E-Mail Woes to Mailsweeper on PIX DMZ

I have an ASA (PIX 7.X) with a Mailsweeper on my DMZ port.

I have a public IP for the above, statically translated (DMZ,Outside) public IP, real IP mask etc.

My access-list permits SMTP in from the Internet to the public IP and I am seeing lots of hits.

When I look at the logging on ASDM I notice a lot of FIN packets. The session connects and then 2 x seconds later (or less) tears down. The number of bytes transferred = 0 each time. So far I have not received any e-mail but it seems there are lots of attempts.

I hadn't enabled DNS requests from this server via my DMZ inbound access-list which I have rectified but still nothing. My immediate thought was reverse DNS - i.e. the Mailsweeper was trying to validate the request coming in to it but I am not sure if I am clutching at straws.

The domain name is managed by a 3rd party company, not the ISP where the server is located. I am thinking that I need to inform the ISP to add a reverse lookup to their DNS to make this all work.

I cannot think what else this could be and will Google for more answers. For now, would anyone have an idea?

I have ESMTP fixup on, which I turned off, then back on again. Stuck at the moment scratching my head.

Any help would be appreciated.

Regards

Darren

Darren Green

when you do a "show service-policy" are you seeing drops?

Brian V

Brian,

Appreciate the response.

Please see output below:

Errors I receive constantly:

6 Oct 14 2006 09:06:25 302014 X.X.X.X 172.28.1.6 Teardown TCP connection 6193 for outside:X.X.XX/3588 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs

6 Oct 14 2006 09:06:25 302013 X.X.X.X 172.28.1.6 Built inbound TCP connection 6193 for outside:X.X.X.X/3588 (X.X.X.X/3588) to DMZ:172.28.1.6/25 (X.X.X.X/25)

access-list outside line 4 extended permit tcp any host X.X.X.X eq smtp (hitcnt=4410)

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 669, drop 0, reset-drop 0
      Inspect: ftp, packet 240, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 8, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 126, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 13510, drop 0, reset-drop 0

I have the enclosed line on my DMZ port also (NB This is 1 of several access-list entries for the DMZ):

access-list dmz_access line 9 extended permit udp host 172.28.1.6 any eq domain (hitcnt=225) 0xf52b94ca

This is the private address of the MailSweeper that I thought I would need to allow DNS for out onto the Internet with the static IP:

static (DMZ,outside) X.X.X.X 172.28.1.6 netmask 255.255.255.255

Regards

Darren

Darren Green

Also done a packet capture with Ethereal, the packet sequence goes:

Sending Mail Server - Syn
MailSweeper - Syn Ack
Sending Mail Server - Ack
Mailsweeper - Fin, Ack
Sending Mail Server - Fin, Ack
Mailsweeper - Ack

Then round and round again - all within a 1 second window - no bytes transferred. From the above it looks as if the teardown is at my end.

Regards

Darren

Darren Green

Can you post your full config? I'll take a look. While I do not believe it's your inspects, the esmtp using a map is rather strange, typically it is only DNS and h323 that use a map.

-Brian

Brian V

Brian,

Thanks again. Config enclosed.

I have pulled out some bits relating to various VPNs. I also pulled out a couple of additional DMZ statics which had global mappings - .29 & .30 are my 2 x servers, with .30 being the Mailsweeper giving me the pain. The other bit removed was a nonat_dmz access-list for a couple of other hosts that work fine.

ASA Version 7.2(1)
!
hostname ASA
domain-name XYZ
enable password XXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
 description Interface to Outside
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address X.X.X.X.4 255.255.255.224 standby X.X.X.5
!
interface Ethernet0/1
 description Interface To Private Network
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.29.1.6 255.255.255.0 standby 172.29.1.7
!
interface Ethernet0/2
 description DMZ Port
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.28.1.1 255.255.255.0 standby 172.28.1.2
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description LAN Failover Interface
!
passwd XXXXXXXXXXXX encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name XXXXXXXXX
access-list outside extended permit tcp any host X.X.X.29 eq ftp
access-list outside extended permit tcp any host X.X.X.30 eq smtp
access-list outside extended permit tcp any host X.X.X.29 eq www
access-list dmz_access extended permit icmp host 172.28.1.3 any echo
access-list dmz_access extended permit icmp host 172.28.1.4 any echo
access-list dmz_access extended permit tcp host 172.28.1.6 host 10.0.0.9 eq smtp
access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
access-list dmz_access extended permit udp host 172.28.1.6 any eq domain   (I did this yesterday)
access-list dmz_access extended permit tcp host 172.28.1.6 any eq smtp   (I believe I need this so that the MailSweeper can initiate an SMTP connection to the Internet)
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
failover
failover lan unit secondary
failover lan interface LAN_Failover Management0/0
failover key *****
failover replication http
failover interface ip LAN_Failover 172.29.2.1 255.255.255.252 standby 172.29.2.2
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat_dmz
static (inside,outside) X.X.X.X.6 172.29.1.2 netmask 255.255.255.255
static (inside,outside) X.X.X.X.7 172.29.1.3 netmask 255.255.255.255
static (DMZ,outside) X.X.X.X.29 172.28.1.5 netmask 255.255.255.255
static (DMZ,outside) X.X.X.30 172.28.1.6 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.9 10.0.0.9 netmask 255.255.255.255
access-group outside in interface outside
access-group dmz_access in interface DMZ
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 10.0.0.0 255.0.0.0 172.29.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server enable
crypto ipsec transform-set set2 esp-3des esp-md5-hmac
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto dynamic-map dynamap 20 set transform-set set1
crypto dynamic-map dynamap 40 set transform-set set1
crypto map vpn-traffic 20 match address XXXXXXXXX
crypto map vpn-traffic 20 set peer blah
crypto map vpn-traffic 20 set transform-set set1
crypto map vpn-traffic 30 match address XXXXXXXX
crypto map vpn-traffic 30 set peer blah
crypto map vpn-traffic 30 set transform-set set1
crypto map vpn-traffic 50 ipsec-isakmp dynamic dynamap
crypto map vpn-traffic interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal 30
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
  inspect esmtp
!
service-policy global_policy global
ntp server XXXXXX source XXXXXXX
prompt hostname context

Darren Green

Few things to try...

1, Change your DNS inspect to use a 1500 byte packet:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500

2, I'm sure you just put this in for troubleshooting, but I don't like seeing it there. It's a big security issue:

access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2

Do:

no access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2 log

Once you have verified what ports it uses, tighten it down to those and remove the permit ip statement.

3, Let's add a couple of entries to your DMZ ACL. First we'll add a logging deny to the inside subnets to see if anything else is being hit. Then add a permit any to see if it's perhaps a reverse communication back to the real world. The machines on the DMZ now cannot go to the Internet due to the missing permit statements... this affects updates and 2-way communication with outside sources.

access-list dmz_access extended deny ip any 172.29.1.0 255.255.255.0 log
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_access extended permit ip any any

-Brian

Brian V

Done

Done, good point - I actually made a mistake here & should have known better. Thank you for bringing this to my attention.

Will do

Brian,

Again, thank you for taking all this time to help me with this, really appreciated.

Can I clarify point (3).

I can see the reason to put this access-list entry on here, but would you mind clarifying why the machines on the DMZ will not be able to get out to the Internet? If I have 1:1 static translations for .5 & .6 from the DMZ to the outside, surely they will be able to hit the Internet, won't they?

Can I also confirm that the above 3 x lines for dmz_access are to go at the end of the access-list ?

The inside network of the PIX is 172.29.1.0/24 and it reaches 10.0.0.0 /8 via 172.29.1.1.

Regards

Darren

Darren Green

Hi Darren,

By default higher security interfaces can always talk to lower security interfaces UNTIL an access list is applied to the interface. On the bottom of all access lists is a deny ip any any; you can't see it, you don't add it, it's simply there, it's called an implicit deny. In the case of a DMZ ACL you permit the services you want to permit to the inside, deny everything else to the inside, deny anything else, then permit everything to the real world. With your current DMZ ACL those machines on the DMZ cannot go to the web or even do public DNS lookups due to the implicit deny. If the Mailsweeper is doing reverse lookups it would fail as it cannot get to the Internet.

The statics don't tell it that it can go to the internet, they simply tell it who they are. The ACL is what controls where they can go.

Yes, the entries I gave you should go at the bottom of the DMZ ACL. You need to keep this in mind when adding permitted services to the inside from the DMZ: they need to go above the deny any to the inside IPs. This only applies to a DMZ ACL, you would never use this on an outside ACL. On an outside ACL we want the implicit deny there as we only want to allow specific services in from the real world. Always build a DMZ ACL in this order:

 permitted services to the inside
 deny everything else to the inside
 deny anything else you want to deny
 permit everything to the world

You can actually insert lines wherever you like into an ACL. There is no reason to remove it to add other permits. When you use the command "show access-list" it will show you your ACL and will have line numbers in there. Example:

show access-list
access-list DMZ line 1 extended permit icmp any any echo-reply (hitcnt=43739) 0x92a1d35a
access-list DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=247) 0x83d4ea4f
access-list DMZ line 3 extended permit tcp host X.X.X.X host X.X.X.X eq domain (hitcnt=70) 0x499324c7
access-list DMZ line 4 extended permit udp host X.X.X.X host X.X.X.X eq domain (hitcnt=93678) 0x1a2a5165

If I wanted to add a statement between lines 1 and 2 I would add access-list DMZ line 2 extended permit eq

This would insert it above line 2 and below line 1. The new ACL would look like:

access-list DMZ line 1 extended permit icmp any any echo-reply (hitcnt=43739) 0x92a1d35a
access-list DMZ line 2 extended permit eq
access-list DMZ line 3 extended permit icmp any any time-exceeded (hitcnt=247) 0x83d4ea4f
access-list DMZ line 4 extended permit tcp host X.X.X.X host X.X.X.X eq domain (hitcnt=70) 0x499324c7
access-list DMZ line 5 extended permit udp host X.X.X.X host X.X.X.X eq domain (hitcnt=93678) 0x1a2a5165

-Brian

Brian V
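Brian's ordering rule and the "line N" insert, modelled as an added example (Python written for this page, not Cisco code or anything posted in the thread). It uses first-match evaluation with the implicit deny at the end; the DMZ and inside hosts are the thread's, while the DNS server address 198.51.100.53 is a placeholder from the documentation range.

```python
"""Model of ASA extended-ACL evaluation: first match wins, then the implicit
deny.  Added example for this thread, not Cisco code; it builds Darren's
dmz_access in the order Brian describes and shows why the trailing permit
matters and where an 'access-list NAME line N' insert lands."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any" or a CIDR / host address
    dst: str
    dport: int = None      # None: any destination port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

class Acl:
    def __init__(self):
        self.aces = []

    def add(self, ace, line=None):
        # 'access-list NAME line N ...' inserts above the current line N;
        # without a line number the entry is appended at the bottom.
        if line is None:
            self.aces.append(ace)
        else:
            self.aces.insert(line - 1, ace)

    def evaluate(self, proto, src, dst, dport=None):
        for n, ace in enumerate(self.aces, start=1):
            if ace.matches(proto, src, dst, dport):
                return f"{ace.action} (line {n})"
        return "deny (implicit)"   # the deny ip any any you never see

def build_dmz_acl(permit_world=True):
    """dmz_access in Brian's order: permits to inside, deny the rest of the
    inside, then permit the world.  permit_world=False leaves the ACL without
    the trailing permit, as Darren's was, so DNS out dies on the implicit deny."""
    acl = Acl()
    acl.add(Ace("permit", "tcp", "172.28.1.6", "10.0.0.9", 25))   # relay to inside
    acl.add(Ace("deny", "ip", "any", "172.29.1.0/24"))
    acl.add(Ace("deny", "ip", "any", "10.0.0.0/8"))
    if permit_world:
        acl.add(Ace("permit", "ip", "any", "any"))
    return acl
```

Calling build_dmz_acl(False).evaluate("udp", "172.28.1.6", "198.51.100.53", 53) returns the implicit deny; with the trailing permit the same lookup matches line 4, and an entry added with line=2 pushes the two deny lines down to 3 and 4.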

Brian,

Thanks for clearing that up, this all makes sense.

I am going to apply the above and see what the buffer logs tell me later today. I will post a follow up once I have some info.

Regards

Darren

Darren Green

Hey Brian,

Ahh, cannot believe what I have just done. I typed out / copied in notepad all the relevant information and then closed it by accident - I was multi-tasking :-(

I will try and summarise what I found

There were no access-list hits on the deny entries for 10.0.0.0/8 or 172.29.1.0/24 (I have now removed those entries from the DMZ 172.28.1.0/24 prior to the Monday working day).
There were 3 x hits on the permit ip any any.
I see UDP requests being generated by 172.28.1.6 to the ISP's DNS server on the Internet.
SMTP connections are created and torn down in the same way as before.

access-list dmz_access line 6 extended permit tcp host 172.28.1.6 host 10.0.0.9 eq smtp (hitcnt=2) 0x4cd7a431
access-list dmz_access line 7 extended permit udp host 172.28.1.6 any eq domain log informational interval 300 (hitcnt=399) 0xf52b94ca
access-list dmz_access line 8 extended permit tcp host 172.28.1.6 any eq smtp (hitcnt=0) 0x6cc7f1ed
access-list dmz_access line 10 extended permit ip host 172.28.1.5 host 10.0.0.2 log informational interval 300 (hitcnt=2) 0xbf77a83c
access-list dmz_access line 11 extended permit ip any any (hitcnt=2) 0x738fd750

Oct 15 2006 18:17:12: %ASA-7-609001: Built local-host outside:X.X.X.X.18
Oct 15 2006 18:17:12: %ASA-6-302015: Built outbound UDP connection 7352 for outside:X.X.X.X.18/123 (X.X.X.18/123) to NP Identity Ifc:X.X.X.4/123 (X.X.X.4/123) - NTP I believe
Oct 15 2006 18:17:15: %ASA-7-609001: Built local-host outside:X.X.X.34
Oct 15 2006 18:17:15: %ASA-7-609001: Built local-host DMZ:172.28.1.6
Oct 15 2006 18:17:15: %ASA-6-302013: Built inbound TCP connection 7353 for outside:X.X.X.34/32552 (X.X.X.34/32552) to DMZ:172.28.1.6/25 (X.X.X.30/25)
Oct 15 2006 18:17:15: %ASA-6-302014: Teardown TCP connection 7353 for outside:X.X.X.34/32552 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs
Oct 15 2006 18:17:15: %ASA-7-609002: Teardown local-host outside:X.X.X..34 duration 0:00:00
Oct 15 2006 18:17:15: %ASA-7-609002: Teardown local-host DMZ:172.28.1.6 duration 0:00:00

Not knowing much about reverse DNS, I assume that what is happening is that the MailSweeper is talking to the ISP's DNS server on the included dmz_access entry (399 hits). Is there a way I can prove that this ties in with the inbound SMTP request? Whilst there isn't a log entry for this above, I note that the few DNS UDP requests that there were didn't follow the SMTP connection attempts.

One other thing that is bothering me.

I note from the show version that the licence states Active / Active. I am going to check that this is correct with Cisco - the configuration on the boxes is Primary = Active & Secondary = Failover. The Firewalls connect to the ISP's switch directly (same VLAN) on their outside interfaces.

I read in my ASA book that there could be an instance where traffic on Active / Active scenarios can leave 1 x interface and return on another. This is normally associated with companies that have 2 x separate ISPs; I only have 1 x ISP so perhaps this is a longshot.

When I read this I shut the outside interface of the Secondary and it didn't appear to produce anything different. Is there a way to make this Active / Standby without putting in another Activation Key ?

On the debug I did see an instance where the SMTP session was built inbound and torn down quickly by the PIX. The sending host tried to carry on the TCP connection and the PIX generated an error saying no TCP connection slot. Could the PIX be tearing down the session too quickly?

Regards

Darren

Darren Green
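Darren asks whether the DNS traffic from the Mailsweeper can be tied to the inbound SMTP attempts. One way to check that from the buffered log is to correlate the ASA 302013/302014 (TCP build/teardown) and 302015 (UDP build) messages by connection id and timestamp. This is an added example written for this page, not something posted in the thread; the log lines inside it are constructed in the same format Darren pasted, using documentation-range addresses in place of his masked public ones, and the five-second window is an assumption.

```python
"""Correlate ASA connection-log lines to answer the thread's question: do the
zero-byte SMTP teardowns coincide with DNS lookups from the Mailsweeper?
Added example, not from the thread; the SAMPLE log lines are constructed."""
import re
from datetime import datetime, timedelta

MAILSWEEPER = "172.28.1.6"   # DMZ real address from the thread
TS = r"(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-\d-"
BUILT = re.compile(TS + r"30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) "
                   r"connection (?P<cid>\d+) for [^:]+:(?P<sip>[\d.]+)/\d+ \([^)]*\) "
                   r"to [^:]+:(?P<dip>[\d.]+)/(?P<dport>\d+)")
TEARDOWN = re.compile(TS + r"30201[46]: Teardown (?:TCP|UDP) connection (?P<cid>\d+) "
                      r"for .* duration \d+:\d\d:\d\d bytes (?P<bytes>\d+)(?P<why>.*)$")

def parse_ts(s):
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def correlate(lines, window_s=5):
    """One record per inbound SMTP connection to the Mailsweeper: bytes moved,
    teardown reason, and whether the Mailsweeper issued a DNS query (UDP/53)
    within window_s seconds after the SMTP connection was built."""
    builds, teardowns, dns_times = {}, {}, []
    for line in lines:
        m = BUILT.match(line)
        if m:
            builds[m["cid"]] = m
            if m["proto"] == "UDP" and m["sip"] == MAILSWEEPER and m["dport"] == "53":
                dns_times.append(parse_ts(m["ts"]))
            continue
        m = TEARDOWN.match(line)
        if m:
            teardowns[m["cid"]] = m
    records = []
    for cid, b in builds.items():
        if not (b["proto"] == "TCP" and b["dip"] == MAILSWEEPER and b["dport"] == "25"):
            continue   # only the inbound SMTP sessions Darren is chasing
        t0, td = parse_ts(b["ts"]), teardowns.get(cid)
        records.append({
            "cid": cid, "peer": b["sip"],
            "bytes": int(td["bytes"]) if td else None,
            "reason": td["why"].strip() if td else "still open",
            "dns_followed": any(t0 <= t <= t0 + timedelta(seconds=window_s)
                                for t in dns_times),
        })
    return records

SAMPLE = [  # constructed; 203.0.113.x and 198.51.100.x are documentation ranges
    "Oct 15 2006 18:17:15: %ASA-6-302013: Built inbound TCP connection 7353 for outside:203.0.113.34/32552 (203.0.113.34/32552) to DMZ:172.28.1.6/25 (198.51.100.30/25)",
    "Oct 15 2006 18:17:15: %ASA-6-302014: Teardown TCP connection 7353 for outside:203.0.113.34/32552 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs",
    "Oct 15 2006 18:17:16: %ASA-6-302015: Built outbound UDP connection 7354 for DMZ:172.28.1.6/1031 (198.51.100.30/1031) to outside:198.51.100.53/53 (198.51.100.53/53)",
    "Oct 15 2006 18:20:02: %ASA-6-302013: Built inbound TCP connection 7400 for outside:203.0.113.77/4411 (203.0.113.77/4411) to DMZ:172.28.1.6/25 (198.51.100.30/25)",
    "Oct 15 2006 18:20:09: %ASA-6-302014: Teardown TCP connection 7400 for outside:203.0.113.77/4411 to DMZ:172.28.1.6/25 duration 0:00:07 bytes 4912 TCP FINs",
]
```

Running correlate(SAMPLE) on a real buffered log (logging buffered debugging, as in Darren's config) flags the zero-byte FIN teardowns and shows whether a DNS query from the Mailsweeper landed right after each one; a run of 0-byte sessions with no DNS query in the window points away from reverse-lookup delays and toward the Mailsweeper itself closing the session.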

Darren,

Hopefully the email address you have in here is legit. I sent you an email there. Let me know.

-Brian

Brian V
