03-07-2013 03:11 AM - edited 03-11-2019 06:10 PM
Hi,
We have in our company a Cisco ASA 5510 v8.4(3), ASDM 6.4(7) and an SSM-CSC-10-K9. The firewall is in transparent mode. I have an Exchange 2003 SP2 server behind it. When users try to send mailing lists with many recipients (above 300), the Exchange server doesn't send these mails. I'm pretty sure that this problem comes from the ASA firewall, because when I plug my server directly into my Internet connection, the mailing list is sent. I've searched on the web and disabled "ESMTP Inspection", but it didn't work.
Here is my running config:
ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
domain-name *****.com
enable password ****** encrypted
passwd ***** encrypted
names
!
interface Ethernet0/0
 nameif INTERNET
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif LAN
 bridge-group 1
 security-level 100
!
interface Ethernet0/2
 nameif EKNPC06
 bridge-group 1
 security-level 100
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
interface BVI1
 ip address 192.168.16.2 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name eikonlogistics.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list global_access extended permit tcp any any eq smtp
access-list global_access extended permit tcp any any eq www
access-list global_access extended permit ip any any
access-list global_access extended permit tcp any any eq pop3 inactive
access-list global_access extended permit tcp any any eq https
access-list global_access extended permit udp any any eq domain
access-list global_access extended permit object-group TCPUDP any any eq domain
access-list global_access extended permit tcp any any
access-list global_access extended permit icmp any any
access-list global_mpc remark Scan Pop3 en sortie
access-list global_mpc extended permit tcp any any eq pop3
access-list global_mpc_1 extended permit tcp any any eq smtp
pager lines 40
logging enable
logging asdm informational
logging facility 16
mtu INTERNET 1500
mtu LAN 1500
mtu EKNPC06 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 LAN
http 192.168.16.0 255.255.255.0 INTERNET
http authentication-certificate INTERNET
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.16.0 255.255.255.0 INTERNET
ssh 192.168.16.0 255.255.255.0 LAN
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username sshuser password ************ encrypted privilege 15
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map csc-acl
class-map global-class1
 match access-list global_mpc_1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class global-class
  csc fail-open
 class global-class1
  csc fail-open
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:***********
: end
Any advice would be appreciated.
Regards
03-09-2013 01:52 PM
You mentioned that you're using the CSC module, which, amongst other things, also inspects SMTP traffic. I would suggest verifying the settings there, or temporarily removing the traffic redirection to the module in your policy map to verify if that is the cause of your issues.
03-11-2013 01:08 AM
OK, I'll give it a try ASAP.
Thank you!
03-13-2013 01:35 AM
I've turned off the redirection to the CSC-SSM module. My outgoing mailing list is still blocked. Am I missing something (all mails with a few recipients are sent successfully)?
04-11-2013 05:56 AM
I've switched my config to routed mode and disabled ESMTP inspection; it's working fine now...
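Added example (not part of the original thread and not Cisco tooling): a small Python check, run over a constructed excerpt of the configuration posted above, that lists which service-policy actions still handle SMTP traffic, which is what the reply about the CSC redirection suggests verifying. The function name `smtp_actions` and the excerpt are assumptions made for illustration.

```python
import re

# Constructed excerpt: only the SMTP-relevant lines of the posted running config.
SAMPLE_CONFIG = """\
access-list global_mpc extended permit tcp any any eq pop3
access-list global_mpc_1 extended permit tcp any any eq smtp
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc_1
policy-map global_policy
 class global-class
  csc fail-open
 class global-class1
  csc fail-open
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def smtp_actions(config):
    """Return [(policy class, action)] for each policy action that sees SMTP."""
    smtp_acls, class_acl, hits = set(), {}, []
    class_map = policy_class = None
    for raw in config.splitlines():
        line = raw.strip()
        # ACEs flagged 'inactive' do not end in 'eq smtp', so they are skipped.
        acl = re.match(r"access-list (\S+) extended permit tcp .* eq smtp$", line)
        if acl:
            smtp_acls.add(acl.group(1))
        elif line.startswith("class-map "):
            class_map, policy_class = line.split()[-1], None
        elif line.startswith(("policy-map ", "service-policy ")):
            class_map = policy_class = None
        elif line.startswith("match access-list ") and class_map:
            class_acl[class_map] = line.split()[-1]
        elif line.startswith("class "):
            policy_class = line.split()[1]
        elif policy_class and line.startswith("csc "):
            if class_acl.get(policy_class) in smtp_acls:   # CSC redirection of SMTP
                hits.append((policy_class, line))
        elif policy_class and line.startswith("inspect esmtp"):
            hits.append((policy_class, line))              # ESMTP inspection engine
    return hits

if __name__ == "__main__":
    for cls, action in smtp_actions(SAMPLE_CONFIG):
        print(f"SMTP is handled by class {cls}: {action}")
```

On the excerpt this reports only the `csc fail-open` action under `global-class1`, consistent with ESMTP inspection already being disabled in the posted configuration.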