Velocity Reviews - Computer Hardware Reviews

My Cisco ASA is mangling legitimate SMTP traffic

 
 
Ramon F Herrera
06-05-2007

I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
SMTP traffic. Additionally, I have a rule that permits any traffic from
the mail server to the Internet.

My problem is that the firewall is behaving like a wise guy,
distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
followed by a sequential alphabetic letter.

Let's examine the dialogs telnetting from server A to B, and then from
server B to A.

The following lines:

EHLO abc.com
250-postino.example.com Hello www.example.com [12.34.56.78], pleased
to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP

are transliterated into:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXA
250-XXXB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-XXXXXXXXC
250 XXXD

While in the opposite direction the regular dialog:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

Becomes mutated into:
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-XXXXXXXXA
250 XXXB

What is going on here?

Suggestions?

-Ramon

Ramon F Herrera
06-05-2007
On Jun 5, 6:04 pm, Grant Taylor <(E-Mail Removed)> wrote:
> On 6/5/2007 4:18 PM, Ramon F Herrera wrote:
>
> > I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
> > SMTP traffic. Additionally, I have a rule that permits any traffic
> > from the mail server to the Internet.

>
> I doubt that I even need to read the rest...
>
> > My problem is that the firewall is behaving like a wise guy,
> > distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
> > followed by a sequential alphabetic letter.

>
> Not owning or even working on one of these devices, I can't say for
> sure, but...
>
> > What is going on here?

>
> Cisco is happening to you.
>
> > Suggestions?

>
> ... Others have said "Turn *OFF* SMTP fix up". Apparently, this is a
> VERY common problem. Probably enough so that it should be part of the FAQ.
>
> Grant. . . .



Yeap, the problem was in this section:

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp <-- This line is dangerous!
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp

I removed the `inspect esmtp' line and the problem disappeared. I
wonder what else is being broken by those "fixups".

Thanks!

-Ramon


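Added example (not code from the thread or from Cisco): a small Python check, using constructed replies modelled on the first dialog Ramon quoted, that parses the 250 lines of an EHLO reply, flags the X-plus-letter placeholders that "inspect esmtp" leaves behind, and aligns each placeholder with the extension it hid in the clean reply. It covers both the mangled dialogs in the first post and the "inspect esmtp" line identified above.

```python
import re

# Constructed samples modelled on the first dialog in the thread: the extension lines the
# mail server really sends, and what arrives after "inspect esmtp" has rewritten them.
CLEAN = """250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP"""

MANGLED = """250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXA
250-XXXB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-XXXXXXXXC
250 XXXD"""

LINE_RE = re.compile(r"^250[ -](\S+)")  # '250-' or final '250 ' followed by the keyword
MASK_RE = re.compile(r"^X+[A-Z]$")       # run of X's plus one sequence letter: XXXA, XXXXXXXXC

def parse_ehlo(reply: str) -> list[str]:
    """Return the keyword (first token) of every 250 extension line, in order."""
    matches = [LINE_RE.match(line) for line in reply.splitlines()]
    if not all(matches):
        raise ValueError("reply contains a line that is not a 250 extension line")
    return [m.group(1) for m in matches]

def masked_keywords(reply: str) -> list[str]:
    """Keywords that look like firewall placeholders rather than real extensions."""
    return [kw for kw in parse_ehlo(reply) if MASK_RE.match(kw)]

def match_masked(clean: list[str], mangled: list[str]) -> dict[str, str]:
    """Map each placeholder in the firewalled reply to the keyword it replaced. The samples
    show the placeholder keeps the original's position and length, so that is what is checked."""
    if len(clean) != len(mangled):
        raise ValueError("replies differ in line count; cannot align")
    for orig, seen in zip(clean, mangled):
        if orig != seen and (not MASK_RE.match(seen) or len(seen) != len(orig)):
            raise ValueError(f"unexpected rewrite {orig!r} -> {seen!r}")
    return {seen: orig for orig, seen in zip(clean, mangled) if orig != seen}
```

Capturing the same EHLO reply from inside and outside the firewall and feeding both to match_masked is a quick way to confirm that the inspection engine, not the mail server, is doing the rewriting.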
Doug McIntyre
06-06-2007
Ramon F Herrera <(E-Mail Removed)> writes:
> inspect esmtp <-- This line is dangerous!


>I removed the `inspect esmtp' line and the problem disappeared. I
>wonder what else is being broken by those "fixups".


The PIX/ASA has always been a bit wonky breaking SMTP left and right
when fixup smtp has been enabled. I'm not quite sure what they are
protecting isn't doing more harm than good. I don't see many PIXs my
way that ever have fixup smtp (or now fixup esmtp) turned on.

 
Bill Cole
06-06-2007
In article <(E-Mail Removed) .com>,
Ramon F Herrera <(E-Mail Removed)> wrote:

> I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
> SMTP traffic. Additionally, I have a rule that permits any traffic from
> the mail server to the Internet.
>
> My problem is that the firewall is behaving like a wise guy,
> distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
> followed by a sequential alphabetic letter.


Turn off SMTP 'fixup' on your misdesigned firewall.

Cisco does stupid stuff to SMTP. They cannot be trusted to handle your
mail, as they have years of track record showing that they do not
understand the protocol and have spent years telling their unfortunate
customers that what they do is some sort of fix. They have lied to you.

Consult your documentation or call Cisco to ask how to solve your
problem. It is NOT a Sendmail issue.

--
Now where did I hide that website...
 
Wolfgang Kueter
06-06-2007
Doug McIntyre wrote:

> Ramon F Herrera <(E-Mail Removed)> writes:
>> inspect esmtp <-- This line is dangerous!

>
>>I removed the `inspect esmtp' line and the problem disappeared. I
>>wonder what else is being broken by those "fixups".

>
> The PIX/ASA has always been a bit wonky breaking SMTP left and right
> when fixup smtp has been enabled. I'm not quite sure what they are
> protecting isn't doing more harm than good. I don't see many PIXs my
> way that ever have fixup smtp (or now fixup esmtp) turned on.


It has been known for years that the `fixup protocol smtp' command in fact
means fu**up protocol smtp.

Switching that option off is among the first things to do when configuring a
PIX.

Wolfgang


 
Tilman Schmidt
06-06-2007
Ramon F Herrera wrote:
> Yeap, the problem was in this section:
>
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp <-- This line is dangerous!
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> inspect icmp
>
> I removed the `inspect esmtp' line and the problem disappeared. I
> wonder what else is being broken by those "fixups".


For example:
- We are deploying H.323 based videoconferencing and Cisco's H323 "fixup"
wreaks havoc with that, too.
- We regularly see trouble with the default "fixup protocol dns maximum-length 512"
which is way too small.

--
Tilman Schmidt (E-Mail Removed)
Phoenix Software GmbH www.phoenixsoftware.de
Adolf-Hombitzer-Str. 12 Amtsgericht Bonn HRB 2934
53227 Bonn, Germany Managing Director: W. Grießl
 
NPG
06-06-2007
* Bill Cole wrote:
> In article <(E-Mail Removed) .com>,
> Ramon F Herrera <(E-Mail Removed)> wrote:
>
>> I set up my ASA-5520 (PIX) with the obvious rule to allow incoming
>> SMTP traffic. Additionally, I have a rule that permits any traffic from
>> the mail server to the Internet.
>>
>> My problem is that the firewall is behaving like a wise guy,
>> distorting SMTP dialogs, by replacing some lines with a bunch of Xs,
>> followed by a sequential alphabetic letter.

>
> Turn off SMTP 'fixup' on your misdesigned firewall.
>
> Cisco does stupid stuff to SMTP. They cannot be trusted to handle your
> mail, as they have years of track record showing that they do not
> understand the protocol and have spent years telling their unfortunate
> customers that what they do is some sort of fix. They have lied to you.
>
> Consult your documentation or call Cisco to ask how to solve your
> problem. It is NOT a Sendmail issue.
>

Yep, Shisco happens.