uglyb0b
asked on
Can't turn off ESMTP inspection on ASA 5510
Hardware:
ASA 5510 8.2(1) w/Sec+ license (two devices running in failover config)
Problem:
Inbound SMTP connections from the outside are seeing a masked banner. The connection shows "220 ********************" from the outside but "220 mail.ourcompany.com ESMTP ready" on the inside. I am assuming that TLS commands are also being jacked but haven't tried them.
I have verified that "inspect esmtp" isn't part of our global policy. I have added "inspect esmtp" along with the "no banner mask" parameter with no results. I have also completely removed the global policy from the outside interface with no luck. I have made these changes and reloaded (verifying the config took on the failover unit) but still no luck.
For the life of me I cannot figure out why my SMTP banners are being masked. (I brought up another smtp server and tested from outside with same results.)
Here is current config:
class-map public_police_in
 match access-list outside_mpc
class-map p2p_im_block
 match any
class-map inspection_default
 match default-inspection-traffic
class-map type regex match-any p2p
 match regex _default_x-kazaa-network
 match regex _default_gator
 match regex _default_icy-metadata
 match regex _default_gnu-http-tunnel_uri
 match regex _default_gnu-http-tunnel_arg
 match regex _default_shoutcast-tunneling-protocol
class-map public_police_out
 match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
  inspect dns preset_dns_map
policy-map outside-policy
 class public_police_in
  police input 1600000 1500
policy-map type inspect im p2p_im
 parameters
  match login-name regex class p2p
   drop-connection log
  match protocol msn-im yahoo-im
   drop-connection log
policy-map inside-policy
 class public_police_out
  police input 500000 1500
 class p2p_im_block
  inspect im p2p_im
!
service-policy global_policy global
service-policy inside-policy interface inside
service-policy outside-policy interface outside
Any ideas?
ASKER
Hi MikeKane-
ESMTP was already unchecked in the ASDM. Just for giggles I went ahead and issued the no fixup... Still masked.
ASKER
That seems to have done it. Not sure why, but that's it for you. Thanks!
You guys are awesome! I have been trying to solve a problem for the past week where I couldn't send bulk emails to gmail accounts and unchecking the ESMTP inspect on our Cisco ASA fixed it immediately. Thanks!
If you have access to ASDM GUI then:
Configuration --> Service Policy Rules --> General/Global Policy --> Edit --> Rule Actions --> Uncheck ESMTP
Click OK --> Apply --> Save
Or for the command line:
enable
(enter the enable password)
config t
no fixup protocol smtp 25
exit
write mem
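To confirm whether anything in the path is still rewriting the SMTP session after the change above, here is an added Python check (not part of this thread and not a Cisco tool) that compares what an outside client sees against the inside view: the all-asterisk 220 banner the asker describes and any EHLO extension, such as STARTTLS, that is present inside but missing outside. The transcripts below are constructed samples; `fetch_live` is an assumed helper for running the same comparison against a real host.

```python
import socket

# Constructed sample transcripts, not captured from the asker's ASA.
# The "outside" pair mimics the masked banner and a masked EHLO keyword.
OUTSIDE_BANNER = "220 ********************\r\n"
INSIDE_BANNER = "220 mail.ourcompany.com ESMTP ready\r\n"
OUTSIDE_EHLO = ("250-mail.ourcompany.com\r\n250-SIZE 52428800\r\n"
                "250-XXXXXXXX\r\n250 8BITMIME\r\n")
INSIDE_EHLO = ("250-mail.ourcompany.com\r\n250-SIZE 52428800\r\n"
               "250-STARTTLS\r\n250 8BITMIME\r\n")


def banner_is_masked(banner):
    """True when the 220 greeting text is empty or only asterisks."""
    first = banner.splitlines()[0] if banner else ""
    if not first.startswith("220"):
        raise ValueError("not an SMTP greeting: %r" % first)
    text = first[3:].strip()
    return text == "" or set(text) == {"*"}


def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line 250 reply."""
    keywords = []
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop "250-" or "250 "
        if body:
            keywords.append(body.split()[0].upper())
    return keywords[1:]                  # first 250 line is the hostname


def compare_views(out_banner, out_ehlo, in_banner, in_ehlo):
    """List what the outside client loses relative to the inside view."""
    findings = []
    if banner_is_masked(out_banner) and not banner_is_masked(in_banner):
        findings.append("banner masked in transit")
    lost = set(parse_ehlo(in_ehlo)) - set(parse_ehlo(out_ehlo))
    for kw in sorted(lost):
        findings.append("extension hidden in transit: " + kw)
    return findings


def fetch_live(host, port=25, timeout=5):
    """Collect greeting and EHLO reply from a real server (network; unused offline)."""
    def read_reply(f):
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # last line has "250 " not "250-"
                return "".join(lines)
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = read_reply(f)
        s.sendall(b"EHLO probe.example\r\n")
        ehlo = read_reply(f)
        s.sendall(b"QUIT\r\n")
    return banner, ehlo


if __name__ == "__main__":
    for finding in compare_views(OUTSIDE_BANNER, OUTSIDE_EHLO,
                                 INSIDE_BANNER, INSIDE_EHLO):
        print(finding)
```

Run it once from inside and once from outside with `fetch_live` and feed both pairs to `compare_views`; an empty result means the session now passes through unchanged.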