10-29-2012 02:22 AM - edited 03-11-2019 05:15 PM
Hi there
I can't telnet from a host (Ubuntu 12.10) in our DMZ to an outside MX on TCP port 587.
Inspection for ESMTP is not enabled. Port 587 is enabled for the host in the DMZ to any.
Does anyone have an idea why?
Best Regards
David
10-29-2012 02:33 AM
Hi,
In this situation your best bet is to
- Jouni
10-29-2012 08:16 AM
Hi Jouni
- Realtime logs don't show anything (debugging mode).
- Packet-tracer shows the packet is allowed.
But I don't get through. If I telnet to port 465, that works without problems, but 587 doesn't work.
If I do a telnet on another internet line where the firewall isn't an ASA, the telnet to port 587 works.
Could it be that the inspection of WAAS traffic (port 1-65536) is blocking it?
Is there something special with ASA and Telnet (from Windows and Linux)?
Best Regards
David
10-29-2012 09:46 AM
Hello David,
Is there something special with ASA and Telnet (from Windows and Linux) ? Not at all.
I would recommend that you run a capture:
capture capout interface outside match tcp host outside_ip host public_mx_server_ip
capture capin interface inside match tcp host outside_ip host private_mx_server_ip
Now try to connect and then check what happens with the data being exchanged:
show cap capin
show cap capout
Do you see the same packets on both interfaces (same amount of packets, etc.)?
Does the 3-way handshake occur?
Regards,
Julio
Remember to rate all of the helpful posts
10-30-2012 02:05 AM
If you see the packet going out from the firewall, then do a "netstat" under cmd and check whether 587 is open or not, or if anyone else is able to establish a connection on port 587 with that PC.
10-30-2012 07:46 AM
Hi Julio
I did a capture. On the ingress I did see the traffic, but on the egress I did not see any traffic.
I will now ask the provider if they block that port.
Best Regards
David
10-30-2012 10:09 AM
Hello David,
What do you mean by:
I did a capture. On the ingress I did see the traffic, but on the egress I did not see any traffic.
Do you mean you see the traffic on the outside interface but not on the inside interface?
Regards,
10-31-2012 12:06 AM
Hi Julio
I did a capture with ASDM according to the following link:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Yes, on the ingress the captured traffic is below, and on the egress the packet capture didn't show any traffic.
The capture below shows that a connection to port 465 works, but to port 587 it doesn't.
Below is the capture:
18 packets captured
1: 07:55:59.208958 192.168.221.71.33194 > 80.74.140.62.465: S 3173494280:3173494280(0) win 14600
2: 07:55:59.211979 80.74.140.62.465 > 192.168.221.71.33194: S 2298408664:2298408664(0) ack 3173494281 win 5792
3: 07:55:59.212131 192.168.221.71.33194 > 80.74.140.62.465: . ack 2298408665 win 115
4: 07:56:01.583984 192.168.221.71.33194 > 80.74.140.62.465: P 3173494281:3173494287(6) ack 2298408665 win 115
5: 07:56:01.586532 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494287 win 5792
6: 07:56:01.712975 192.168.221.71.33194 > 80.74.140.62.465: P 3173494287:3173494289(2) ack 2298408665 win 115
7: 07:56:01.715508 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494289 win 5792
8: 07:56:01.853532 192.168.221.71.33194 > 80.74.140.62.465: P 3173494289:3173494291(2) ack 2298408665 win 115
9: 07:56:01.856126 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494291 win 5792
10: 07:56:04.375209 192.168.221.71.33194 > 80.74.140.62.465: P 3173494291:3173494297(6) ack 2298408665 win 115
11: 07:56:04.377727 80.74.140.62.465 > 192.168.221.71.33194: . ack 3173494297 win 5792
12: 07:56:04.379802 80.74.140.62.465 > 192.168.221.71.33194: P 2298408665:2298408770(105) ack 3173494297 win 5792
13: 07:56:04.379969 80.74.140.62.465 > 192.168.221.71.33194: R 2298408770:2298408770(0) ack 3173494297 win 5792
14: 07:56:04.380000 192.168.221.71.33194 > 80.74.140.62.465: . ack 2298408770 win 115
15: 07:56:07.052716 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
16: 07:56:08.049100 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
17: 07:56:10.053204 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
18: 07:56:14.061398 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
18 packets shown
Best Regards
David
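As an added example (not code from the thread or from Cisco), here is a small Python parser for the ASA "show capture" line format David quoted above. It groups the packets into flows and reports, per flow, whether the 3-way handshake completed, which is the check Julio asks for. The sample input is a constructed subset of the capture above; applying it to an ingress and an egress capture separately shows where the SYNs stop being answered.

```python
import re

# Constructed sample: a subset of the "show capture" lines David quoted above.
CAPTURE = """\
1: 07:55:59.208958 192.168.221.71.33194 > 80.74.140.62.465: S 3173494280:3173494280(0) win 14600
2: 07:55:59.211979 80.74.140.62.465 > 192.168.221.71.33194: S 2298408664:2298408664(0) ack 3173494281 win 5792
3: 07:55:59.212131 192.168.221.71.33194 > 80.74.140.62.465: . ack 2298408665 win 115
13: 07:56:04.379969 80.74.140.62.465 > 192.168.221.71.33194: R 2298408770:2298408770(0) ack 3173494297 win 5792
15: 07:56:07.052716 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
16: 07:56:08.049100 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
17: 07:56:10.053204 192.168.221.71.42608 > 80.74.140.62.587: S 793019550:793019550(0) win 14600
"""

# One ASA capture line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFRPU.]+)(?P<rest>.*)$")

def parse_capture(text):
    """Yield (src, sport, dst, dport, flags, has_ack); header/footer lines are skipped."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"], " ack " in m["rest"]

def classify_flows(text):
    """Group packets by (client, cport, server, sport) and track each flow's handshake state."""
    flows = {}
    for src, sport, dst, dport, flags, has_ack in parse_capture(text):
        # A flow's first packet is the client's SYN, so 'fwd' orientation is client->server.
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key, from_client = (rev, False) if rev in flows else (fwd, True)
        st = flows.setdefault(key, {"syn": 0, "synack": False, "ack": False, "rst": False})
        if "S" in flags and not has_ack:
            st["syn"] += 1                      # pure SYN; a repeat is a retransmission
        elif "S" in flags and not from_client:
            st["synack"] = True                 # server answered with SYN/ACK
        elif "R" in flags:
            st["rst"] = True                    # reset by either side
        elif from_client and has_ack and st["synack"]:
            st["ack"] = True                    # client's final ACK: handshake complete
    return flows

def verdict(st):
    """Answer the question Julio asks above: did the 3-way handshake occur?"""
    if st["synack"] and st["ack"]:
        return "handshake completed" + (", reset later" if st["rst"] else "")
    if st["syn"] > 1 and not st["synack"]:
        return "no reply to %d SYNs: server silent or path filtered" % st["syn"]
    return "refused: reset without handshake" if st["rst"] else "incomplete"

def summarize(text):
    return {key: verdict(st) for key, st in classify_flows(text).items()}
```

For the sample above the port 465 flow reports a completed handshake (later reset by the server, as Julio noted), while the port 587 flow shows three unanswered SYNs.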
10-31-2012 10:38 AM
Hello David,
Check the Reset packet:
13: 07:56:04.379969 80.74.140.62.465 > 192.168.221.71.33194: R 2298408770:2298408770(0) ack 3173494297 win 5792
Looks like the host 80.74 is closing the connection!
10-31-2012 10:50 PM
Hi Julio
Yes, but the reset belongs to the telnet to port 465, and that works. From port 587 I don't even get a reset. I'm in contact now with our provider, who says that they don't block any port, but they also can't telnet to port 587 from a router in front of the ASA, very strange. I will update the post as soon as I have the resolution.
Best Regards
David
10-31-2012 11:09 PM
Hello,
Actually, it looks like the server does not reply on that port, so it does not look like an ASA or ISP issue... We only see the SYN packet.
The capture is confusing to be honest with you.
Do the following using the CLI!
capture dmz interface dmz match tcp host 192.168.221.71 host 80.74.140.62 eq 587
capture out interface outside match tcp host outside_ip_192.168 host 80.74.140.62 eq 587
cap asp type asp-drop all circular-buffer
Where outside_ip_192.168 is the global NAT IP address the DMZ subnet is using on the Internet.
After you create the traffic, try to connect and provide
sho cap dmz
sho cap out
sho cap asp | include 80.74.140.62.587
I will provide you the answer afterwards
Remember to rate all of the helpful posts
Julio
11-07-2012 05:14 AM
Hello Together
After doing more research with our ISP and on port 587, it seems that the port is not really listening.
Earlier telnet tests to this port over other firewalls/internet lines have now shown, with TCPView, that the virus scanner redirected telnet sessions to port 465.
So no ASA issue at all.
Thanks to all for the answers.
Best Regards
David
11-07-2012 09:37 AM
Hello David,
Glad to know that I could help,
Please rate all of the answers (if you do not know how, just go to the stars at the bottom of each reply and mark the 5 stars; 1 being a bad answer, 5 being a good answer).
Also mark the question as answered, as you are the only one able to do that.
Regards.
Julio