ASA5505 is blocking outgoing SMTP

Hello,

I've got a problem with Cisco's ASA5505. We have several of them in use and all share the same problem. When the ASA is rebooted, we can only send several test mails (4 - 6) until the box blocks new outgoing SMTP connections. While the "good" connections correctly show the src and dst IP address and also port 25 (in ASDM), the blocked tries are missing this information (e.g.):

3|Aug 03 2009|17:09:29|201008|||||Disallowing new connections.
3|Aug 03 2009|17:09:23|201008|||||Disallowing new connections.
3|Aug 03 2009|17:09:17|201008|||||Disallowing new connections.
3|Aug 03 2009|17:09:11|201008|||||Disallowing new connections.

I've only 2 choices to fix this problem (temporarily):

  1. reboot the ASA
  2. turn off logging (
Steffen Mauch

[Quoted ASDM access-rule export; only the following fields survived extraction. Columns: source, destination, service, action.]

  inside-network/24, any, tcp/http, Permit
  inside-network/24, any, tcp/https, Permit
  inside-network/24, any, tcp/123, Permit
  …ork/24, any, tcp/domain, Permit
  …ork/24, any, tcp/ssh, Permit
  …ork/24, any, tcp/telnet, Permit
  …ork/24, any, ping_out, Permit
  ….221, any, tcp/smtp, Permit
  …ork/24, any, udp/domain, Permit
  (implicit Deny)

  …work/24, inside-network/24, ping_out, Permit
  (implicit Deny)


Hello,

In your configuration, under the policy-map global_policy, do you have "inspect esmtp" or "inspect smtp"?

Regards

jrguent

Hello,

this is my config:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!

As you can see, there is an "inspect esmtp". Is this my problem? If yes, how do I disable this inspection, which seems not to work too well in my special case?

Thank you for your help!

Regards Steffen

Steffen Mauch

Hello,

It is possible that this esmtp inspection is related to this problem. I suggest disabling it and then see if the problem is resolved. Interesting, I was working with a test ASA running 8.0(4) code and tried to remove the inspection while using an SSH management connection to the firewall. I could not figure out how to disable it via the CLI. However, using ASDM I found how to disable it. Go to Configuration>Firewall>Service Policy Rules> Highlight "inspection_default" row, then select edit; Go to "Rule Actions" tab, and you will see ESMTP box checked as it is one of the inspections enabled by default in a beginning configuration. Just uncheck this box to disable it and apply the rule changes.

Regards.

jrguent

Hello,

thank you for your idiot-proof explanation of how to disable this "feature"! I will try the setting on my ASAs at once.

Regards Steffen

Steffen Mauch

Hi again,

I applied the settings from jrguent but they don't seem to fix the problem. Perhaps I haven't given all the necessary information, so I'll try to tell you everything that could be useful:

  1. The device which tries to send the mails is an industrial PC (IPC) running Windows CE 6.0. The IPC is from Beckhoff and is called CX1020. The application which sends the mails is written in CodeSys(?) with the IDE TwinCAT. The IPC has a fixed IP address (no DHCP). It is able to resolve the mail server's name to its IP address.

  2. Threat detection in the ASA is disabled, but it doesn't resolve the problem.

  3. After a restart of the box, some mails go through it without problems. At some point it stops working, with the mentioned rows in the logging window: "Disallowing new connections." Because I don't know when this occurs, I haven't seen the "beginning" of the problem yet, but I don't think the IPC is able to send a lot of mails in a short time (like a "DoS" attack). When the "Disallowing new connections." occurs I can switch logging off and then all mails are able to pass the ASA until the problem occurs again. Usually I can enable logging again and disable it again to "fix" it again, temporarily. Because the mails are generated automatically, they all look similar (the mails contain statistics or error messages, but the envelope of the mails should be always correct or always wrong).

I'm no Cisco specialist. We chose the ASA because it was recommended to us by the first Cisco Partner. But after we agreed, he couldn't implement all features. So we went to the next Cisco Partner (don't remember whether they were all Gold or whatever). The quality of his work wasn't acceptable. To keep the story short: now we have the fourth partner (Cisco Select certified, don't know what it stands for). He is the best of the four but seems not to be able to find the mail problem :-(. Today we know most of the weaknesses of the ASA (and for our application it has a lot of them, e.g. no support for SMTP AUTH for mailing syslogs, the auto-update feature does only HTTP 1.0, no chance to use virtual hosting .....).

We have invested a lot of time (and money) but today (over 1 year later!) we haven't reached the goal. The mail functionality is essential for the project, and because the problem couldn't be resolved in such a long time, I don't believe the ASA can do this in our (special?) case.

Hope anyone has an idea for our problem.

Regards Steffen

Steffen Mauch

Are you sure you're not running into a licensing limitation or a connection limitation on the firewall? Post the following:

show local-host (just the first couple of lines are OK)
show conn (just the first line is fine)
show xlate (first line again is fine)
show version

You can also try turning off esmtp inspection. If it's using the default settings, type:

policy-map global_policy
 class inspection_default
  no inspect esmtp

-Brian

Brian V

Hi Brian,

thank you for your reply. Here is the information you asked for. Because I'm not very good at using the console, I used your commands in the "Command Line Interface" in ASDM. Hope the results are the same.

Result of the command: "show local-host"

Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 10

Interface outside: 3 active, 9 maximum active, 0 denied
Interface inside: 0 active, 3 maximum active, 0 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied

Result of the command: "show conn"

4 in use, 14 most used

Result of the command: "show xlate"

0 in use, 2 most used

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(5)57

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

BVH060492 up 17 hours 59 mins

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0 : address is 0024.1488.0595, irq 11
 1: Ext: Ethernet0/0 : address is 0024.1488.058d, irq 255
 2: Ext: Ethernet0/1 : address is 0024.1488.058e, irq 255
 3: Ext: Ethernet0/2 : address is 0024.1488.058f, irq 255
 4: Ext: Ethernet0/3 : address is 0024.1488.0590, irq 255
 5: Ext: Ethernet0/4 : address is 0024.1488.0591, irq 255
 6: Ext: Ethernet0/5 : address is 0024.1488.0592, irq 255
 7: Ext: Ethernet0/6 : address is 0024.1488.0593, irq 255
 8: Ext: Ethernet0/7 : address is 0024.1488.0594, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2

This platform has a Base license.

Serial Number: JMX1251Z1MJ
Running Activation Key: 0x4024dc58 0xb42aedc2 0xb4819dc4 0x8480cc00 0x853539ab
Configuration register is 0x1
Configuration last modified by admin at 18:28:29.598 CEDT Wed Sep 16 2009

Is this the same procedure as described by jrguent in his post from 05.08.2009 17:19?

One point: we will update to the latest ASA version in the next few days.

Regards Steffen

Steffen Mauch


I think Brian is on the right track with the licensing.

When you ran "show local-host", was the outbound SMTP traffic being blocked?

You have a "Base license" which only allows 10 connections. I am thinking you need to upgrade your licensing.

Techno_Guy


I don't want to assume anything here, so I will ask if any of the below pertains to your config?

Explanation: This message appears when you have enabled TCP system log messaging and the syslog server cannot be reached, or when using security appliance Syslog Server (PFSS) and the disk on the Windows NT system is full, or when the auto-update timeout is configured and the auto-update server is not reachable. Recommended Action: Disable TCP system log messaging. If using PFSS, free up space on the Windows NT system where PFSS resides. Also, make sure that the syslog host is up and you can ping the host from the security appliance console. Then restart TCP system message logging to allow traffic. If the Auto Update Server has not been contacted for a certain period of time, the following command will cause it to cease sending packets: [no] auto-update timeout period.

Techno_Guy


Are you using TCP syslogging? If so, why? That is a lot of overhead to carry.

Here is some more info on using tcp syslogging.


Techno_Guy


Look for these errors:

%PIX-3-201008 The PIX is disallowing new connections.

%PIX-3-201009 TCP connection limit of number for host IP_address on interface_name exceeded.

If you see them then you are having a licensing issue. If not, post up your entire config. Make sure you remove your IP and username info before posting.

Techno_Guy
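As an added example (not part of the thread, and not Cisco's code), the following Python script does the two checks a reader of this thread would want. It parses ASDM log-viewer export lines in the pipe-separated format Steffen posted and counts the 201008 and 201009 messages Techno_Guy lists, and it audits a running-config excerpt for a TCP syslog host configured without "logging permit-hostdown" (the ASA command that lets traffic continue when the TCP syslog collector is unreachable, which is the condition behind 201008 in the explanation quoted above), then emits the corrected config. The 302013 log line, the IPC address 192.168.1.221, the collector address 192.168.1.50 and the config excerpt are constructed for the example; only the 201008 lines and the "inspect esmtp" setting come from the thread.

```python
"""Added example (not code from the thread or from Cisco): triage for ASA 201008.
1. Parse ASDM log-export lines (sev|date|time|msgid|src|sport|dst|dport|text) and
   count the 201008 / 201009 messages listed in the thread.
2. Audit a running-config excerpt for a TCP syslog host without 'logging
   permit-hostdown' (the condition behind 201008) and emit the corrected config.
All sample data is constructed; only the 201008 lines and 'inspect esmtp' are from the thread.
"""
import re
from collections import Counter

# Hints paraphrased from the Cisco syslog documentation quoted in the thread.
MESSAGE_HINTS = {
    "201008": "TCP syslog (or auto-update) server unreachable: ASA refuses new connections",
    "201009": "TCP connection limit for a host exceeded: connection/licensing limit",
}

# ASDM log viewer export: nine pipe-separated columns.
ASDM_LINE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|"
    r"(?P<src>[^|]*)\|(?P<sport>[^|]*)\|(?P<dst>[^|]*)\|(?P<dport>[^|]*)\|(?P<text>.*)$"
)
# 'logging host <iface> <addr> [tcp|udp[/port]]'; TCP syslog defaults to port 1470.
LOGGING_HOST = re.compile(
    r"^logging host\s+(?P<iface>\S+)\s+(?P<addr>\S+)(?:\s+(?P<proto>tcp|udp)(?:/(?P<port>\d+))?)?",
    re.IGNORECASE,
)

# Constructed: one normal SMTP connection from the IPC (address assumed), then Steffen's 201008 lines.
SAMPLE_LOG = """\
6|Aug 03 2009|17:09:05|302013|192.168.1.221|4211|203.0.113.25|25|Built outbound TCP connection
3|Aug 03 2009|17:09:11|201008|||||Disallowing new connections.
3|Aug 03 2009|17:09:17|201008|||||Disallowing new connections.
3|Aug 03 2009|17:09:23|201008|||||Disallowing new connections.
""".splitlines()

# Constructed: TCP syslog collector (address assumed) configured without permit-hostdown.
SAMPLE_CONFIG = """\
logging enable
logging host inside 192.168.1.50 tcp/1470
policy-map global_policy
 class inspection_default
  inspect esmtp
"""

def parse_asdm_line(line):
    """Split one ASDM export line into its columns; None if it is not in that format."""
    m = ASDM_LINE.match(line.strip())
    return m.groupdict() if m else None

def triage_log(lines):
    """Count the message IDs of interest and attach the hint for each."""
    counts = Counter()
    for line in lines:
        rec = parse_asdm_line(line)
        if rec and rec["msgid"] in MESSAGE_HINTS:
            counts[rec["msgid"]] += 1
    return {mid: {"count": n, "hint": MESSAGE_HINTS[mid]} for mid, n in counts.items()}

def audit_config(config_text):
    """Findings: TCP syslog hosts without permit-hostdown, then esmtp inspection if enabled."""
    tcp_hosts, permit_hostdown, esmtp = [], False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LOGGING_HOST.match(line)
        if m and (m.group("proto") or "").lower() == "tcp":
            tcp_hosts.append((m.group("iface"), m.group("addr"), m.group("port") or "1470"))
        elif line == "logging permit-hostdown":
            permit_hostdown = True
        elif line == "inspect esmtp":
            esmtp = True
    findings = []
    if not permit_hostdown:
        for iface, addr, port in tcp_hosts:
            findings.append(f"TCP syslog to {addr}:{port} via {iface} without 'logging permit-hostdown': "
                            "new connections are refused while the collector is unreachable (201008)")
    if esmtp:
        findings.append("'inspect esmtp' is enabled: confirm it is not interfering with the SMTP sender")
    return findings

def harden_config(config_text):
    """Insert 'logging permit-hostdown' after the first TCP syslog host if it is missing."""
    lines = config_text.splitlines()
    if any(l.strip() == "logging permit-hostdown" for l in lines):
        return config_text
    out, inserted = [], False
    for raw in lines:
        out.append(raw)
        m = LOGGING_HOST.match(raw.strip())
        if m and not inserted and (m.group("proto") or "").lower() == "tcp":
            out.append("logging permit-hostdown")
            inserted = True
    return "\n".join(out)

if __name__ == "__main__":
    for mid, info in triage_log(SAMPLE_LOG).items():
        print(f"{mid} x{info['count']}: {info['hint']}")
    for finding in audit_config(SAMPLE_CONFIG):
        print("finding:", finding)
    print(harden_config(SAMPLE_CONFIG))
```

Run it as-is to see the three 201008 hits and the two findings; point `triage_log` at a real ASDM export and `audit_config` at the output of `show running-config logging` to repeat the check on your own box. The audit treats a missing `logging permit-hostdown` as a finding only when at least one TCP syslog host exists, because UDP syslog never blocks traffic.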

Hi Techno_Guy,

Thank you for your hints. I'll check them. I have exactly the first error code, 201008, from your post (as already described in my initial post).

Steffen Mauch

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.