Cisco Firewall :: ASA 8.4x ESMTP Inspection Bug CSCtr92976

Aug 9, 2012

We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same.  I have an Exchange 2007 server and I can see in the logs the following messages:

2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand, 2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,

This is with the default ESMTP inspection enabled.  I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same.  Sometimes traffic will pass but most of the time it won't.  The workaround is to just disable the ESMTP inspection.

View 2 Replies


ADVERTISEMENT

Cisco Firewall :: ASA5512-X Outbound Email With ESMTP Inspection Disabled

Jan 14, 2013

I have a client that is running an ASA5512-X.  When I initially installed it, they were having issues sending out emails.  I disabled ESMTP inspection and thought it resolved the issue.  Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue.  If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout. 
 
I am not sure why this would happen since ESMTP is disabled.  They are running 8.6(1) on the ASA.

View 5 Replies View Related

Cisco Firewall :: ASA5510 ESMTP Inspection Stopping Outbound Mail

Jun 13, 2011

I am having an issue with an ASA 5510, running 8.4(1) code, causing outbound mail to remain in the SMTP server queue (Exchange 2007). This only happens with some remote mail servers. The connection usually ends with the remote server eventually sending a TCP reset.
 
I've taken multiple inside and outside packet traces.Other trace's contain either X's preceding various sections of the stream content or all X's in the content. The X's only appear when inspection is enabled.
 
Disabling inspection is the only thing that seems to allow mail to flow. I find this curious because I'm running this same ESMTP policy on other ASA's. However, they are on 8.3 code.
 
Most everything I find when searching on this subject says to disable ESMTP inspection. [code]

View 4 Replies View Related

Cisco Firewall :: ASA 5520 - ESMTP Connection Dropped

May 30, 2013

We are working with an ASA 5520 and it seems there is an issue with some email messages sent throught it. When there are many recipients in the emails the email messages are not sent, and I have revised the server an the only thing I see is connecting dropped. When I went to see ASA log and see this log report: ESMTP Classification: Dropped connection for ESMTP Request from 'interface': servername/portnumber to outside: IP address/25; matched Class 2: cmd RCPT count gt 100 tcp flow from interface:servername/portnumber to outside: IP address/25 terminated by inspection engine, reason - inspector disconnected, dropped packet. So I think there should be an inspection of ESMTP packets and if they detect an email message sent to over 100 addresses, then the packet is dropped, am I right? if so, what should I do to let those email messages be sent?

View 6 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - FTP Inspection

May 25, 2011

I have multiple customers and servers behind my ASA5510s.  After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server.  I had the default inspection rules running regarding FTP.  After removing the "inspect ftp" from the global policy their issues went away.  Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall.  I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers. 
 
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it.  Then I used the "exclude" option to exclude the new customer.  That new customer is fine and things are better, but still not working right.  Does the following config accomplish what I want??  Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
 
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
 
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
 
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)

View 3 Replies View Related

Cisco Firewall :: ASA 5520 / How To See / Log Drops Due To Inspection

Jan 29, 2013

ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs?  So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.

View 5 Replies View Related

Cisco Firewall :: How To Disable TLS Inspection For SIP On ASA5510

Jun 13, 2012

I am using the Cisco ASA5510 for my Telepresent infarstructure. I have a problem with Encrypted SIP calling for call in/out.
 
Is there is a way to disable the TLS inspection for Cisco ASA5510?

View 2 Replies View Related

Cisco Firewall :: RFC2671 / Default ASA DNS Inspection

Sep 21, 2011

By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
 
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
 
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?

View 3 Replies View Related

Cisco Firewall :: HTTP Inspection On ASA 5505

May 3, 2011

let me know how to enable HTTP inspection in ASA 5505 through ASDM.

View 1 Replies View Related

Cisco Firewall :: No Class Inspection Default On 5505?

May 9, 2012

I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
 
Example 
policy-map global_policy
class inspection_default
inspect dns preset_dns_map

[Code]......
 
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?

View 2 Replies View Related

Cisco Firewall :: Default FWSM 4.1 Inspection Policy

Jan 10, 2011

On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
 
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.

View 9 Replies View Related

Cisco Firewall :: ASA 5520 SIP Inspection Process Is Not Working?

Jul 16, 2009

I have an issue with Cisco ASA 5520, The summary is below!
 
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@10.7.100.1
 Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection.
 Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 
Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
 
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.

View 2 Replies View Related

Cisco Firewall :: ASA5580-40 Deep Packet Inspection?

Jan 18, 2012

I am having issues with PXE boot images for PCs cannot be loaded from remotely.The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets.So I excluded these two inspections for the particular server behind the firewall. It seem to resolve the issue for instance but it crawled back again.
 
Is there a way that the inspection can be turned off for that particular server at the IP level?

View 1 Replies View Related

Cisco Firewall :: ASA 5505 / Skinny Inspection Closes Connection

Dec 31, 2011

I have a branch office set up were all traffic goes back to the core, iincluding internet acces.
 
It has been working fine for a year, but recently I have started to see the firewalls Asa 5505 closing the connection and stopping the phone from answering the calls.
 
I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to registered.
 
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
 
 My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?
 
It's turned on my 5 other branches.How can I debug why the skinny inspection is closing the connection?As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?

View 1 Replies View Related

Cisco Firewall :: 2821 - ZBF - Inspection Slows Down HTTP Downloads

Mar 8, 2011

I Have a 2821 Router with a IOS Version 12.4(13r)T. When i enabled the firewall, my download speed slows down to 10-20kbps (the normal is 5-6 Mbps).

View 11 Replies View Related

Cisco Firewall :: ASA 5520 - Inspection Of MSSQL Dynamic Port

Jun 5, 2012

I need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
 
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
 
But, I would like to add mssql inspection and I did the next:
 
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect ip-options   inspect netbios   inspect rsh   inspect rtsp   inspect skinny    inspect esmtp   inspect sqlnet   inspect sunrpc   inspect tftp   inspect sip    inspect xdmcp class class_sqlnet  inspect sqlnet service-policy global_policy global
[Code] ..........

View 1 Replies View Related

Cisco Firewall :: 871 / 2811 / 1841 - ZBFW Default Inspection Specification

May 6, 2011

I can't find any specific information on the implementation of packet inspection in a zone based policy firewall.  In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols?  With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements.  Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc.  The IOS in use in most cases is adventerprisek9-mz.151-3.T.

View 4 Replies View Related

Cisco Firewall :: ASA 5520 Default Inspection Engine Dropping Connections

May 25, 2011

I currently have the default inspection engine configured in my firewall to inspect http traffic.  I noticed that the ASA will drop packets when visting legitimate websites.  I've tried googling for a workaround but have been unsucsselful.  How can I exclude some websites or IP's from being affected by the inspection engine?

View 1 Replies View Related

Cisco Firewall :: ASA 5520 CSC Module Per Subnet / IP Group Inspection Profile

Sep 7, 2011

verify if the ASA 5520 CSC module way of applying security policy (http, smtp, pop3, etc.) is per network/subnet or group of users? Based on my understanding through reading, web and email protection profile/config is global. It will be the same to every network user that is redirected via service-policy config on the ASA.
 
Scenario: I have two VLAN, guest and employee. Of course guest and employee have different web filter profile. Can i configure it such that guest web-filter profile is not just strict while employee's access is limited only to productive internet sites.

View 5 Replies View Related

Cisco Firewall :: Trace-route Through ASA 8.2 Is Not Working When ICMP Error Inspection

Jun 6, 2011

I have problem with icmp traceroute configuration. When I enabling icmp error inspection in global policy, my traceroute results through ASA 8.2.4 looks like this: My traceroute  [v0.75]
                                                    
icmp inspection and ttl decrement on ASA is enabled. Also I configured ACL on outside interface to permit ICMP completely.

View 14 Replies View Related

Cisco Firewall :: ASA 5500 - HTTP Inspection Spoof Server String

Aug 11, 2011

I'm looking fot a way to do static URL blocking with ASA and when the URL is blocked present a "Web Page" to the user saying that it's been blocked.

So, i was wondering if i can use the http parameter "spoof server string" to replace the original URL sent by the user for another URL that points to an internal web server holding a basic page saying "Your URL request has been blocked".
 
The point is to have a way to tell users that the page they are trying to browse is blocked by a policy.

View 1 Replies View Related

Cisco Firewall :: ASA 5520 Removed Icmp Inspection From Default Policy-map

May 10, 2012

i have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
 
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply

View 1 Replies View Related

Cisco Firewall :: IP Phone 7961 - Inspection Rule Activated And Call Works

Jun 23, 2011

I got a problem yesterday with a customer that says that the calls from a CISCO IP Phone 7961 to an Alcatel 4018 IP Touch didn't work, well the phone rings but there's no voice; I manage a CISCO ASA version 8.2(1) and I was checking the Inspection Rules in the Service Policy Rules section and when you open the inspection_default at the Rule Actions tab I find that the H.323 H.225 and H.323 RAS box wasn't checked so I ask to the customer to made a test and the same problem happen so I checked both box and again ask to the customer for a test and it works.
 
I was talking to a partner and he said that maybe this Inspect fix some signaling parameters of this protocol that can't work fine behind of a firewall.

View 1 Replies View Related

Cisco :: Why ESMTP Corrupts Emails So Badly From Exchange Server

Mar 18, 2011

since upgrading to 8.4(1) on our ASA 5520 I've had nothing but issues with our email server not being able to send out emails (timeouts,corruption, etc) and tried everything and then it dawned on me to turn off ESMTP inspection on the ASA's.Since I've down that our Exchange server SMTP works perfectly again.Why is it that ESMTP corrupts emails so badly from exchange server? (ours is a 2010 sp1)does anyone actually use ESMTP inspection at all?

View 3 Replies View Related

Cisco Firewall :: ASA 5505 - Http Inspection Dropping All Http Traffic

May 9, 2012

I am testing out some inspection options on an ASA 5505, and I am running into a situation in which applying a http inspection is dropping all outbound http traffic. I get a "protocol violation" error in the logs.
 
Here is the setup: I'm not sure why the web traffic is getting dropped.
 
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto

[Code].....

View 2 Replies View Related

Cisco :: ASA ICMP Inspection Not Working?

Jan 31, 2012

More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside.I used to go in, enable the inspections and subsequent trace route's worked. Now when this is enabled, the firewall still blocks return trace route.

View 4 Replies View Related

Cisco :: Asa Dns Inspection Can See Alot Of Dns Drops

Jul 8, 2011

We have ASA 5580 with multiple context in our company. On the one of the context (where the DNS servers are located) i can see a lot of DNS drops.

View 1 Replies View Related

Cisco :: Monitor Inspection Load IPS ASA-SSM-20

Sep 22, 2011

I am aware there is a feature request but don't see any updates.  Taking the chance here that its fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS.  We are currently running 7.0(5a)E4.  I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.

View 1 Replies View Related

Cisco WAN :: ASR1002 - Inspection Of ACL Hits

Aug 17, 2011

I'm aware ACL's are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
 
Using LOG is not possible due to the large number of hits.

View 2 Replies View Related

Cisco :: HTTP Inspection URL Filtering On An ASA 5505?

Jan 12, 2011

Im trying to configure HTTP Inpsection with regex matching on a ASA 5505 (8.2) so that I can deny all websites apart from google and yahoo. And also enclude host 192.168.1.2 from this inspection. I have been through a number of examples and the syntax below appears correct but appears not to work. The logs report only that traffic has been dropped by the inspection policy.

View 11 Replies View Related

Cisco Switching/Routing :: ARP Inspection On SF-300 Switch

Aug 20, 2012

I have an SF-300-24 port switch and am having an issue. When a device says "Who has 192.168.0.1" (which is the default gateway) two devices are replying in the affirmative, and therefor the MAC address table is getting screwed up.  I know the correct MAC address of 192.168.0.1 is 00:1b:21:95:02:b0, so how do I tell the router to disgard any packets that say otherwise?   I tried to figure out DHCP snooping and IP source guard, and ARP Inspection, but I am not getting anywhere and keep losing connectivity to the switch.  
 
Obviously a device on the network is misconfigured, unfortunately it is a large wireless network and the misconfigured device is 30 miles away on the top of a mountain.   I am hoping to bandaid it locally and then eventually go out and fix the offending equipment.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved