ASA SMTP capture

nishit.patel
Level 1

Urgent help

Our ISP has blacklisted us due to them receiving lots of SMTP traffic from us.

We need to find out the source of the issue from the inside sending SMTP traffic to outside.

Is there a way to capture SMTP traffic on the ASA, and also who is sending it?

2 Replies

Collin Clark
VIP Alumni

Here's a quick fix you should do first. In your ACL permit your internal mail server to send SMTP and block everyone else. This should go at the top of your ACL.

access-list inside_acl permit tcp host mymailserver any eq smtp

access-list inside_acl deny tcp any any eq smtp log

That will prevent email sourced from anything other than your approved mail server from getting out. Next you can take a look at your logs and see who is getting denied. The logs are generated by the log keyword at the end of ACL line #2.

Hope that helps.
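One way to act on the "see who is getting denied" step above, as an added example that is not part of this thread: a small Python script that tallies the ASA deny-by-ACL syslog messages produced by the log keyword (message ID 106023; its field layout is assumed here) per internal source address, so the host behind the SMTP flood stands out. The log lines are constructed samples; the ACL name inside_acl comes from the reply above.

```python
import re
from collections import Counter

# Shape of the ASA 106023 "Deny ... by access-group" message (assumed format).
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.1.20.77/49152 dst outside:203.0.113.10/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.20.77/49153 dst outside:198.51.100.5/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.30.12/51000 dst outside:203.0.113.25/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.20.77/49154 dst outside:203.0.113.40/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.20.77/49160 (192.0.2.1/49160)
%ASA-4-106023: Deny tcp src inside:10.1.20.77/49155 dst outside:203.0.113.10/80 by access-group "inside_acl" [0x0, 0x0]
"""


def smtp_denies(log_text, acl="inside_acl", port=25):
    """Yield (src_ip, dst_ip) for each connection the given ACL denied toward the SMTP port."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("acl") == acl and int(m.group("dport")) == port:
            yield m.group("src"), m.group("dst")


def rank_senders(log_text, acl="inside_acl", port=25):
    """Return (denied attempts per internal host, distinct destinations per internal host).

    A host with many attempts to many distinct mail servers is the typical
    spam-bot signature; a legitimate relay would have been permitted by line #1.
    """
    attempts = Counter()
    dests = {}
    for src, dst in smtp_denies(log_text, acl, port):
        attempts[src] += 1
        dests.setdefault(src, set()).add(dst)
    return attempts, {s: len(d) for s, d in dests.items()}


if __name__ == "__main__":
    attempts, fanout = rank_senders(SAMPLE_LOG)
    for host, n in attempts.most_common():
        print(f"{host}: {n} denied SMTP attempts to {fanout[host]} distinct destinations")
```

Only denies matching the named ACL on port 25 are counted, so the port 80 deny and the 302013 connection line in the sample are ignored.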

michael_dean
Level 1

You can run a capture on the ASA.

1) Create an ACL to identify the traffic you want to capture

access-list TEST permit tcp any any eq smtp

2) Create the capture statement:

capture MY-CAP access-list TEST interface inside

If you want to see the entire packet you would need to add "packet-length 1522":

capture MY-CAP access-list TEST packet-length 1522 interface inside

You can then do a "show capture MY-CAP" to see the traffic.

If you want to download the capture to a sniffer, you have to do that while the capture is running; you do that from a browser with the URL https://<asa-address>/capture/<capture-name>/pcap

NOTE: This assumes that the interface on your ASA is named "inside"
