Question

Cisco ASA 5520 blocks SMTP when using TLS

Asked by: Nikolaj77

Hi,

We have a Cisco ASA 5520 in our setup and in the dmz we have a postfix server, where we have applied a certificate and configured postfix to use that certificate.

When connecting from outlook 2007 using TLS from the inside and to the postfix server in the dmz it works, but when connecting from the outside to the postfix server it does not work.

When going from outside to the postfix server, traffic passes through the ASA 5520, but when going from the inside to the postfix server, traffic passes through a PIX501.

The ASA is running:
Cisco Adaptive Security Appliance Software Version 7.0(7)
Device Manager Version 5.0(7)

This is our inspection policy:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect rsh
  inspect sqlnet
  inspect xdmcp
  inspect netbios
  inspect tftp
policy-map policy_global
policy-map type
!
service-policy global_policy global
smtp-server <ip1> <ip2>
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


We have also allowed traffic on port 25 and that works for non TLS traffic.


We really need TLS to be allowed through the ASA.

Can somebody help with an answer?

Thanks.

Asked On: 2009-06-12 at 00:30:05 (ID 24485853)
Tags: TLS, SMTP, postfix, cisco asa 5520
Topics: Email Protocols, Cisco PIX Firewall, Postfix
Participating Experts: 2
Points: 500
Comments: 23


Answers

 

by: cat6509 | Posted on 2009-06-12 at 04:38:51 | ID: 24611115

You have already removed the inspect esmtp from the ASA, but how about the PIX?

 If it is running older PIX code the command is

no fixup protocol smtp

 

by: Nikolaj77 | Posted on 2009-06-12 at 05:05:18 | ID: 24611261

Hi Cat6509,

Thanks for your reply.

The problem is not with the PIX, but with the ASA.

Everything is ok through the PIX.

 

by: 3nerds | Posted on 2009-06-12 at 08:59:05 | ID: 24613517

Nikolaj77,

Has this ever worked?

Are you using a PAT translation or a NAT 1 to 1?

If PAT are you using the outside interface or an additional IP?

Regards,

3nerds

 

by: Nikolaj77 | Posted on 2009-06-12 at 10:00:35 | ID: 24614065

The normal SMTP part has worked, and I have just configured TLS on the postfix server and want to grant access to TLS from the outside.

I have tried both with and without inspection of esmtp. Neither works.

This is my config:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xyz.xx
enable password xxxxxxx encrypted
passwd xxxxxxxx encrypted
names
name <IP1> pollux description Postfix mail server
name <IP2> castor description webserver
name <IP3> pix description PIX for internal network
name <IP4> C3560G description C3560G
name <IP5> xxx description xxx
name <IP6> ExchangeServer
name <IP7> BBInside
name <IP8> aldebaran
name <IP9> arcturus
name <IP10> xxxxyyy description xxxyyy
name <IP11> rb
name <IP12> vega
name <IP13> webmail
name <IP14> KB15 description KB15
name <IP15> orion
name <IP16> Hoelstad
name <IP17> Jonas
name <IP18> Jonaskontor
name <IP19> JonasHjemme
name <IP20> JonasExchange
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif internet
 security-level 0
 ip address xxx xxx
!
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address xxx xxx
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup internet
dns server-group DefaultDNS
 name-server yyy
 name-server yyy2
 domain-name xxxx.xxx
object-group network FTPUsers
 description Group for FTP Users
 network-object KB15 255.255.255.255
 network-object xxxx 255.255.255.255
 network-object Hoelstad 255.255.255.255
object-group service webservices tcp
 port-object eq www
 port-object eq https
object-group service FTPServer tcp
 port-object eq ftp-data
 port-object eq ftp
object-group service VPNports4500 udp
 port-object range 4500 4500
 port-object range isakmp isakmp
object-group service BB tcp
 port-object range 1984 1984
object-group network BBUsers
 network-object KB15 255.255.255.255
 network-object xxxxx 255.255.255.255
object-group network DMZSSHHosts
 description Group for SSH Hosts
 network-object aldebaran 255.255.255.255
 network-object arcturus 255.255.255.255
 network-object vega 255.255.255.255
 network-object orion 255.255.255.255
object-group network DMZSSHHosts_ref
 network-object aldebaran 255.255.255.255
 network-object arcturus 255.255.255.255
 network-object vega 255.255.255.255
 network-object orion 255.255.255.255
object-group service mailservices tcp
 port-object eq pop3
 port-object eq smtp
object-group network POP3users
 network-object KB15 255.255.255.255
 network-object Jonas 255.255.255.255
 network-object Jonaskontor 255.255.255.255
 network-object JonasExchange 255.255.255.255
 network-object JonasHjemme 255.255.255.255
object-group service SMTPSSL tcp-udp
 port-object eq 465
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp eq 465
 service-object tcp eq https
access-list internet_access_in extended permit tcp any host webmail object-group webservices
access-list internet_access_in remark Rule for web traffic
access-list internet_access_in extended permit tcp any host castor object-group webservices
access-list internet_access_in remark Rule for web traffic
access-list internet_access_in extended permit tcp any host aldebaran object-group webservices
access-list internet_access_in remark Rule for Mailserver
access-list internet_access_in extended permit tcp any host pollux eq smtp
access-list internet_access_in extended permit object-group DM_INLINE_SERVICE_1 any host pollux
access-list internet_access_in remark Rule for SSH on port 1863
access-list internet_access_in extended permit tcp any host pollux eq 1863
access-list internet_access_in remark Rule for Remote Backup
access-list internet_access_in extended permit tcp any host xxxxx eq https
access-list internet_access_in remark FTP Rule
access-list internet_access_in extended permit tcp object-group FTPUsers host castor object-group FTPServer
access-list internet_access_in remark FTP Rule
access-list internet_access_in extended permit tcp object-group FTPUsers host aldebaran object-group FTPServer
access-list internet_access_in extended permit ip host KB15 host pix inactive
access-list internet_access_in extended permit tcp host KB15 host castor eq ssh
access-list internet_access_in extended permit tcp object-group POP3users host pollux object-group mailservices
access-list internet_access_in extended permit tcp host KB15 object-group DMZSSHHosts_ref eq ssh
access-list internet_access_in extended permit tcp host KB15 host arcturus eq ssh inactive
access-list internet_access_in extended permit tcp host KB15 host arcturus eq 5900 inactive
access-list internet_access_in remark BB Rule
access-list internet_access_in extended permit tcp object-group BBUsers host castor eq 1984
access-list internet_access_in extended permit udp any host pix object-group VPNports4500
access-list internet_access_in extended permit tcp host KB15 host pix eq https inactive
access-list internet_access_in remark VPN ESP protocol
access-list internet_access_in extended permit esp any host pix
access-list internet_access_in extended permit tcp host KB15 host ExchangeServer eq smtp
access-list internet_access_in extended permit tcp any host ExchangeServer eq https inactive
access-list internet_access_in extended permit tcp host KB15 host BBInside object-group webservices
access-list internet_access_in extended permit gre host KB15 host webmail inactive
access-list internet_access_in extended permit tcp host KB15 host webmail eq pptp inactive
access-list internet_access_in extended permit udp host KB15 host webmail object-group VPNports4500
access-list internet_access_in remark Denial
access-list internet_access_in extended deny ip any any
access-list inside_nat0_outbound remark PIX Exemption Rule
access-list inside_nat0_outbound extended permit ip host pix host KB15
pager lines 24
logging enable
logging asdm informational
logging from-address mailaddesss@mail.xxx
logging recipient-address mailaddr@mail.xxx level errors
mtu internet 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface internet
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,internet) castor castor netmask 255.255.255.255
static (inside,internet) aldebaran aldebaran netmask 255.255.255.255
static (inside,internet) arcturus arcturus netmask 255.255.255.255
static (inside,internet) pollux pollux netmask 255.255.255.255
static (inside,internet) xxxx xxxx netmask 255.255.255.255
static (inside,internet) orion orion netmask 255.255.255.255
static (inside,internet) pix pix netmask 255.255.255.255
static (inside,internet) C3560G C3560G netmask 255.255.255.255
static (inside,internet) ExchangeServer ExchangeServer netmask 255.255.255.255
static (inside,internet) BBInside BBInside netmask 255.255.255.255
static (inside,internet) vega vega netmask 255.255.255.255
static (inside,internet) webmail webmail netmask 255.255.255.255
access-group internet_access_in in interface internet
route internet 0.0.0.0 0.0.0.0 <gwIP>
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http xxxxxx 255.255.255.255 inside
http pix 255.255.255.255 inside
http KB15 255.255.255.255 internet
snmp-server host inside castor community xzxzxzx
snmp-server location klkl
snmp-server contact XYZ
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet pix 255.255.255.255 inside
telnet timeout 5
ssh KB15 255.255.255.255 internet
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username 123 password uiouiuiiu encrypted
username 456 password lkjkjkj encrypted privilege 15
!
class-map test
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map type inspect esmtp tls
 parameters
  no mask-banner
  allow-tls action log
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect rsh
  inspect sqlnet
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect dns migrated_dns_map_1
  inspect esmtp tls
policy-map policy_global
!
service-policy global_policy global
smtp-server pollux castor
prompt hostname context
Cryptochecksum:4545544545
: end
asdm image disk0:/asdm-613.bin
asdm location castor 255.255.255.255 inside
asdm location pollux 255.255.255.255 inside
asdm location orion 255.255.255.255 inside
asdm location pix 255.255.255.255 inside
asdm location C3560G 255.255.255.255 inside
asdm location xxxxxxx 255.255.255.255 internet
asdm location zxxxxxx 255.255.255.255 internet
asdm location webmail 255.255.255.255 inside
asdm location KB15 255.255.255.255 internet
asdm group FTPUsers internet
asdm group BBUsers internet
asdm group DMZSSHHosts inside
asdm group DMZSSHHosts_ref internet reference DMZSSHHosts
asdm group POP3users internet
no asdm history enable

 

by: 3nerds | Posted on 2009-06-12 at 10:04:19 | ID: 24614094

Where is your DMZ connected? I see no config for a DMZ in this ASA config. Please explain how things are connected.

I was assuming

Inet --> ASA --> Inside
                |-->DMZ

Where does the DMZ link to your internal network?

Regards,

3nerds

 

by: Nikolaj77 | Posted on 2009-06-12 at 12:29:29 | ID: 24615315

Hi,

This is how it is connected:

internet --> ASA --> dmz switch (Postfix is here)
                                          |
                                          |--> PIX --> inside


Postfix server is located in dmz. (name: pollux in above config).

As mentioned a host on inside can use TLS on postfix server but a host on the internet cannot.

Thanks for your help.

 

by: 3nerds | Posted on 2009-06-12 at 12:54:07 | ID: 24615534

Thanks for the clarification!

Are you using Real Public IP addresses on the inside?


The reason I ask is I see your nat statements:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0

But no Global statement to go with.

I then see:
static (inside,internet) pollux pollux netmask 255.255.255.255 --> which appears to mean you are doing a static from the same IP outside as inside.

The above I ask as clarification to the setup. But what I think you want to do is this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

"Note: If you use Transport Layer Security (TLS) encryption for e-mail communication then the ESMTP inspection feature (enabled by default) in the PIX drops the packets. In order to allow the e-mails with TLS enabled, disable the ESMTP inspection feature as this output shows."

Basically it says to remove esmtp.

Regards,

3nerds
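
The Cisco note quoted above describes ESMTP inspection dropping TLS. In practice the client-visible symptom is that the STARTTLS capability never reaches the client in the EHLO reply, so a quick check from the affected side of the path is to speak plain SMTP up to EHLO and see whether STARTTLS is still advertised. The probe below is an added example, not code from the thread or from Cisco or Postfix. So that it runs offline, a small in-process responder stands in for the Postfix server; its `strip_starttls` switch imitates an inspecting middlebox that removes the capability. The host names `pollux.example` and `probe.example` are placeholders.

```python
"""Probe whether STARTTLS survives the path to an SMTP server (added example)."""
import socket
import threading


def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return None, lines          # peer closed mid-reply
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            lines.append(text)
            # The final line of a reply has a space (not '-') after the code.
            if len(text) >= 4 and text[3] == " ":
                return text[:3], lines


def starttls_advertised(host, port, helo_name="probe.example"):
    """True if the EHLO reply seen over this path still lists STARTTLS."""
    with socket.create_connection((host, port), timeout=5) as sock:
        code, _ = read_reply(sock)
        if code != "220":
            raise RuntimeError("unexpected banner code %r" % code)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        code, lines = read_reply(sock)
        if code != "250":
            raise RuntimeError("EHLO rejected: %r" % lines)
        # Each capability line is "250-KEYWORD [args]" or "250 KEYWORD".
        caps = {l[4:].split(" ")[0].upper() for l in lines[1:]}
        sock.sendall(b"QUIT\r\n")
        return "STARTTLS" in caps


class FakeSmtpServer:
    """Constructed stand-in for Postfix; optionally strips STARTTLS like an
    inspecting firewall would."""

    def __init__(self, strip_starttls=False):
        self.strip = strip_starttls
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        try:
            with conn:
                conn.sendall(b"220 pollux.example ESMTP Postfix\r\n")
                conn.recv(1024)                     # EHLO from the probe
                caps = ["PIPELINING", "SIZE 10240000", "STARTTLS", "8BITMIME"]
                if self.strip:
                    caps.remove("STARTTLS")         # what inspection does
                reply = (["250-pollux.example"]
                         + ["250-" + c for c in caps[:-1]]
                         + ["250 " + caps[-1]])
                conn.sendall(("\r\n".join(reply) + "\r\n").encode("ascii"))
                conn.recv(1024)                     # QUIT
                conn.sendall(b"221 Bye\r\n")
        except OSError:
            pass                                    # probe already hung up
        finally:
            self.sock.close()


def probe_path(strip_starttls):
    """Run the probe against a fresh fake server; returns the verdict."""
    srv = FakeSmtpServer(strip_starttls)
    return starttls_advertised("127.0.0.1", srv.port)


if __name__ == "__main__":
    print("clean path     :", probe_path(False))   # True
    print("inspected path :", probe_path(True))    # False
```

Against a real server, call `starttls_advertised(mx_host, 25)` once from inside the DMZ and once from the remote office; a True/False split between the two vantage points points at a device on the outside path rather than at the mail server.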




 

by: Nikolaj77 | Posted on 2009-06-12 at 12:59:20 | ID: 24615564

Hi,

Yes we are using real public IP addresses in the DMZ and 192.168.x.x in the inside.

I tried to remove esmtp, but without luck.

I also tried to do a "clear conn" after removing the esmtp inspection, result: Still not possible to use TLS from outside.

 

by: Nikolaj77 | Posted on 2009-06-12 at 13:03:25 | ID: 24615599

Maybe it is with the smtp inspection (and not esmtp) that the error lies?

Is it possible to disable smtp inspection?

 

by: 3nerds | Posted on 2009-06-12 at 13:11:03 | ID: 24615660

You're using this:

class-map inspection_default
 match default-inspection-traffic

which means you're using these:
 default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53      
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp          
                              ils-------tcp--389       mgcp------udp--2427,2727
                              netbios---udp--137-138   radius-acct---udp--1646
                              rpc-------udp--111       rsh-------tcp--514      
                              rtsp------tcp--554       sip-------tcp--5060    
                              sip-------udp--5060      skinny----tcp--2000    
                              smtp------tcp--25        sqlnet----tcp--1521    
                              tftp------udp--69        waas------tcp--1-65535  
                              xdmcp-----udp--177      


You would have to stop using the default temporarily and test it.

class-map inspection_default
 no match default-inspection-traffic

and then if it works build your own.

Regards,

3nerds

 

by: 3nerds | Posted on 2009-06-12 at 13:13:56 | ID: 24615689

I have to be honest, your config has me scratching my head a bit.

You have nat statements but no global, and you're statically translating the same address outside to the inside. That just seems odd to me; can't say I have seen anything like that other than in a transparent config, and even that was a lot different.

I am wondering if you are running into a bug with your translations, but try the smtp part and let me know.

Regards,

3nerds

 

by: Nikolaj77 | Posted on 2009-06-12 at 13:13:59 | ID: 24615691

BTW in the postfix log, this is what I get when connecting from the Internet:

Jun 12 22:12:51 pollux postfix/smtpd[93330]: initializing the server-side TLS engine
Jun 12 22:12:51 pollux postfix/smtpd[93330]: connect from xxxxxxx
Jun 12 22:12:51 pollux postfix/smtpd[93330]: lost connection after EHLO from xxxxxxx
Jun 12 22:12:51 pollux postfix/smtpd[93330]: disconnect from xxxxxxx


When doing the same thing from inside I get this in the postfix log:


Jun 12 22:15:13 pollux postfix/smtpd[93330]: connect from yyyyyyy
Jun 12 22:15:13 pollux postfix/smtpd[93330]: setting up TLS connection from yyyyyyy
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:before/accept initialization
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:error in SSLv2/v3 read client hello A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:error in SSLv2/v3 read client hello B
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 read client hello A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 write server hello A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 write certificate A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 write server done A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 flush data
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:error in SSLv3 read client certificate A
Jun 12 22:15:13 pollux last message repeated 2 times
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 read client key exchange A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:error in SSLv3 read certificate verify A
Jun 12 22:15:13 pollux last message repeated 3 times
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 read finished A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 write change cipher spec A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 write finished A
Jun 12 22:15:13 pollux postfix/smtpd[93330]: SSL_accept:SSLv3 flush data
Jun 12 22:15:13 pollux postfix/smtpd[93330]: TLS connection established from yyyyyyy: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun 12 22:15:13 pollux postfix/smtpd[93330]: 50E3213C421: client=yyyyyyy, sasl_method=LOGIN, sasl_username=zzzzzzzz
Jun 12 22:15:13 pollux postfix/cleanup[93337]: 50E3213C421: message-id=<20090612201513.50E3213C421@pollux.xx.xx>
Jun 12 22:15:13 pollux postfix/qmgr[93319]: 50E3213C421: from=<zzzzzzzzz>, size=785, nrcpt=1 (queue active)
Jun 12 22:15:13 pollux postfix/smtpd[93330]: disconnect from yyyyyyyy
Jun 12 22:15:13 pollux postfix/virtual[93343]: 50E3213C421: to=<zzzzzzzz>, relay=virtual, delay=0, status=sent (delivered to maildir)
Jun 12 22:15:13 pollux postfix/qmgr[93319]: 50E3213C421: removed
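
The two log excerpts above show the telling difference: the outside session is "lost connection after EHLO" with no TLS lines, while the inside session reaches "TLS connection established". The script below is an added example, not from the thread, that turns that comparison into a repeatable triage over Postfix smtpd logs: it groups lines into sessions per smtpd process (connect through disconnect) and lists clients whose sessions died right after EHLO without ever negotiating TLS, which is what a STARTTLS-stripping device on the path leaves behind. The sample lines are constructed after the ones posted here; the client names and addresses are placeholders.

```python
"""Triage Postfix smtpd logs for sessions dropped right after EHLO (added example)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed sample modelled on the thread's excerpts; placeholders only.
SAMPLE_LOG = """\
Jun 12 22:12:51 pollux postfix/smtpd[93330]: initializing the server-side TLS engine
Jun 12 22:12:51 pollux postfix/smtpd[93330]: connect from client-outside.example[203.0.113.10]
Jun 12 22:12:51 pollux postfix/smtpd[93330]: lost connection after EHLO from client-outside.example[203.0.113.10]
Jun 12 22:12:51 pollux postfix/smtpd[93330]: disconnect from client-outside.example[203.0.113.10]
Jun 12 22:15:13 pollux postfix/smtpd[93330]: connect from client-inside.example[192.0.2.20]
Jun 12 22:15:13 pollux postfix/smtpd[93330]: setting up TLS connection from client-inside.example[192.0.2.20]
Jun 12 22:15:13 pollux last message repeated 2 times
Jun 12 22:15:13 pollux postfix/smtpd[93330]: TLS connection established from client-inside.example[192.0.2.20]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jun 12 22:15:13 pollux postfix/smtpd[93330]: disconnect from client-inside.example[192.0.2.20]
"""


def parse_sessions(log_text):
    """Group smtpd lines into sessions keyed by smtpd pid.

    Returns a list of dicts: client, start, tls, lost_after_ehlo.
    """
    open_sessions = {}      # pid -> session currently between connect/disconnect
    sessions = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue        # other daemons, "last message repeated", etc.
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            open_sessions[pid] = {
                "client": msg[len("connect from "):],
                "start": m.group("ts"),
                "tls": False,
                "lost_after_ehlo": False,
            }
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue        # e.g. "initializing the server-side TLS engine"
        if msg.startswith("TLS connection established from "):
            sess["tls"] = True
        elif msg.startswith("lost connection after EHLO from "):
            sess["lost_after_ehlo"] = True
        elif msg.startswith("disconnect from "):
            sessions.append(open_sessions.pop(pid))
    return sessions


def suspect_starttls_stripping(sessions):
    """Clients whose sessions were lost after EHLO and never reached TLS."""
    return [s["client"] for s in sessions
            if s["lost_after_ehlo"] and not s["tls"]]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for s in parsed:
        print(s)
    print("suspects:", suspect_starttls_stripping(parsed))
```

Run it over a real mail log and compare the suspect list against the source networks: if every suspect shares one ingress path while clients on other paths negotiate TLS normally, the device on that path is the first place to look.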


 

by: 3nerds | Posted on 2009-06-12 at 13:15:13 | ID: 24615699

Do you have the same ports and protocols open in the ASA as you do in the PIX? Also I bet you are doing true NAT in your PIX.

3nerds

 

by: Nikolaj77 | Posted on 2009-06-12 at 13:19:04 | ID: 24615728

The firewall is set up to "Enable traffic through the firewall without address translation"...

That should explain the static translation.

 

by: Nikolaj77 | Posted on 2009-06-12 at 13:19:49 | ID: 24615737

Yes I do NAT in the PIX.

 

by: Nikolaj77 | Posted on 2009-06-12 at 13:25:32 | ID: 24615798

This is what I get in Outlook:


Task 'yyyyyy - Sending' reported error (0x800CCC7D) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'

I am just wondering if it could be my local Cisco router that somehow blocks TLS to the ASA in the datacenter?

The ASA is located within a datacenter and I am sitting at a remote office to the datacenter.

I will just login to the cisco 1811 router and take a look.

 

by: 3nerds | Posted on 2009-06-12 at 13:30:49 | ID: 24615844

Thanks for clarifying the no nat-control thing. I didn't see it in your config, and well, when you do that command it actually removes it from the config =)

Just out of curiosity why not just run all of this off the asa and simplify it? It wouldn't be bad to do and would most likely solve your problem.

Just curious.

Regards,

3nerds

 

by: 3nerds | Posted on 2009-06-12 at 13:41:19 | ID: 24615942

I am doing some testing on a PIX I have with 8.04 loaded, and when I attempt what you are doing I get errors.

Specifically: ERROR: Failed to apply IP address to interface Ethernet1, as the network overlaps with interface Ethernet0. Two interfaces cannot be in the same subnet

So are your inside and outside on different subnets? This would seem odd seeing that you're NATing the same address inside as outside.

3nerds

 

by: Nikolaj77 | Posted on 2009-06-12 at 13:46:01 | ID: 24615997

Yes,

GigabitEthernet0/0 (the internet) is on one subnet and GigabitEthernet0/1 (inside, i.e. the dmz) is on another subnet.

 

by: Nikolaj77 | Posted on 2009-06-12 at 14:01:44 | ID: 24616144

Hi 3nerds,

You won't believe it. But the error was not in the ASA, it was in my Cisco 1811 which is in my office and through which I connect to the internet from the office.

The C1811 also had an inspection policy enabled for esmtp, and it was that policy that stripped out the TLS from the smtp traffic.

When I disabled the esmtp in my C1811 it worked.

Thank you VERY MUCH. :-) :-)

It is very good to have somebody like you to try out different things.

I will give you all the points for your assistance.

 

by: 3nerds | Posted on 2009-06-12 at 14:03:57 | ID: 24616157

Glad it worked

You had given me something to play with here in the lab.

Regards,

3nerds

 

by: Nikolaj77 | Posted on 2009-06-12 at 14:07:25 | ID: 24616173

Thanks again. :-)

Very best regards,

Nikolaj

 

by: Nikolaj77 | Posted on 2009-06-12 at 14:08:21 | ID: 31591664

3nerds was very helpful all along the way to resolution of this problem. Thanks 3nerds.
