SMTP Inspection coming through all XXXXX

jameswhitlock1
Level 1

I have a fingerprint scanner that emails the record to a central processing facility. The traffic goes out of my workstation, through a Cisco 1800, then through the ASA. The receiver reports that the received traffic is all "XXXXXX". 

I've narrowed it down to smtp inspection per: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113423-asa-esmtp-smtp-inspection.html

I don't have inspection enabled. Do I need to enable it? Please help!

 

Cisco 1800

Current configuration : 3329 bytes
!
version 12.4

!
!
ip ssh version 2
!
!
interface FastEthernet0/0
 ip address x.x.40.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.37.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 switchport mode trunk
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address x.x.11.1 255.255.255.0
!
interface Vlan172
 ip address x.x.16.1 255.255.255.0
 ip access-group 100 in
!
ip route 0.0.0.0 0.0.0.0 x.x.40.4
ip route 162.143.0.0 255.255.0.0 x.x.37.4
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 deny   ip x.x.16.0 0.0.0.255 x.x.11.0 0.0.0.255
access-list 100 deny   ip x.x.16.0 0.0.0.255 x.x.37.0 0.0.0.255
access-list 100 remark Deny Guest VLAN to private VLANs
access-list 100 deny   ip x.x.16.0 0.0.0.255 162.143.0.0 0.0.255.255
access-list 100 permit ip x.x.16.0 0.0.0.255 any
snmp-server community xxxxxx RO
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 password Wind123!!
 login local
 transport input ssh
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end

 

ASA:
 

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(2) 
!
hostname WPD-INTERNET-FW
!
interface Vlan10
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan20
 nameif inside
 security-level 100
 ip address x.x.40.4 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 switchport access vlan 20
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa802-k8.bin
boot system disk0:/asa724-k8bin
no ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxxxxx
same-security-traffic permit inter-interface
access-list SMTP_IN extended permit tcp any eq smtp any 
access-list outbound extended permit tcp host x.x.11.116 any eq smtp 
access-list outbound extended deny tcp any any eq smtp 
access-list outbound extended permit ip any any 
access-list inside_nat0_outbound extended permit ip any x.x.40.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN x.x.40.100-x.x.40.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 x.x.16.0 255.255.255.0
nat (inside) 10 x.x.11.0 255.255.255.0
nat (inside) 10 x.x.40.0 255.255.255.0
route inside x.x.16.0 255.255.255.0 x.x.40.2 1
route inside x.x.11.0 255.255.255.0 x.x.40.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http x.x.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.11.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
  inspect http 
policy-map inspect
!
service-policy global_policy global
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value x.x.11.10
 vpn-tunnel-protocol IPSec 
 default-domain value xxxxx.local
username xxxxx password xxxxx encrypted privilege 15
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
 address-pool VPN
 default-group-policy CiscoVPN
tunnel-group CiscoVPN ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:xxxxxxx
: end

Some info redacted, of course. 

Here is the response on the receiving end:

Protocol SMTP interface CJNET (IP x.x.x.x) on incoming connection from sender IP (x.x.x.x). Revers DNS host None verified no. 

(ICID 7481238) ACCEPT sender group Verified match sbrs(none) SBRS None

(ICID 7481238) Unkown command: XXXXXXXX. 

That last line with XXXXXXX is actual, non-redacted text. 

4 Replies

Benjamin Crites
Level 1

On your ASA try:

 

policy-map global_policy
 class inspection_default
  inspect SMTP
  inspect ESMTP

I have this problem as well. 

At the moment, I only discovered this in relation to Windows 8 OS as the SMTP client.

Emulating the SMTP dialog using a telnet session, I've been able to capture the difference between a Linux (where it's working) and a Windows 8 (where it doesn't work).

Under Linux, the complete line typed into telnet is being sent to the server through the ASA in one packet. 

Under Windows 8, 1-2 characters are sent in separate packets through the ASA which have to be reassembled. 

I have the inspection enabled with default parameters. I guess the inspection engine has an issue if the SMTP command is split over multiple packets.
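The split-command behaviour described above can be reproduced offline with a small model. This is an added illustration, not code from the thread or from Cisco: it contrasts a naive inspector that judges every TCP segment as a complete command with one that reassembles the byte stream to CRLF first. The segment lists, the verb table and the X-masking rule are constructed to mimic the symptom in the thread, not the ASA engine's real logic.

```python
# Constructed sample segments: the same EHLO line as a Linux client sends it
# (one TCP segment) and as the Windows 8 client in the thread sends it
# (1-2 bytes per segment). Illustrative data, not captured traffic.
LINUX_SEGMENTS = [b"EHLO client.example\r\n"]
WINDOWS_SEGMENTS = [b"EH", b"LO", b" c", b"li", b"en", b"t.", b"ex",
                    b"am", b"pl", b"e\r", b"\n"]

# Hypothetical verb table for the model inspector.
KNOWN_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
               "NOOP", "QUIT", "STARTTLS"}


def _verb(line: bytes) -> str:
    """First whitespace-delimited token of a command line, upper-cased."""
    return line.split(b" ", 1)[0].strip(b"\r\n").decode("ascii", "replace").upper()


def mask_unknown(line: bytes) -> bytes:
    """Replace an unrecognised command with X's, keeping any trailing CR/LF.
    Hypothetical masking rule modelled on the 'XXXXXXXX' seen by the receiver."""
    body = line.rstrip(b"\r\n")
    tail = line[len(body):]
    return line if _verb(body) in KNOWN_VERBS else b"X" * len(body) + tail


def inspect_per_segment(segments):
    """Naive inspector: classifies each TCP segment as if it were a whole command.
    A command spread over several segments never matches a known verb."""
    return b"".join(mask_unknown(seg) for seg in segments)


def inspect_reassembled(segments):
    """Stream-aware inspector: buffers bytes until CRLF, then classifies whole
    lines. Returns (inspected_output, unjudged_remainder); bytes after the
    last CRLF are held back rather than classified prematurely."""
    rest = b"".join(segments)
    out = []
    while b"\r\n" in rest:
        line, rest = rest.split(b"\r\n", 1)
        out.append(mask_unknown(line + b"\r\n"))
    return b"".join(out), rest


if __name__ == "__main__":
    for name, segs in (("linux", LINUX_SEGMENTS), ("windows8", WINDOWS_SEGMENTS)):
        print(name, "per-segment :", inspect_per_segment(segs))
        print(name, "reassembled :", inspect_reassembled(segs)[0])
```

Run it and the per-segment path turns the Windows 8 EHLO into a line of X's while the reassembled path passes both clients' traffic unchanged.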

This discussion has been reposted from Additional Communities to the Email Security community.

Just to make sure you are aware. IF you enable "inspect ESMTP" then TLS will not work for the ESA. Inspect ESMTP on ASA does not allow the STARTTLS command without additional configuration therefore any incoming email will never be able to establish a TLS session to the Email Security Appliance. Best practice is to disable inspect SMTP/ESMTP on ASA and let the ESA handle TLS communications.

 

http://www.cisco.com/web/about/security/intelligence/asa_esmtp_starttls.html

 

Note this has changed from earlier versions of ASA where STARTTLS was not supported. Please check your version of ASA code before making any changes.

 

Tom