ASA inspect esmtp

Andrej Zverev
Level 1

Hello, I have an ASA 5520 with Cisco Adaptive Security Appliance Software Version 8.2(5)41 (the latest 8.2 interim).

I found that one SMTP server (on the customer side) can't send mail to our SMTP server via the ASA.

In the logs I see the following:

Apr 18 2013 19:27:29 asa5520 : %ASA-7-609001: Built local-host outside:80.66.94.202
Apr 18 2013 19:27:29 asa5520 : %ASA-6-302013: Built inbound TCP connection 183339271 for outside:80.66.94.202/25437 (80.66.94.202/25437) to inside:91.223.93.133/25 (91.223.93.133/25)
Apr 18 2013 19:27:30 asa5520 : %ASA-4-507003: tcp flow from outside:80.66.94.202/25437 to inside:91.223.93.133/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
Apr 18 2013 19:27:30 asa5520 : %ASA-6-302014: Teardown TCP connection 183339271 for outside:80.66.94.202/25437 to inside:91.223.93.133/25 duration 0:00:00 bytes 311 Flow closed by inspection
Apr 18 2013 19:27:30 asa5520 : %ASA-7-609002: Teardown local-host outside:80.66.94.202 duration 0:00:00
Apr 18 2013 19:27:30 asa5520 : %ASA-7-609001: Built local-host outside:80.66.94.202
Apr 18 2013 19:27:30 asa5520 : %ASA-6-106015: Deny TCP (no connection) from 80.66.94.202/25437 to 91.223.93.133/25 flags ACK  on interface outside

No reason is given why the inspection engine dropped it. If I disable inspect esmtp, everything works fine.

I tried to capture asp-drops, but there is no information.

I tried debug esmtp 255, but without a proper decoder it's useless.

I tried capturing traffic from the interface, but I can't tell what exactly is wrong or how to tune the ASA settings for this.

I looked through the TAC bugs with no luck.

My policy map for esmtp:

policy-map type inspect esmtp custom_esmtp_map
 parameters
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask

Well, the question is how to understand the reason for the drop? The workaround is to disable inspect esmtp.

Please, help :-)
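As an added example (not from the post or from Cisco), a small Python script that joins the three syslog messages above by connection id and 4-tuple, so the flows terminated by the esmtp inspector can be listed with their reason and counted per source instead of being picked out by eye. The log sample is constructed from the lines in the post (month "Apr" assumed) plus one made-up, unaffected connection from 10.0.0.5.

```python
import re
from collections import Counter

# Constructed sample: the syslog lines quoted in the post (month "Apr" assumed)
# plus one made-up connection (10.0.0.5) that the inspector left alone.
SAMPLE_LOG = """\
Apr 18 2013 19:27:29 asa5520 : %ASA-6-302013: Built inbound TCP connection 183339271 for outside:80.66.94.202/25437 (80.66.94.202/25437) to inside:91.223.93.133/25 (91.223.93.133/25)
Apr 18 2013 19:27:30 asa5520 : %ASA-4-507003: tcp flow from outside:80.66.94.202/25437 to inside:91.223.93.133/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
Apr 18 2013 19:27:30 asa5520 : %ASA-6-302014: Teardown TCP connection 183339271 for outside:80.66.94.202/25437 to inside:91.223.93.133/25 duration 0:00:00 bytes 311 Flow closed by inspection
Apr 18 2013 19:27:41 asa5520 : %ASA-6-302013: Built inbound TCP connection 183339280 for outside:10.0.0.5/40112 (10.0.0.5/40112) to inside:91.223.93.133/25 (91.223.93.133/25)
Apr 18 2013 19:27:43 asa5520 : %ASA-6-302014: Teardown TCP connection 183339280 for outside:10.0.0.5/40112 to inside:91.223.93.133/25 duration 0:00:02 bytes 4120 TCP FINs
"""

FLOW = r"(\w+):([\d.]+)/(\d+)"  # interface:ip/port as printed by the ASA
BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection (\d+) for " + FLOW + r" \([^)]*\) to " + FLOW)
TERM = re.compile(r"%ASA-4-507003: tcp flow from " + FLOW + r" to " + FLOW + r" terminated by inspection engine, reason - (.*?)\.?$")
DOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for " + FLOW + r" to " + FLOW + r" duration (\S+) bytes (\d+) (.*)$")


def inspection_drops(log_text):
    """One record per TCP connection the inspection engine terminated.

    302013 (build) and 302014 (teardown) share a connection id; 507003 carries
    only the 4-tuple, so it is joined to the open connection by that tuple."""
    open_conns = {}  # (src_ip, src_port, dst_ip, dst_port) -> record
    drops = []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            cid, _, sip, sport, _, dip, dport = m.groups()
            open_conns[(sip, sport, dip, dport)] = {
                "conn_id": cid, "src": f"{sip}/{sport}", "dst": f"{dip}/{dport}", "reason": None}
        elif m := TERM.search(line):
            _, sip, sport, _, dip, dport, reason = m.groups()
            if rec := open_conns.get((sip, sport, dip, dport)):
                rec["reason"] = reason
        elif m := DOWN.search(line):
            cid, _, sip, sport, _, dip, dport, duration, nbytes, why = m.groups()
            rec = open_conns.pop((sip, sport, dip, dport), None)
            if rec and rec["conn_id"] == cid and rec["reason"]:
                rec.update(duration=duration, bytes=int(nbytes), teardown=why)
                drops.append(rec)
    return drops


def drops_by_source(drops):
    """Count inspector-terminated connections per source IP, to see whether one
    peer (as in the post) is the only one tripping the esmtp policy."""
    return Counter(rec["src"].split("/")[0] for rec in drops)
```

Feeding a longer `show logging` export through `inspection_drops` shows whether the terminations are confined to one peer, which is the information to have in hand before relaxing or disabling the esmtp policy.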

1 Reply

Julio Carvajal
VIP Alumni

Hello Andrej,

Well, you have played with your SMTP policy, so any SMTP connection that does not conform to the policies you have set and the RFC (as we do a reinforcement here)

So my recommendation is to:

do a debug esmtp 255

I know the debug output is not that clear, so you can open a TAC with us for that.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC