uglyb0b
asked on

Can't turn off ESMTP inspection on ASA 5510

Hardware:
ASA 5510 8.2(1) w/Sec+ license (two devices running in failover config)

Problem:
Inbound SMTP connections from the outside are seeing a masked banner. The connection shows "220 ********************" from the outside but "220 mail.ourcompany.com ESMTP ready" on the inside. I am assuming that TLS commands are also being jacked but haven't tried them.

I have verified that "inspect esmtp" isn't part of our global policy. I have added "inspect esmtp" along with the "no banner mask" parameter with no results. I have also completely removed the global policy from the outside interface with no luck. I have made these changes and reloaded (verifying the config took to the failover unit) but still no luck.

For the life of me I cannot figure out why my SMTP banners are being masked. (I brought up another smtp server and tested from outside with same results.)

Here is current config:
class-map public_police_in
 match access-list outside_mpc
class-map p2p_im_block
 match any
class-map inspection_default
 match default-inspection-traffic
class-map type regex match-any p2p
 match regex _default_x-kazaa-network
 match regex _default_gator
 match regex _default_icy-metadata
 match regex _default_gnu-http-tunnel_uri
 match regex _default_gnu-http-tunnel_arg
 match regex _default_shoutcast-tunneling-protocol
class-map public_police_out
 match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
  inspect dns preset_dns_map
policy-map outside-policy
 class public_police_in
  police input 1600000 1500
policy-map type inspect im p2p_im
 parameters
 match login-name regex class p2p
  drop-connection log
 match protocol msn-im yahoo-im
  drop-connection log
policy-map inside-policy
 class public_police_out
  police input 500000 1500
 class p2p_im_block
  inspect im p2p_im
!
service-policy global_policy global
service-policy inside-policy interface inside
service-policy outside-policy interface outside

Any ideas?
MikeKane

Doesn't look like mail fixup is on for inspection.... but just to be sure, check these:


If you have access to ASDM GUI then:
Configuration --> Service Policy Rules -->  General/Global Policy --> Edit ---> Rule Actions --> Uncheck ESMTP
Click OK --> Apply --> Save

Or for the command line:
enable
(enter the enable password)
config t
no fixup protocol smtp 25
exit
write mem
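For the ASA 8.x policy-map form of the same change, here is an added example (it is not from the thread and not the asker's configuration): an ESMTP inspection map that keeps inspection but turns off banner masking and permits STARTTLS, attached in the global policy, followed by the commands that confirm what the ASA is actually inspecting. The map name esmtp-nomask is an assumption; the command names are taken from the ASA command reference.

```cisco
! Added example, not the asker's config. Map name esmtp-nomask is assumed.
! Keep ESMTP inspection, but do not rewrite the 220 banner and let STARTTLS through.
policy-map type inspect esmtp esmtp-nomask
 parameters
  no mask-banner
  allow-tls action log
!
! Attach the map in the default inspection class of the global policy.
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp-nomask
!
! Alternative: turn ESMTP inspection off entirely (same class, no map at all).
! policy-map global_policy
!  class inspection_default
!   no inspect esmtp
!
! Verification from enable mode:
! show running-config all policy-map      ! prints hidden defaults such as _default_esmtp_map
! show service-policy inspect esmtp       ! lists where ESMTP inspection is actually applied
```

The map the ASA uses when `inspect esmtp` is entered without a map name is `_default_esmtp_map`, which masks the banner; it does not appear in a plain `show run`, only in `show running-config all policy-map`. The `allow-tls` parameter exists because the inspection engine does not pass the STARTTLS exchange by default, which is the TLS behaviour the asker suspected. If `show service-policy inspect esmtp` reports no ESMTP inspection on any interface and the outside banner is still asterisks, the ASA is not the device rewriting it.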


uglyb0b

ASKER

Hi MikeKane-

ESMTP was already unchecked in the ASDM. Just for giggles I went ahead and issued the no fixup... Still masked.
ASKER CERTIFIED SOLUTION
MikeKane

This solution is only available to members.
uglyb0b

ASKER

That seems to have done it. Not sure why, but that's IT for you. Thanks!

You guys are awesome! I have been trying to solve a problem for the past week where I couldn't send bulk emails to gmail accounts, and unchecking the ESMTP inspect on our Cisco ASA fixed it immediately. Thanks!