topic Re: ASA-5506x TLS issue in Network Security

ASA-5506x TLS issue

Jack-ITP — Fri, 21 Feb 2020 14:17:35 GMT

Installed an ASA-5506x on a client site - when a vendor sends the email using TLS they get < #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) 'TLS Unavailable' (delivery attempts: 0)>'. Disabled the esmtp fixup protocol with no sucess. Tried allowing TLS using:

policy-map type inspect esmtp esmtp_map
    parameters
        allow-tls action log
policy-map global_policy
    class inspection_default
        inspect esmtp esmtp_map

And then they receive "Remote Server returned '500 5.3.3 Unrecognized command'".

Any idea on what I'm missing? Thanks.

Re: ASA-5506x TLS issue

jumora1 — Mon, 11 Sep 2017 17:36:02 GMT

Can you communicate with that service locally? I mean if you are on the same network is this service enabled on the server

Re: ASA-5506x TLS issue

Jack-ITP — Mon, 11 Sep 2017 17:44:47 GMT

We can - the network used to use a Netgear FVS-318 as the firewall and TLS email came through fine, only change was replacing the Netgear with the Cisco. All other email flow is normal.

Jack

Re: ASA-5506x TLS issue

jumora1 — Mon, 11 Sep 2017 18:10:15 GMT

I would need the configuration and if possible enable logging on the ASA to check if there is something being blocked

Re: ASA-5506x TLS issue

Jack-ITP — Mon, 11 Sep 2017 18:23:21 GMT

Here is the config:

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname xxxxxx
domain-name xxx.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xx.xx.xx.xx
255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.21.63.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name xxx.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-172.21.63.11
host 172.21.63.11
access-list 101 extended permit tcp any object obj-172.21.63.11 eq smtp
access-list 101 extended permit tcp any object obj-172.21.63.11 eq www
access-list 101 extended permit tcp any object obj-172.21.63.11 eq https
access-list 101 extended permit tcp any object obj-172.21.63.11 eq pptp
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any object obj-172.21.63.11 eq 8585
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network obj-172.21.63.11
nat (any,any) static xxx.xxx.xxx.xxx
!
nat (inside,outside) after-auto source dynamic any interface
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 172.21.63.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.21.63.5-172.21.63.254 inside
!
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:866d293a9fbafdf3017c9d528e7e3046
: end

Re: ASA-5506x TLS issue

jumora1 — Tue, 12 Sep 2017 11:05:19 GMT

Can you get me logs and captures of when the connection attempt is happening to see what the firewall shows?

Enable
config t
logging asdm debugging

Then you go to monitoring tab over ASDM and then select logging real time.
You can filter from the specific address that you are testing from.

Also we could setup captures to see if packets go through correctly.

capture out interface outside match ip host X host B
capture in interface inside match ip host X host A

A the local address of the server
B the translated address of the server

We can also setup a capture for asp to see if we see anything in particular.

capture asp type asp all

If you like we can maybe do a remote session or skype to see if we can get this resolved together.

Re: ASA-5506x TLS issue

Jack-ITP — Tue, 12 Sep 2017 16:19:10 GMT

It looks like the remote server establishes a connection:

Sep 12 2017 09:52:01 302013 172.21.63.11 47405 12.34.36.36 25 Built outbound TCP connection 2354351 for outside:12.xx.xx.xx/25 (12.xx.xx.xx/25) to inside:172.21.63.11/47405 (96.xx.xx.xx/47405)

Then drops it:

6 Sep 12 2017 09:52:04 106015 172.21.63.11 47405 12.xx.xx.xx 25 Deny TCP (no connection) from 172.21.63.11/47405 to 12.xx.xx.xx/25 flags RST on interface inside

With the details showing:

%ASA-6-106015

Re: ASA-5506x TLS issue

jumora1 — Thu, 14 Sep 2017 12:13:48 GMT

Please run the filter on the ASDM monitoring logging option one more time when you attempt the connection.

Use the filter option because that deny no connection refers to a connection that has already been closed.

I would also suggest to try to establish a telnet session over port 25 to a another public mail server to see if you get a response.

telnet test.smtp.org 25

This is the result that you should get

220 test.smtp.org ESMTP Sendmail 8.16.0.16 ready at Thu, 14 Sep 2017 12:12:31 GMT; see http://test.smtp.org/

If you don't get a response I would suggest to talk to your ISP