cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2629
Views
0
Helpful
12
Replies

Cisco ASA 5510, telnet to outside mx 587 doesn't work, no inspection for esmtp configured

Hi there

I can't telnet from a host(Ubuntu 12.10) in our DMZ to an outside MX on port TCP 587.

Inspection for ESMTP not enabled. Port 587 enabled for host in DMZ to any.

Anyone has an idea why ?

Best Regards

David                  

1 Accepted Solution

Accepted Solutions

Hello,

Actually looks like the server does not reply on that port, so it does not look like an ASA or ISP issue... We only see the SYN packet.

The capture is confusing to be honest with you.

Do the following using the CLI!

capture dmz interface dmz match tcp host 192.168.221.71 host 80.74.140.62 eq 587

capture out interface out match tcp host outside_ip_192.168 host 80.73.140.62 31 587

cap asp type asp-drop all circular-buffer

Where outside_ip_192.168 is the global nat ip address the dmz subnet is using on the internet.

After you create the traffic, try to connect and provide

sho cap dmz

sho cap out

sho cap asp | include 80.73.140.62.31

I will provide you the answer afterwards

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

12 Replies 12

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

In this situation your best bet is to

  • Look at realtime log messages on ASDM using the source IP address as filter for example (And provide those logs here)
  • Capture traffic on the interface(s)
  • Do "packet-tracer" for the traffic your trying to simulate (And provide the output here)
    • packet-tracer input

- Jouni

Hi Jouni

- Realtime logs don't show anything.(Debugging mode)

- Packet-tracert shows packet is allowed.

But i don't get through.  If I telnet to port 465, that works without problems, but 587 doesn't work.

If i do a telnet on another internetline where the firewall isn't an ASA, the telnet to Port 587 works.

Could it be that the inspection of WAAS traffic (Port 1-65536) is blocking it ?

Is there something special with ASA and Telnet (from Windows and Linux) ?

Best Regards

David

Julio Carvajal
VIP Alumni
VIP Alumni

Hello David,

Is there something special with ASA and Telnet (from Windows and Linux) ? Not at all.

I would recommend you to run a capture

capture capout  interface outside match tcp host outside_ip  host public_mx_server_ip

capture capin interface inside match tcp host outside_ip host private_mx_server_ip

Now try to connect and then check what happens with the data being exchanged?

show cap capin

show cap capout

Do you see the same packets on both interface ( same amount of packets,etc)

Does the 3 way handshake ocurs?

Regards,

Julio

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

if u see packet going out from the firewall , then do a "netstat" under cmd and check wheather 587 is open or not or if anyone else is able to establish on 587 port with that pc.

Hi Julio

I did a capture. On the Ingress i did see the traffic, but on the engress i did not see any traffic.

I will ask now the provider if they block that port.

Best Regards

David

Hello David,

What do you mean by:

I did a capture. On the Ingress i did see the traffic, but on the engress i did not see any traffic.

Do you mean you see the traffic on the outside interface but not on the Inside interface?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

I did a capture with ASDM according to the following link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Yes on the ingress the captured traffice is below and on the egress the packet capturing didn't show any

traffic.

The capture below shows that a connection to port 465 works, but to port 587 it doesn't.

Below the capture

18 packets captured

   1: 07:55:59.208958 192.168.221.71.33194 > 80.74.140.62.465: S 3173494280:3173494280(0) win 14600
   2: 07:55:59.211979 80.74.140.62.465 > 192.168.221.71.33194: S 2298408664:2298408664(0) ack 3173494281 win 5792
   3: 07:55:59.212131 192.168.221.71.33194 > 80.74.140.62.465: . ack 2298408665 win 115
   4: 07:56:01.583984 192.168.221.71.33194 > 80.74.140.62.465: P 3173494281:3173494287(6) ack 2298408665 win 115
   5: 07:56:01.586532 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494287 win 5792
   6: 07:56:01.712975 192.168.221.71.33194 > 80.74.140.62.465: P 3173494287:3173494289(2) ack 2298408665 win 115
   7: 07:56:01.715508 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494289 win 5792
   8: 07:56:01.853532 192.168.221.71.33194 > 80.74.140.62.465: P 3173494289:3173494291(2) ack 2298408665 win 115
   9: 07:56:01.856126 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494291 win 5792
  10: 07:56:04.375209 192.168.221.71.33194 > 80.74.140.62.465: P 3173494291:3173494297(6) ack 2298408665 win 115
  11: 07:56:04.377727 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494297 win 5792
  12: 07:56:04.379802 80.74.140.62.465 > 192.168.221.71.33194: P 2298408665:2298408770(105) ack 3173494297 win 5792
  13: 07:56:04.379969 80.74.140.62.465 > 192.168.221.71.33194: R 2298408770:2298408770(0) ack 3173494297 win 5792
  14: 07:56:04.380000 192.168.221.71.33194 > 80.74.140.62.465: . ack 2298408770 win 115
  15: 07:56:07.052716 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
  16: 07:56:08.049100 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
  17: 07:56:10.053204 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
  18: 07:56:14.061398 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
18 packets shown

Best Regards

David

Hello David,

Check the Reset packet:

  13: 07:56:04.379969 80.74.140.62.465 > 192.168.221.71.33194: R 2298408770:2298408770(0) ack 3173494297 win 5792

Looks like the host 80.74 is closing the connection!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

Yes but the reset belongs to the telnet to Port 465 and that works. From Port 587 i don't even

get a reset. I'm in contact now with our provider who says that they don't block any port, but

also can't telnet to Port 587 from a router in front of the ASA, very strange. I will update the

post as soon as i have the resolution.

Best Regards

David

Hello,

Actually looks like the server does not reply on that port, so it does not look like an ASA or ISP issue... We only see the SYN packet.

The capture is confusing to be honest with you.

Do the following using the CLI!

capture dmz interface dmz match tcp host 192.168.221.71 host 80.74.140.62 eq 587

capture out interface out match tcp host outside_ip_192.168 host 80.73.140.62 31 587

cap asp type asp-drop all circular-buffer

Where outside_ip_192.168 is the global nat ip address the dmz subnet is using on the internet.

After you create the traffic, try to connect and provide

sho cap dmz

sho cap out

sho cap asp | include 80.73.140.62.31

I will provide you the answer afterwards

Remember to rate all of the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Together

After doing more reasearch with our ISP and on port 587, it seems that the port is not really listening.

Earlier telnet tests to this port over other firewalls/internet lines have shown now with tcpview that the

virusscanner has redirected telnet sessions to port 465.

So no ASA issue at all.

Thanks to all for the answers.

Best Regards

David

Hello David,

Glad to know that I could help,

Please rate all of the answers ( If you do not know how just go to the stars at the bottom of each reply and mark the  5 stars ( 1 being a bad answer, 5 being a good answer)

Also mark the question as answered as you are the only one able to do that,

Regards.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: