ASA-5506x TLS issue

Jack-ITP
Level 1

Installed an ASA-5506x on a client site. When a vendor sends email using TLS, they get "#5.0.0 smtp; 5.4.7 - Delivery expired (message too old) 'TLS Unavailable' (delivery attempts: 0)". Disabled the esmtp fixup protocol with no success. Tried allowing TLS using:

policy-map type inspect esmtp esmtp_map
    parameters
        allow-tls action log
policy-map global_policy
    class inspection_default
        inspect esmtp esmtp_map

 

And then they receive "Remote Server returned '500 5.3.3 Unrecognized command'".

Any idea on what I'm missing? Thanks.

 

7 Replies

jumora1
Level 1

Can you communicate with that service locally? I mean, if you are on the same network, is this service enabled on the server?

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com

We can. The network used to use a Netgear FVS-318 as the firewall, and TLS email came through fine; the only change was replacing the Netgear with the Cisco. All other email flow is normal.

 

Jack

I would need the configuration and, if possible, enable logging on the ASA to check whether something is being blocked.

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com

Here is the config:

 

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname xxxxxx
domain-name xxx.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.21.63.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name xxx.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-172.21.63.11
 host 172.21.63.11
access-list 101 extended permit tcp any object obj-172.21.63.11 eq smtp
access-list 101 extended permit tcp any object obj-172.21.63.11 eq www
access-list 101 extended permit tcp any object obj-172.21.63.11 eq https
access-list 101 extended permit tcp any object obj-172.21.63.11 eq pptp
access-list 101 extended permit gre any any
access-list 101 extended permit tcp any object obj-172.21.63.11 eq 8585
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
object network obj-172.21.63.11
 nat (any,any) static xxx.xxx.xxx.xxx
!
nat (inside,outside) after-auto source dynamic any interface
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 172.21.63.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.21.63.5-172.21.63.254 inside
!
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:866d293a9fbafdf3017c9d528e7e3046
: end

Can you get me logs and captures from when the connection attempt is happening, to see what the firewall shows?

enable
config t
logging asdm debugging

Then go to the Monitoring tab in ASDM and select the real-time logging view.
You can filter on the specific address that you are testing from.

Also, we could set up captures to see if packets go through correctly.

capture out interface outside match ip host X host B
capture in interface inside match ip host X host A

A is the local address of the server
B is the translated address of the server

We can also set up a capture for ASP drops to see if we see anything in particular (the capture type is asp-drop; "all" captures every drop reason):

capture asp type asp-drop all

If you like, we can maybe do a remote session or Skype to see if we can get this resolved together.
Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com

It looks like the remote server establishes a connection:

 

Sep 12 2017 09:52:01 302013 172.21.63.11 47405 12.34.36.36 25 Built outbound TCP connection 2354351 for outside:12.xx.xx.xx/25 (12.xx.xx.xx/25) to inside:172.21.63.11/47405 (96.xx.xx.xx/47405)

 

Then drops it:

6 Sep 12 2017 09:52:04 106015 172.21.63.11 47405 12.xx.xx.xx 25 Deny TCP (no connection) from 172.21.63.11/47405 to 12.xx.xx.xx/25 flags RST  on interface inside

 

With the details showing:

 

%ASA-6-106015

Please run the filter in the ASDM monitoring logging option one more time when you attempt the connection.

Use the filter option, because that "Deny (no connection)" refers to a connection that has already been closed.

I would also suggest trying to establish a telnet session over port 25 to another public mail server to see if you get a response.

telnet test.smtp.org 25

This is the result that you should get:

220 test.smtp.org ESMTP Sendmail 8.16.0.16 ready at Thu, 14 Sep 2017 12:12:31 GMT; see http://test.smtp.org/

If you don't get a response, I would suggest talking to your ISP.

Security Engineer
juanmh8419@gmail.com
Skype: juanmh8419@hotmail.com
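The telnet check above only reads the 220 banner, which is enough to prove that port 25 is reachable but not that TLS will work through the path. The following is an added example, not code from the thread or from Cisco: a Python probe that walks the same path one step further (banner, EHLO, STARTTLS, TLS handshake), so the two symptoms reported in the thread ("TLS Unavailable" when STARTTLS is never offered, and "500 5.3.3 Unrecognized command" when the STARTTLS verb is rejected) can be reproduced by hand from a client. The parsing and verdict logic is offline and testable; the heuristics for an inspecting firewall (a 220 banner reduced to asterisks, an EHLO extension line reduced to X characters) are assumptions about how such a device hides the banner and STARTTLS, not facts established on this page. The host name probe.example.invalid and the sample replies in the comments are constructed.

```python
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Diagnosis:
    banner: str
    extensions: list          # ESMTP keywords seen in the EHLO reply, upper-cased
    starttls_advertised: bool
    banner_obfuscated: bool   # assumption: banner text is all '*' when an inspector hides it
    masked_lines: list        # assumption: extension lines made of only 'X' are masked by an inspector
    verdict: str


def parse_reply(lines):
    """Parse one (possibly multi-line) SMTP reply into (code, [text, ...]).

    Continuation lines look like '250-TEXT'; the last line looks like '250 TEXT'.
    Raises ValueError on malformed input so a garbled path is reported, not ignored.
    """
    code = None
    texts = []
    for line in lines:
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        this_code = int(line[:3])
        if code is not None and this_code != code:
            raise ValueError("mixed reply codes in one reply")
        code = this_code
        texts.append(line[4:].strip())
        if len(line) == 3 or line[3] == " ":
            break
    if code is None:
        raise ValueError("empty reply")
    return code, texts


def diagnose(banner_lines, ehlo_lines):
    """Classify what the banner and EHLO reply say about STARTTLS on this path."""
    bcode, btexts = parse_reply(banner_lines)
    banner = btexts[0] if btexts else ""
    if bcode != 220:
        return Diagnosis(banner, [], False, False, [], "no-smtp-service")
    banner_obfuscated = bool(banner) and set(banner) == {"*"}
    ecode, etexts = parse_reply(ehlo_lines)
    if ecode != 250:
        return Diagnosis(banner, [], False, banner_obfuscated, [], "ehlo-rejected")
    # The first 250 text is the server's greeting; the rest are extension keywords.
    extensions = [t.split()[0].upper() for t in etexts[1:] if t]
    masked = [t for t in etexts[1:] if t and set(t) == {"X"}]
    advertised = "STARTTLS" in extensions
    if advertised:
        verdict = "starttls-advertised"
    elif masked:
        verdict = "starttls-masked-by-inspection"   # assumption about the inspector, see lead-in
    else:
        verdict = "starttls-not-offered"
    return Diagnosis(banner, extensions, advertised, banner_obfuscated, masked, verdict)


def _read_reply(rfile):
    """Read one full SMTP reply (all continuation lines) from a socket file object."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            return lines


def probe(host, port=25, helo_name="probe.example.invalid", timeout=10):
    """Live probe: banner, EHLO, STARTTLS, then a TLS handshake if STARTTLS was accepted."""
    result = {"diagnosis": None, "starttls_reply": None, "tls": "not-attempted"}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = _read_reply(rfile)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = _read_reply(rfile)
        diag = diagnose(banner, ehlo)
        result["diagnosis"] = diag
        if diag.verdict in ("no-smtp-service", "ehlo-rejected"):
            return result
        # Send STARTTLS even if it was not advertised: a '500 ... Unrecognized command'
        # here reproduces the second symptom from the thread; a 220 means the verb got through.
        sock.sendall(b"STARTTLS\r\n")
        reply = _read_reply(rfile)
        result["starttls_reply"] = reply
        if not reply[0].startswith("220"):
            result["tls"] = "starttls-refused"
            return result
        try:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(b"QUIT\r\n")
                result["tls"] = "handshake-ok:%s" % tls.version()
        except ssl.SSLError as exc:   # handshake never completed end to end
            result["tls"] = "handshake-failed:%s" % exc
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "test.smtp.org"))
```

Run it once from inside the network against the internal mail server and once from outside against the translated address; a banner that is readable inside but reduced to asterisks outside, or a STARTTLS keyword that disappears from the EHLO reply only on the outside path, points at the device in between rather than at the mail server.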