Cisco ASA 5510 ESMTP Inspection

Tags: cisco, cisco-asa

I have an ASA 5510 (8.3(2)).

2 interfaces:

1. NGCC, Security Level 20, one host with IP 1.2.3.4: Microsoft ESMTP MAIL Service, Version 8.5.9600.16384, on port 25
2. DMZ, Security Level 20, one host with IP 5.6.7.8: Postfix 2.6.6, on port 25

ESMTP Inspection is enabled (global_policy/inspection_default)

Trying to connect from a network with Security Level 50 using telnet 5.6.7.8 25 shows me the SMTP banner and I can use e.g. EHLO/HELO without problems.

telnet 1.2.3.4 25 gives me the 220 **** banner and only 500 5.3.3 replies regardless of the command I send, until I disable ESMTP Inspection; then telnet 1.2.3.4 25 works fine.

The network I'm connecting from does not have any ACLs or NAT rules towards either destination network.

What am I missing? Why is this working on one interface but not on the other?

Thanks.

Best Answer

Everything being done by the ESMTP inspection is related to the information being exchanged between hosts. It is not related to NAT, ACLs, IPs or interfaces the client and server reside on with one exception: One of the interfaces the traffic is traversing has the inspection rule turned on or it is globally turned on for all interfaces.

The information being sent between hosts will be modified if it doesn't match the criteria the ASA expects or if it sends information the ASA wants to mask between parties.

More info can be found in the config guide.

Reason for 220 Banner Modification

Another security feature used by these devices is SMTP banner modification. In order to hide the type and version of the protected mail server, some devices will obscure all but the 220 portion of the banner that is required for communication. The banner will often appear similar to: 220*************

Part of the information being hidden is the ESMTP advertisement in the banner. When this advertisement is removed, a sending server will not be aware that ESMTP commands are accepted.

Source

You can also disable just the banner modification.

policy-map type inspect esmtp new_esmtp_inspect_map
  parameters
    no mask-banner

policy-map global-policy
  class class-default
    inspect esmtp new_esmtp_inspect_map
service-policy global-policy global

Source.

Reason for Replies

The ASA only supports 15 SMTP commands; any others will return the errors you are seeing. The second SMTP server (1.2.3.4) is using commands the ASA doesn't support, or they are improperly formatted.

ESMTP application inspection adds support for extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, and RSET), the ASA supports a total of 15 SMTP commands. Other extended SMTP commands, such as ATRN, ONEX, VERB, and CHUNKING, and private extensions are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

Source

To verify, I recommend using a packet sniffer between the ASA and 1.2.3.4 to see which commands are being returned.
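As an added example (not part of the answer above), a small Python triage script for the capture that the answer recommends: it walks a client/server SMTP transcript, flags the masked 220 banner, lists the client commands that fall outside the command set quoted from the Cisco config guide, and lists every command that drew a 5xx reply. The "C: "/"S: " transcript format and the sample session are constructed for the example; the session reproduces the symptom from the question (supported commands such as EHLO still rejected with 500 5.3.3).

```python
import re

# Commands the ASA ESMTP inspection passes through, as listed in the Cisco
# config-guide excerpt quoted above (RFC 821 commands plus the extensions).
ASA_SUPPORTED = {
    "DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET",
    "AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "STARTTLS", "VRFY",
}

# A banner rewritten by the inspection keeps only "220" and a run of asterisks.
BANNER_MASKED = re.compile(r"^220\s*\*{3,}")


def analyze_session(transcript):
    """Walk a constructed 'C: ' / 'S: ' transcript and report inspection symptoms.

    Returns a dict with: banner_masked (bool), unsupported (client commands
    outside ASA_SUPPORTED, in order sent) and rejected (commands answered 5xx).
    """
    result = {"banner_masked": False, "unsupported": [], "rejected": []}
    last_cmd = None  # verb of the most recent client line; None until first command
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("S: "):
            reply = line[3:]
            if last_cmd is None:
                # First server line before any command is the greeting banner.
                result["banner_masked"] = bool(BANNER_MASKED.match(reply))
            elif reply[:1] == "5":
                result["rejected"].append(last_cmd)
        elif line.startswith("C: "):
            words = line[3:].split()
            last_cmd = words[0].upper() if words else ""
            if last_cmd not in ASA_SUPPORTED:
                result["unsupported"].append(last_cmd)
    return result


# Constructed sample capture: masked banner, supported commands still rejected,
# plus one extension (VERB) the inspection does not support.
SAMPLE_CAPTURE = """\
S: 220 ***************************
C: EHLO client.example
S: 500 5.3.3 Unrecognized command
C: HELO client.example
S: 500 5.3.3 Unrecognized command
C: VERB
S: 500 5.3.3 Unrecognized command
C: QUIT
S: 221 2.0.0 Service closing transmission channel
"""

if __name__ == "__main__":
    print(analyze_session(SAMPLE_CAPTURE))
```

Supported commands appearing in "rejected" but not in "unsupported" point at the command formatting or the server side rather than the command set, which is the distinction the packet capture is meant to settle.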
