I'm having a problem with outbound mail connecting to nauticom.com. The application inspection on the ASA is doing something to the packet out the door that nauticom doesn't like. I can telnet to their server on port 25 and try an "ehlo"; the server responds with "I don't understand xxx.xxx.xxx", and it is x's that their server sees. I verified that it's the ASA because I removed the inspection from the default policy and it worked fine. What is the ASA possibly doing to the packet? What would be the best workaround here, because I would like the ASA to inspect esmtp packets? I currently inserted a class-map into the policy that inspects inbound-only esmtp packets, and that works. Is it bad practice not to inspect the outbound packets?
Just to let you know, we've encountered a problem with the fixup running 7.2.1(20). The bug id is CSCsg52277 and there is currently no fix for it.
As far as telnet on port 25 goes, I believe the fixup does not like the fact that when you are telnetting, more than 1 packet is received for each letter making up a command, as opposed to sending a whole command in one packet.
Thanks for the update. This helps and explains a lot. Although it doesn't happen if I try telnetting on port 25 to, say, Yahoo. Just Nauticom. Would this be the way that Nauticom is responding back to the "ehlo" command?
The doc mentions something about unknown commands - this is from the 7.2 command reference (check the last few lines)
"SMTP server responds to client requests with numeric reply codes and optional human readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
Monitors the SMTP command-response sequence.
Generates an audit trail. Audit record 108002 is generated when an invalid character embedded in the mail address is replaced. For more information, see RFC 821.
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
Incorrect command termination (not terminated with ).
If the PIPE signature is found as a parameter to a MAIL from or RCPT to command, the session is closed. It is not configurable by the user.
Unexpected transition by the SMTP server.
For unknown commands, the security appliance changes all the characters in the packet to X. In this case, the server will generate an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted. "
Now why it's an unknown command I'm not quite sure. Have you tried an actual mail client versus telnet?
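A small diagnostic, added here and not part of the thread, that sends EHLO to a mail server as a single write (so the one-packet-per-keystroke behaviour of telnet mentioned above is ruled out) and checks whether the error reply echoes a run of X's, which is the signature of the inspection engine rewriting a command it did not recognise; the host names are placeholders.

```python
import re
import socket

def _reply_complete(buf: bytes) -> bool:
    """True once buf holds a full SMTP reply: last line is 'NNN text' (space, not '-')."""
    if not buf.endswith(b"\r\n"):
        return False
    last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
    return len(last) == 3 or (len(last) >= 4 and last[3:4] == b" ")

def read_reply(sock: socket.socket) -> str:
    """Read one (possibly multi-line) SMTP reply from the socket."""
    buf = b""
    while not _reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:          # peer closed before a complete reply
            break
        buf += chunk
    return buf.decode("ascii", "replace")

def classify_reply(reply: str, command: str) -> str:
    """'accepted' (2xx), 'rewritten' (error text shows a run of X's where the verb
    should be, i.e. the command bytes were replaced in transit), or 'rejected'
    (the server itself refused the verb)."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines:
        return "no-reply"
    if lines[0][:1] == "2":
        return "accepted"
    verb = command.split()[0].upper()
    if verb not in reply.upper() and re.search(r"\b[Xx]{3,}\b", reply):
        return "rewritten"
    return "rejected"

def ehlo_probe(host: str, port: int = 25, helo_name: str = "probe.example.org"):
    """Connect, read the 220 banner, send EHLO as ONE segment, return (verdict, reply).
    helo_name and any host passed in are placeholders, not real systems."""
    command = f"EHLO {helo_name}\r\n"
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.settimeout(10)
        read_reply(sock)                           # banner
        sock.sendall(command.encode("ascii"))      # whole command in one write
        reply = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return classify_reply(reply, command), reply
```

Run `ehlo_probe("mail.example.org")` from inside the ASA and again from outside it; "rewritten" only on the inside path confirms the inspection engine, not the remote server, is the cause.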