New Member

ASA inspection of ESMTP

I'm having a problem with outbound mail connecting to The application inspection on the ASA is doing something to the packet out the door that Nauticom doesn't like. I can telnet to their server on port 25 and try an "ehlo", the server responds with "I don't understand" and it is x's that their server sees. I verified that it's the ASA because I removed the inspection from the default policy and it worked fine. What is the ASA possibly doing to the packet? What would be the best workaround here, because I would like the ASA to inspect esmtp packets? I currently inserted a class-map into the policy that inspects inbound only esmtp packets and that works. Is it bad practice not to inspect the outbound packets?

New Member

Re: ASA inspection of ESMTP

Just to let you know, we've encountered a problem with the fixup running 7.2.1(20). The bug ID is CSCsg52277 and there is currently no fix for it.

As far as telnet on port 25, I believe the fixup does not like the fact that when you are telnetting, more than 1 packet is received for each letter making up a command, as opposed to sending a whole command in one packet.

New Member

Re: ASA inspection of ESMTP

Thanks for the update. This helps and explains a lot. Although it doesn't happen if I try telnetting on port 25 to, say, Yahoo. Just Nauticom. Would this be the way that Nauticom is responding back to the "ehlo" command?


Re: ASA inspection of ESMTP


The doc mentions something about unknown commands - this is from the 7.2 command reference (check the last few lines)

"SMTP server responds to client requests with numeric reply codes and optional human readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:

Restricts SMTP requests to seven basic SMTP commands and eight extended commands.

Monitors the SMTP command-response sequence.

Generates an audit trail. Audit record 108002 is generated when invalid character embedded in the mail address is replaced. For more information, see RFC 821.

SMTP inspection monitors the command and response sequence for the following anomalous signatures:

Truncated commands.

Incorrect command termination (not terminated with ).

If the PIPE signature is found as a parameter to a MAIL from or RCPT to command, the session is closed. It is not configurable by the user.

Unexpected transition by the SMTP server.

For unknown commands, the security appliance changes all the characters in the packet to X. In this case, the server will generate an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted."

Now why it's an unknown command I'm not quite sure. Have you tried an actual mail client versus telnet?
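
Added example (not part of any post in this thread, and not Cisco's code): a simplified Python model of the behaviour the quoted command reference describes, showing why a server behind the inspection sees X's for a command outside the allowed set. The command names come from Cisco's documentation of the fifteen supported commands rather than from the excerpt; treating one payload as one command line, forwarding a mis-terminated line unchanged, and keeping the CRLF when masking are assumptions of the model.

```python
# Seven RFC 821 commands plus eight extended commands (names from Cisco's
# documentation; the excerpt quoted in the thread gives only the counts).
BASIC = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
EXTENDED = {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}
ALLOWED = BASIC | EXTENDED


def inspect_command(payload):
    """Return (bytes forwarded to the server, verdict) for one client payload.

    Simplified model: one payload is one command line; message content
    after DATA is not modelled.
    """
    if not payload.endswith(b"\r\n"):
        # Anomaly listed in the excerpt. The excerpt does not state the
        # action taken, so the model only flags it (assumption).
        return payload, "bad-termination"
    line = payload[:-2]
    verb = line.split(b" ", 1)[0].decode("ascii", "replace").upper()
    if verb in ("MAIL", "RCPT") and b"|" in line:
        # PIPE signature as a parameter to MAIL from / RCPT to.
        return b"", "session-closed"
    if verb in ALLOWED:
        return payload, "allowed"
    # Unknown command: every character becomes X. The length is unchanged,
    # so only the TCP checksum has to be adjusted. Keeping the CRLF is an
    # assumption of this model.
    return b"X" * len(line) + b"\r\n", "masked"


def replay(session):
    """Run a list of client payloads through the model."""
    return [inspect_command(p) for p in session]


# Constructed sample session (not captured traffic). FROB is a made-up verb.
SAMPLE = [
    b"EHLO mail.example.com\r\n",
    b"FROB test\r\n",
    b"MAIL FROM:<a|b@example.com>\r\n",
    b"EHLO mail.example.com",
]

if __name__ == "__main__":
    for sent, (forwarded, verdict) in zip(SAMPLE, replay(SAMPLE)):
        print(f"{sent!r:40} -> {forwarded!r:28} [{verdict}]")
```
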


