transfer-encoding deflate
  log
 match request header transfer-encoding gzip
  log
 match response header transfer-encoding gzip
  log
 match request header transfer-encoding identity
  log
 match response header transfer-encoding identity
  log
policy-map type inspect ftp FTP-Map-100
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect dns DNS_Map_100
 description DNS Policy_Map
 parameters
  message-length maximum 4096
  id-randomization
  id-mismatch action log
policy-map type inspect sip SIP_Map_100
 description SIP Intrusion prevention Policy Map
 parameters
  ip-address-privacy
  max-forwards-validation action log
  state-checking action drop-connection log
  software-version action mask log
  strict-header-validation action drop log
  no traffic-non-sip
  uri-non-sip action mask log
  rtp-conformance enforce-payloadtype
policy-map type inspect skinny SCCP_Map_100
 description Skinny Protocol Inspection Map
 parameters
  enforce-registration
  message-id max 0x141
  sccp-prefix-len max 65536
  timeout media 0:01:00
  timeout signaling 0:05:00
  rtp-conformance enforce-payloadtype
policy-map global-policy
 description Policy for IPS Sensor
 class global-class
  inspect sqlnet
  inspect xdmcp
  inspect tftp
  inspect icmp error
  inspect rtsp
  inspect sunrpc
  inspect mgcp
  inspect pptp
  inspect ctiqbe
  inspect rsh
  inspect icmp
  inspect ils
  inspect snmp SNMP-Map-100
  inspect http HTTP-Map-100
  inspect ftp strict FTP-Map-100
  inspect dns DNS_Map_100
  inspect netbios NetBIOS_Map_100
  inspect sip SIP_Map_100
  inspect skinny SCCP_Map_100
  inspect h323 h225 H323_Map_100
  inspect h323 ras H323_Map_100
 class IPS_Class_10
  ips inline fail-open
  set connection advanced-options TCP-Norm-Map-100
policy-map type inspect im Instant_Messaging_Inspect_Map_100
 description Policy Map to detect and log Instant Messaging and Tunnelling protocols within IM and HTTP tunnels
 parameters
 match protocol msn-im yahoo-im
  log
 match version regex _default_GoToMyPC-tunnel
  log
 match version regex _default_GoToMyPC-tunnel_2
  log
 match version regex _default_aim-messenger
  log
 match version regex _default_firethru-tunnel_1
  log
 match version regex _default_firethru-tunnel_2
  log
 match version regex _default_gator
  log
 match version regex _default_gnu-http-tunnel_arg
  log
 match version regex _default_gnu-http-tunnel_uri
  log
 match version regex _default_http-tunnel
  log
 match version regex _default_httport-tunnel
  log
 match version regex _default_icy-metadata
  log
 match version regex _default_msn-messenger
  log
 match version regex _default_shoutcast-tunneling-protocol
  log
 match version regex _default_windows-media-player-tunnel
  log
 match version regex _default_x-kazaa-network
  log
 match service chat conference games voice-chat webcam
  log
policy-map type inspect dns DNS_MAP_110
 parameters
  message-length maximum 4096
  id-randomization
  id-mismatch action log
  tsig enforced action log
!

Show run service-policy:

service-policy global_policy global

Hello,

Probably the IPS is checking all the traffic and triggering the alarm. Can you include the following line in the access-list for IPS class?

access-list line 1 deny ip host host

Hope this helps.

Regards,

NT

BTW, Nagaraja means King Cobra
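The two checks this thread turns on are easy to get wrong by eye in a long "show run policy-map" dump: which policy-map the single "service-policy ... global" line actually applies, and whether a host pair still lands in the IPS class once a "deny" entry is inserted at line 1 of the class ACL ahead of the permit. The following Python script is an added example, not part of the thread and not Cisco's tooling. It parses a condensed excerpt shaped like the posted output and evaluates both questions. The class-map and access-list lines (IPS_ACL, the "match access-list" binding), the 192.0.2.x/198.51.100.x addresses and the three config variants are all constructed assumptions; the thread never shows the class-map or ACL behind IPS_Class_10.

```python
"""Added example (not from the thread or from Cisco): a minimal parser for
ASA 'show run policy-map' / 'show run service-policy' text that reports
which policy-map is applied and whether a src -> dst flow reaches the IPS
class after a first-match ACL evaluation."""
import ipaddress

# Constructed, condensed excerpt shaped like the poster's output. The
# class-map and access-list lines are assumptions (the thread never shows
# them); addresses are RFC 5737 documentation placeholders.
CONFIG_POSTED = """\
access-list IPS_ACL extended permit ip any any
class-map IPS_Class_10
 match access-list IPS_ACL
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect netbios
  inspect dns
policy-map global-policy
 description Policy for IPS Sensor
 class global-class
  inspect http HTTP-Map-100
 class IPS_Class_10
  ips inline fail-open
service-policy global_policy global
"""
# Variant with the IPS policy-map applied as the global policy instead.
CONFIG_IPS_APPLIED = CONFIG_POSTED.replace(
    "service-policy global_policy global", "service-policy global-policy global")
# Variant adding the exemption the reply suggests: typed after the permit
# entry, but 'line 1' makes it evaluate first (placeholder hosts).
CONFIG_EXEMPT = CONFIG_IPS_APPLIED + (
    "access-list IPS_ACL line 1 extended deny ip"
    " host 192.0.2.10 host 198.51.100.25\n")


def _take_addr(tokens):
    """Consume one IPv4 ACL address: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]   # /32
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _add_acl(acls, words):
    """access-list NAME [line N] [extended] {permit|deny} PROTO SRC DST"""
    name, rest, pos = words[1], words[2:], None
    if rest[0] == "line":            # 'line N' inserts at position N
        pos, rest = int(rest[1]) - 1, rest[2:]
    if rest[0] == "extended":
        rest = rest[1:]
    action, proto, rest = rest[0], rest[1], rest[2:]
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    entries = acls.setdefault(name, [])
    entries.insert(len(entries) if pos is None else pos, (action, proto, src, dst))


def parse(text):
    """Build {acls, class_maps, policy_maps, service_policy} from the text."""
    cfg = {"acls": {}, "class_maps": {}, "policy_maps": {}, "service_policy": []}
    pm = cm = cls = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if indent == 0:              # a top-level statement resets context
            pm = cm = cls = None
            if words[0] == "access-list":
                _add_acl(cfg["acls"], words)
            elif words[0] == "class-map":
                cm = words[-1]
                cfg["class_maps"][cm] = ""
            elif words[0] == "policy-map":
                pm = words[-1]
                cfg["policy_maps"][pm] = {}
            elif words[0] == "service-policy":
                cfg["service_policy"].append((words[1], words[2]))
        elif indent == 1:
            cls = words[1] if pm is not None and words[0] == "class" else None
            if cls is not None:
                cfg["policy_maps"][pm][cls] = []
            elif cm is not None and words[0] == "match":
                cfg["class_maps"][cm] = " ".join(words[1:])
        elif pm is not None and cls is not None:   # action under a class
            cfg["policy_maps"][pm][cls].append(" ".join(words))
    return cfg


def applied_policy_maps(cfg):
    return [pm for pm, _scope in cfg["service_policy"]]


def acl_action(cfg, acl_name, src, dst):
    """First-match evaluation: 'permit', 'deny', or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, _proto, src_net, dst_net in cfg["acls"].get(acl_name, []):
        if s in src_net and d in dst_net:
            return action
    return None


def ips_applies(cfg, src, dst):
    """True if an applied policy-map has a class carrying an 'ips' action
    whose class-map ACL permits src -> dst."""
    for pm in applied_policy_maps(cfg):
        for cls, actions in cfg["policy_maps"].get(pm, {}).items():
            match = cfg["class_maps"].get(cls, "")
            if (any(a.startswith("ips ") for a in actions)
                    and match.startswith("access-list ")
                    and acl_action(cfg, match.split()[1], src, dst) == "permit"):
                return True
    return False


def applied_inspections(cfg):
    """Every 'inspect ...' action reachable through the applied policy-maps."""
    return [a for pm in applied_policy_maps(cfg)
            for actions in cfg["policy_maps"].get(pm, {}).values()
            for a in actions if a.startswith("inspect ")]


if __name__ == "__main__":
    for label, text in [("posted", CONFIG_POSTED), ("ips applied", CONFIG_IPS_APPLIED),
                        ("exempt", CONFIG_EXEMPT)]:
        cfg = parse(text)
        print(label, applied_policy_maps(cfg), applied_inspections(cfg),
              "ips on mail flow:", ips_applies(cfg, "192.0.2.10", "198.51.100.25"))
```

Run against the constructed excerpt, the script reports that only global_policy is applied (so neither esmtp nor the IPS class is reachable through the service-policy), and that once the IPS policy-map is the applied one, the "line 1 deny" entry removes the placeholder mail-server pair from the IPS class while any other source still matches the trailing permit. Real configs also carry object-groups and port qualifiers that this parser deliberately ignores.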
