Cisco ASA-5500 and POP3 issue

Cisco ASA-5505 and POP3 issue.

Just the facts:
-At certain times of the day, people cannot receive email from the ISP's POP3 server.
-The connection in Outlook is made, then it hangs as it starts to download email. One can see the number of emails that should be downloading, but it hangs (for example) at 903 B of 101 KB. Not everyone hangs at the same amount of bytes.
-They can send okay any time of the day.
-I can send/receive anytime to other POP3 servers on a different domain.
-I cannot receive from the ISP's POP3 server between ~7:45 AM to ~5:00 PM. The times vary by about 30 min for both the morning and afternoon.
-I can successfully receive email from the ISP's domain outside of those times, and it seems to "magically" begin to work.
-I believe that I have ruled out both the amount of people trying to connect (as people arrive or leave for the day) and any individual computer that gets turned on or off.
-Swapping the DNS name of the ISP's mail server for the IP of the ISP's mail server does not resolve the issue.

It gets worse:
-This issue appeared to start after installation of a new domain controller and ASA-5505 (Both happened on the same day)
-I can receive email from the ISP's mail server from outside the ASA anytime
-If I swap the ASA with a Linksys, the issue goes away
-If I connect to a mailbox from outside the ASA (using the only static IP assigned to us), then move the computer to inside the ASA (changing back to NAT'd IP), the computer successfully opens and closes a POP3 connection to the ISP's mail server --- as long as there is no mail.
-As soon as the person receives one email, the issue returns.
-It does not matter which mailbox or which computer I do this test with.

Capture from inside when successfully receiving:
6 5.503770 10.0.0.109 208.x.x.x TCP 1099 > pop3 [SYN] Seq=0 Len=0 MSS=1460
7 5.529176 208.x.x.x 10.0.0.109 TCP pop3 > 1099 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
8 5.529247 10.0.0.109 208.x.x.x TCP 1099 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
9 5.550051 208.x.x.x 10.0.0.109 POP Response: +OK Hello there.
10 5.550265 10.0.0.109 208.x.x.x POP Request: USER testuser
11 5.x0787 208.x.x.x 10.0.0.109 TCP pop3 > 1099 [ACK] Seq=19 Ack=15 Win=5840 Len=0
12 5.x1052 208.x.x.x 10.0.0.109 POP Response: +OK Password required.
13 5.x1241 10.0.0.109 208.x.x.x POP Request: PASS ***
14 5.631394 208.x.x.x 10.0.0.109 POP Response: +OK logged in.
15 5.631592 10.0.0.109 208.x.x.x POP Request: STAT
16 5.658310 208.x.x.x 10.0.0.109 POP Response: +OK 1 2494
17 5.658500 10.0.0.109 208.x.x.x POP Request: UIDL
18 5.678269 208.x.x.x 10.0.0.109 POP Response: +OK
19 5.678453 10.0.0.109 208.x.x.x POP Request: LIST
20 5.700992 208.x.x.x 10.0.0.109 POP Response: +OK POP3 clients that break here, they violate STD53.
21 5.703876 10.0.0.109 208.x.x.x POP Request: RETR 1
22 5.739949 208.x.x.x 10.0.0.109 POP Response: +OK 2494 octets follow.
23 5.747896 208.x.x.x 10.0.0.109 POP Continuation
24 5.748145 10.0.0.109 208.x.x.x TCP 1099 > pop3 [ACK] Seq=54 Ack=2x0 Win=65535 Len=0
25 5.768541 208.x.x.x 10.0.0.109 POP Continuation
26 5.792568 10.0.0.109 208.x.x.x POP Request: DELE 1
27 5.818550 208.x.x.x 10.0.0.109 POP Response: +OK Deleted.
28 5.818805 10.0.0.109 208.x.x.x POP Request: QUIT
29 5.838874 208.x.x.x 10.0.0.109 POP Response: +OK Bye-bye.
30 5.839069 10.0.0.109 208.x.x.x TCP 1099 > pop3 [FIN, ACK] Seq=68 Ack=2716 Win=65389 Len=0
31 5.840697 208.x.x.x 10.0.0.109 TCP pop3 > 1099 [FIN, ACK] Seq=2716 Ack=68 Win=5840 Len=0
32 5.840823 10.0.0.109 208.x.x.x TCP 1099 > pop3 [ACK] Seq=69 Ack=2717 Win=65389 Len=0
33 5.859062 208.x.x.x 10.0.0.109 TCP pop3 > 1099 [ACK] Seq=2717 Ack=69 Win=5840 Len=0

Capture from inside when unsuccessful at receiving email:
5 0.045816 208.x.x.x 10.0.0.109 POP Response: +OK Hello there.
6 0.046094 10.0.0.109 208.x.x.x POP Request: USER testuser
7 0.074890 208.x.x.x 10.0.0.109 TCP pop3 > 1235 [ACK] Seq=19 Ack=15 Win=5840 Len=0
8 0.075333 208.x.x.x 10.0.0.109 POP Response: +OK Password required.
9 0.075666 10.0.0.109 208.x.x.x POP Request: PASS ***
10 0.126187 208.x.x.x 10.0.0.109 POP Response: +OK logged in.
11 0.126533 10.0.0.109 208.x.x.x POP Request: STAT
12 0.154110 208.x.x.x 10.0.0.109 POP Response: +OK 1 20431
13 0.154344 10.0.0.109 208.x.x.x POP Request: UIDL
14 0.176011 208.x.x.x 10.0.0.109 POP Response: +OK
15 0.176222 10.0.0.109 208.x.x.x POP Request: LIST
16 0.204656 208.x.x.x 10.0.0.109 POP Response: +OK POP3 clients that break here, they violate STD53.
17 0.207363 10.0.0.109 208.x.x.x POP Request: RETR 1
18 0.243090 208.x.x.x 10.0.0.109 POP Response: +OK 20431 octets follow.
19 0.366507 10.0.0.109 208.x.x.x TCP 1235 > pop3 [ACK] Seq=54 Ack=1192 Win=65535 Len=0
20 2.194602 10.0.0.109 10.0.0.255 NBNS Name query NB NETINEL0<20>
21 135.667751 10.0.0.109 208.x.x.x TCP 1241 > pop3 [SYN] Seq=0 Len=0 MSS=1460
22 135.693173 208.x.x.x 10.0.0.109 TCP pop3 > 1241 [SYN, ACK] Seq=0 Ack=1 Win=0 Len=0
23 135.693321 10.0.0.109 208.x.x.x TCP 1241 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
24 135.712765 208.x.x.x 10.0.0.109 TCP [TCP Window Update] pop3 > 1241 [ACK] Seq=1 Ack=1 Win=8192 Len=0

ASA config:

hostname host
domain-name domain.dns
passwd *
enable password *
names
name 10.0.0.0 Anetwork
name 10.0.0.240 Aserver
name 10.0.0.222 Bserver
name 208.x.x.x WAN_IP
name 10.0.0.100 LAN_IP
name 10.0.1.0 VPNnetwork
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address LAN_IP 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address WAN_IP 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec This system is for authorized users only.  Sessions may be monitored.
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name domain.dns
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list no_nat extended permit ip Anetwork 255.255.255.0 VPNnetwork 255.255.255.0
access-list split_tunnel standard permit Anetwork 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging trap notifications
logging asdm informational
logging mail critical
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.0.1.100-10.0.1.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 Anetwork 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
aaa-server Radius host Aserver
 timeout 5
 key *
group-policy GroupVPN internal
group-policy GroupVPN attributes
 dns-server value 10.0.0.240
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value domain.dns
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http Anetwork 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set nonAAAset esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set nonAAAset
crypto dynamic-map dyn1 1 set reverse-route
crypto map nonAAAmap 1 ipsec-isakmp dynamic dyn1
crypto map nonAAAmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group nonAAAgroup type ipsec-ra
tunnel-group nonAAAgroup general-attributes
 address-pool vpnpool
 authentication-server-group Radius
 default-group-policy GroupVPN
tunnel-group nonAAAgroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh Anetwork 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Asked by: rockjockb
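Reading the two captures side by side: the client offers MSS=1460 in its SYN and the SYN-ACK it sees carries MSS=1380, which is the ASA rewriting the MSS during the handshake (1380 is its default `sysopt connection tcpmss` value, and no such line appears in the posted config). The handshake, USER/PASS, STAT and RETR all succeed in both sessions. The working session then pulls a 2494-octet message to completion; the hanging one announces 20431 octets, the client acknowledges up to byte 1192, and nothing further arrives for about 135 seconds until Outlook opens a fresh connection. Commands getting through while bulk data never arrives is the shape you get when the firewall silently discards the server's larger data segments, which is what the `exceed-mss allow` tcp-map posted at the end of the thread addresses. The script below is an added example and not part of the original post: it parses Wireshark summary lines like the ones above (the embedded samples are copied from the captures in the question, garbled timestamps included, and are constructed test input) and reports the negotiated MSS values, the announced message size against the last byte the client acknowledged, and whether the session completed or stalled. The field names, the `stall_gap` threshold and the verdict strings are my own.

```python
import re

# Wireshark summary lines copied from the two captures in the question
# (constructed test input for this example). The working capture keeps the
# page's garbled timestamps ("5.x0787") so the parser's tolerance is exercised.
CAPTURE_OK = """\
6 5.503770 10.0.0.109 208.x.x.x TCP 1099 > pop3 [SYN] Seq=0 Len=0 MSS=1460
7 5.529176 208.x.x.x 10.0.0.109 TCP pop3 > 1099 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380
8 5.529247 10.0.0.109 208.x.x.x TCP 1099 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
9 5.550051 208.x.x.x 10.0.0.109 POP Response: +OK Hello there.
11 5.x0787 208.x.x.x 10.0.0.109 TCP pop3 > 1099 [ACK] Seq=19 Ack=15 Win=5840 Len=0
15 5.631592 10.0.0.109 208.x.x.x POP Request: STAT
16 5.658310 208.x.x.x 10.0.0.109 POP Response: +OK 1 2494
21 5.703876 10.0.0.109 208.x.x.x POP Request: RETR 1
22 5.739949 208.x.x.x 10.0.0.109 POP Response: +OK 2494 octets follow.
23 5.747896 208.x.x.x 10.0.0.109 POP Continuation
24 5.748145 10.0.0.109 208.x.x.x TCP 1099 > pop3 [ACK] Seq=54 Ack=2x0 Win=65535 Len=0
25 5.768541 208.x.x.x 10.0.0.109 POP Continuation
26 5.792568 10.0.0.109 208.x.x.x POP Request: DELE 1
28 5.818805 10.0.0.109 208.x.x.x POP Request: QUIT
29 5.838874 208.x.x.x 10.0.0.109 POP Response: +OK Bye-bye.
30 5.839069 10.0.0.109 208.x.x.x TCP 1099 > pop3 [FIN, ACK] Seq=68 Ack=2716 Win=65389 Len=0
32 5.840823 10.0.0.109 208.x.x.x TCP 1099 > pop3 [ACK] Seq=69 Ack=2717 Win=65389 Len=0
"""
CAPTURE_FAIL = """\
5 0.045816 208.x.x.x 10.0.0.109 POP Response: +OK Hello there.
11 0.126533 10.0.0.109 208.x.x.x POP Request: STAT
12 0.154110 208.x.x.x 10.0.0.109 POP Response: +OK 1 20431
17 0.207363 10.0.0.109 208.x.x.x POP Request: RETR 1
18 0.243090 208.x.x.x 10.0.0.109 POP Response: +OK 20431 octets follow.
19 0.366507 10.0.0.109 208.x.x.x TCP 1235 > pop3 [ACK] Seq=54 Ack=1192 Win=65535 Len=0
20 2.194602 10.0.0.109 10.0.0.255 NBNS Name query NB NETINEL0<20>
21 135.667751 10.0.0.109 208.x.x.x TCP 1241 > pop3 [SYN] Seq=0 Len=0 MSS=1460
22 135.693173 208.x.x.x 10.0.0.109 TCP pop3 > 1241 [SYN, ACK] Seq=0 Ack=1 Win=0 Len=0
23 135.693321 10.0.0.109 208.x.x.x TCP 1241 > pop3 [ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

# no  time  src  dst  proto  info
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse(text):
    """Turn summary lines into dicts; a timestamp that will not parse becomes None."""
    pkts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        no, t, src, dst, proto, info = m.groups()
        try:
            t = float(t)
        except ValueError:  # e.g. the garbled "5.x0787" lines
            t = None
        pkts.append({"no": int(no), "time": t, "src": src, "dst": dst, "proto": proto, "info": info})
    return pkts


def field(info, name):
    """Read a numeric 'Name=123' field; a garbled value such as 'Ack=2x0' yields None."""
    m = re.search(rf"\b{name}=(\d+)(?!\S)", info)
    return int(m.group(1)) if m else None


def analyze(text, client, server, stall_gap=30.0):
    """Summarise one POP3 session between client and server from summary lines."""
    r = {"client_mss": None, "server_mss": None, "announced_octets": None,
         "client_ack_after_retr": None, "quit_seen": False, "retry_syn": False, "max_gap": 0.0}
    retr_seen, last_t = False, None
    for p in parse(text):
        up = p["src"] == client and p["dst"] == server
        down = p["src"] == server and p["dst"] == client
        if not (up or down):
            continue  # unrelated traffic such as the NBNS broadcast
        if p["time"] is not None:
            if last_t is not None:
                r["max_gap"] = max(r["max_gap"], p["time"] - last_t)
            last_t = p["time"]
        info = p["info"]
        if up and "[SYN]" in info:
            r["client_mss"] = field(info, "MSS")
            r["retry_syn"] = r["retry_syn"] or retr_seen  # a new SYN after RETR is Outlook retrying
        elif down and "[SYN, ACK]" in info:
            r["server_mss"] = field(info, "MSS")  # as seen by the client, i.e. after any rewrite
        elif down and "octets follow" in info:
            r["announced_octets"] = int(re.search(r"\+OK (\d+) octets", info).group(1))
            retr_seen = True
        elif up and retr_seen and not r["retry_syn"]:
            ack = field(info, "Ack")
            if ack is not None:
                r["client_ack_after_retr"] = ack  # highest server byte the client has acknowledged
            r["quit_seen"] = r["quit_seen"] or info.endswith("QUIT")
    r["mss_clamped"] = (r["client_mss"] is not None and r["server_mss"] is not None
                        and r["server_mss"] < r["client_mss"])
    if r["quit_seen"]:
        r["verdict"] = "completed"
    elif r["retry_syn"] or r["max_gap"] >= stall_gap:
        r["verdict"] = "stalled after RETR"
    else:
        r["verdict"] = "inconclusive"
    return r


if __name__ == "__main__":
    for label, cap in (("working", CAPTURE_OK), ("hanging", CAPTURE_FAIL)):
        print(label, analyze(cap, "10.0.0.109", "208.x.x.x"))
```

Before changing the normaliser on a production box, confirm the theory on the ASA itself: the `tcp-mss-exceeded` reason in `show asp drop` should be climbing while a download hangs, and syslog message 419001 (MSS exceeded) names the flow it happened on; with `logging trap notifications` as in the posted config, that warning-level message would already be reaching the syslog server.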
1 Solution

Jim_Coyne commented:
Try this:

pixfirewall#config t
pixfirewall(config)#policy-map global_policy
pixfirewall(config-pmap)#class inspection_default
pixfirewall(config-pmap-c)#no inspect esmtp
pixfirewall(config-pmap-c)#exit
pixfirewall(config-pmap)# exit
pixfirewall(config)#exit
pixfirewall#write mem
rockjockb (author) commented:
Sorry it took me awhile to get back. Just came back to the client that is having this issue.

Thanks Jim, for the response, but it didn't work.

Another twist. If I choose to download only the headers, it will get the headers for all of the waiting emails. As soon as I mark one for download, then attempt to download it, it hangs.
rockjockb (author) commented:
Upped the version to latest and changed the MTU (not at the same time).

Neither fixed the issue.
rockjockb (author) commented:
Upping points to 500.

I'm starting to guess that there is no solution. If there is no response within a week, I will have to withdraw the question.
rockjockb (author) commented:
In case anyone runs across this and has the same issue, I have pasted the fix that I finally got from Cisco below. I couldn't believe that it worked, but it did.

lab-pix(config t)# access-list http-list permit tcp any any
lab-pix(config t)# class-map http-map
lab-pix(config-cmap)# match access-list http-list
lab-pix(config-cmap)# exit
lab-pix(config t)# tcp-map mss-map
lab-pix(config-tcp-map)# exceed-mss allow
lab-pix(config-tcp-map)# exit
lab-pix(config t)# policy-map global_policy
lab-pix(config-pmap)#class http-map
lab-pix(config-pmap-c)#set connection advanced-options mss-map
lab-pix(config-pmap-c)#exit
lab-pix(config-pmap)#exit
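Two points in this thread deserve a check before the ticket is closed. The posted config contains `ssh 0.0.0.0 0.0.0.0 outside`, which exposes SSH management to every address on the Internet with only `aaa authentication ssh console Radius LOCAL` in front of it; and the Cisco-supplied fix matches `access-list http-list permit tcp any any`, so `exceed-mss allow` switches the normaliser's MSS check off for every TCP flow through the box rather than only for the mail server's port. The audit script below is an added example written for this page, not Cisco tooling and not anything the poster ran. It parses a constructed excerpt of the posted config with the fix appended, and reports those two findings together with the stale `http 192.168.1.0 255.255.255.0 inside` entry (a factory-default line that cannot match anything on the 10.0.0.0/24 inside subnet) and the absence of `sysopt connection tcpmss` (so the ASA's default clamp of 1380 applies, which is the MSS the SYN-ACK in the capture shows). Severity labels, finding codes and the `parse_blocks`/`audit` names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the question, with the tcp-map
# from the Cisco-supplied fix appended as it would appear in the running config.
ASA_CONFIG = """\
name 10.0.0.0 Anetwork
name 208.x.x.x WAN_IP
name 10.0.0.100 LAN_IP
interface Vlan1
 nameif inside
 security-level 100
 ip address LAN_IP 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address WAN_IP 255.255.255.0
access-list http-list permit tcp any any
http 192.168.1.0 255.255.255.0 inside
http Anetwork 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
class-map http-map
 match access-list http-list
tcp-map mss-map
 exceed-mss allow
policy-map global_policy
 class http-map
  set connection advanced-options mss-map
"""


def parse_blocks(text):
    """Return (path, line) pairs; path holds the enclosing block headers, using
    the ASA convention that each leading space is one nesting level."""
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        stack = stack[:len(raw) - len(raw.lstrip(" "))]
        out.append((tuple(stack), line))
        stack.append(line)
    return out


def _network(addr, mask):
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:  # redacted values such as 208.x.x.x
        return None


def audit(text):
    """Return (severity, code, detail) findings; codes and severities are mine."""
    blocks = parse_blocks(text)
    names = {l.split()[2]: l.split()[1] for _, l in blocks if l.startswith("name ")}
    ifaces = {}
    for path, line in blocks:
        if path and path[0].startswith("interface "):
            cur, tok = ifaces.setdefault(path[0], {}), line.split()
            if tok[0] == "nameif":
                cur["nameif"] = tok[1]
            elif tok[0] == "security-level":
                cur["sec"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["net"] = _network(names.get(tok[2], tok[2]), tok[3])
    by_name = {i["nameif"]: i for i in ifaces.values() if "nameif" in i}
    findings = []
    # Management plane: "ssh|http <net> <mask> <interface>" lines at top level.
    for path, line in blocks:
        m = re.match(r"(ssh|http) (\S+) (\S+) (\S+)$", line)
        if not m or path:
            continue
        svc, addr, mask, ifname = m.groups()
        iface, src = by_name.get(ifname, {}), _network(names.get(addr, addr), mask)
        if src is None:
            continue
        if src.prefixlen == 0 and iface.get("sec") == 0:
            findings.append(("HIGH", f"{svc}-open-on-{ifname}", line))
        elif iface.get("net") is not None and not src.overlaps(iface["net"]):
            findings.append(("LOW", f"{svc}-source-not-on-{ifname}", line))
    # MSS handling: the default clamp, and how widely "exceed-mss allow" is applied.
    if not any(l.startswith("sysopt connection tcpmss") for _, l in blocks):
        findings.append(("INFO", "tcpmss-default",
                         "no sysopt connection tcpmss: ASA clamps TCP MSS to 1380 by default"))
    allow_maps = {p[0].split()[1] for p, l in blocks
                  if p and p[0].startswith("tcp-map ") and l == "exceed-mss allow"}
    class_acl = {p[0].split()[1]: l.split()[2] for p, l in blocks
                 if p and p[0].startswith("class-map ") and l.startswith("match access-list ")}
    acls = {}
    for _, l in blocks:
        m = re.match(r"access-list (\S+) (?:extended )?permit (\S+) (.*)$", l)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for p, l in blocks:
        m = re.match(r"set connection advanced-options (\S+)$", l)
        if m and m.group(1) in allow_maps and len(p) == 2 and p[1].startswith("class "):
            cls = p[1].split()[1]
            acl = class_acl.get(cls)
            broad = [r for proto, r in acls.get(acl, [])
                     if proto == "tcp" and not re.search(r"\b(eq|range)\b", r)]
            if broad:
                findings.append(("MEDIUM", "exceed-mss-allow-all-tcp",
                                 f"{m.group(1)} via class {cls}/{acl} disables the MSS check for "
                                 f"all TCP; match only the mail port (e.g. tcp any any eq pop3)"))
    return findings


if __name__ == "__main__":
    for sev, code, detail in audit(ASA_CONFIG):
        print(f"{sev:6} {code:28} {detail}")
```

Narrowing the fix is a one-line change to the access-list the class matches (`permit tcp any any eq pop3`, or the mail server's address and port), which keeps the normaliser's MSS check in force for everything else; the SSH exposure is fixed by replacing the `0.0.0.0 0.0.0.0 outside` entry with the specific management source, or by reaching the box over the existing VPN instead.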
