[SOLVED] Cisco ASA 5510: SMTP issue

EIKONLOGISTICS
Level 1

Hi,

In our company we have a Cisco ASA 5510 v8.4(3), ASDM 6.4(7) and an SSM-CSC-10-K9. The firewall is in transparent mode. I have an Exchange 2003 SP2 server behind it. When users try to send mailing lists with many recipients (above 300), the Exchange server doesn't send these mails. I'm pretty sure that this problem comes from the ASA firewall, because when I plug my server directly into my Internet connection, the mailing list is sent. I've searched the web and disabled "ESMTP Inspection", but it didn't work.

Here is my running config:

ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
domain-name *****.com
enable password ****** encrypted
passwd ***** encrypted
names
!
interface Ethernet0/0
 nameif INTERNET
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif LAN
 bridge-group 1
 security-level 100
!
interface Ethernet0/2
 nameif EKNPC06
 bridge-group 1
 security-level 100
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
interface BVI1
 ip address 192.168.16.2 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name eikonlogistics.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list global_access extended permit tcp any any eq smtp
access-list global_access extended permit tcp any any eq www
access-list global_access extended permit ip any any
access-list global_access extended permit tcp any any eq pop3 inactive
access-list global_access extended permit tcp any any eq https
access-list global_access extended permit udp any any eq domain
access-list global_access extended permit object-group TCPUDP any any eq domain
access-list global_access extended permit tcp any any
access-list global_access extended permit icmp any any
access-list global_mpc remark Scan Pop3 en sortie
access-list global_mpc extended permit tcp any any eq pop3
access-list global_mpc_1 extended permit tcp any any eq smtp
pager lines 40
logging enable
logging asdm informational
logging facility 16
mtu INTERNET 1500
mtu LAN 1500
mtu EKNPC06 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 LAN
http 192.168.16.0 255.255.255.0 INTERNET
http authentication-certificate INTERNET
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.16.0 255.255.255.0 INTERNET
ssh 192.168.16.0 255.255.255.0 LAN
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username sshuser password ************ encrypted privilege 15
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
class-map csc-acl
class-map global-class1
 match access-list global_mpc_1
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class global-class
  csc fail-open
 class global-class1
  csc fail-open
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:***********
: end

Any advice would be appreciated.

Regards

4 Replies

stojanr
Level 1

You mentioned that you're using the CSC module, which, amongst other things, also inspects SMTP traffic. I would suggest verifying the settings there, or temporarily removing the traffic redirection to the module in your policy map to verify if that is the cause of your issues.

Sent from Cisco Technical Support iPad App
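To see which traffic the posted policy map actually hands to the CSC module, the following added example (not part of the original thread, and not Cisco code) traces each class in `global_policy` back through its class-map and access-list to the matched ports. The helper names `trace_policy` and `csc_redirected_ports` are hypothetical, the sample is a constructed excerpt of the config above, and the parser assumes the usual `show running-config` indentation.

```python
# Constructed, abridged excerpt of the MPF lines from the config posted above.
SAMPLE_CONFIG = """\
access-list global_mpc extended permit tcp any any eq pop3
access-list global_mpc_1 extended permit tcp any any eq smtp
class-map global-class
 match access-list global_mpc
class-map global-class1
 match access-list global_mpc_1
policy-map global_policy
 class global-class
  csc fail-open
 class global-class1
  csc fail-open
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def trace_policy(config, policy="global_policy"):
    """Map each class in the policy-map to its actions and matched ACL ports."""
    acl_ports, class_acl, result = {}, {}, {}
    section = current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "access-list" and "eq" in words and "inactive" not in words:
            acl_ports.setdefault(words[1], []).append(words[words.index("eq") + 1])
        elif words[0] == "class-map" or words == ["policy-map", policy]:
            section, current = words[0], words[-1]
        elif not raw.startswith(" "):
            section = None  # any other top-level command ends the section
        elif section == "class-map" and words[:2] == ["match", "access-list"]:
            class_acl[current] = words[2]
        elif section == "policy-map" and words[0] == "class":
            current = words[1]
            result[current] = {"actions": [], "ports": []}
        elif section == "policy-map" and current in result:
            result[current]["actions"].append(" ".join(words))
    for name, entry in result.items():
        entry["ports"] = acl_ports.get(class_acl.get(name), [])
    return result

def csc_redirected_ports(config):
    """Destination ports whose traffic the policy hands to the CSC module."""
    return sorted({port for entry in trace_policy(config).values()
                   if any(a.startswith("csc ") for a in entry["actions"])
                   for port in entry["ports"]})
```

Running it again on a config saved after the redirection has been removed confirms whether SMTP still reaches the module.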

OK, I'll give it a try ASAP.

Thank you!

I've turned off the redirection to the CSC-SSM module. My outgoing mailing list is still blocked. Am I missing something (all mails with a few recipients are sent successfully)?

I've switched my config to routed mode and disabled ESMTP inspection; it's working fine now...
