
501 Garbling Smtp traffic 1

Status
Not open for further replies.

mocsol (Technical User, GB)
Jun 10, 2002
Hi there,

I have almost everything set up as needed except that the PIX 501 seems to be garbling the traffic on port 25 and drastically reducing the server/client response time. Internet (port 80) access appears to be fine and I am totally stumped.

Can anyone see any errors in the config (below), or have you heard of this before?

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 192.168.254.200 eq smtp
access-list 100 permit tcp any host 192.168.254.200 eq 1352
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.254.251 255.255.255.0
ip address inside 192.168.20.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 192.168.254.11-192.168.254.30
global (outside) 1 192.168.254.10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.254.200 192.168.20.2 netmask 255.255.255.255 0 0

access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.20.3-192.168.20.32 inside
dhcpd dns 195.40.1.36 193.131.248.36
dhcpd lease 99999
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cf998f8f56c5dba19839daa19e1a4960

The other possibility is a hardware/firmware error of course, but the crypto seems ok.

Any ideas?

Thanks

Mark
 
HI.

> PIX 501 seems to be garbling the traffic on port 25
If you mean those asterisks you get when you telnet to mail server, this is by design in the pix, and is intended to protect the mail server by hiding details for attackers.

> drastically reducing the server/client response time
Your mail server might be using the IDENT protocol. You should try to read about this and how to disable it on your mail server.
Also use syslog messages at level 4 to see if the pix is blocking any traffic - this will help you troubleshoot.
Look for blocked TCP port 113 traffic.

Bye
Yizhar Hurwitz
 
Thanks Yizhar,

will let you know

Cheers

Mark
 
I do have some blocked traffic on port 113. How do I disable ident on Exchange server?
 
HI.

Exchange does not use IDENT, it is the remote SMTP server.
You should verify this:
Does it happen when you send the mail or receive it - use NSLOOKUP to assist you and try reverse lookup on the ip that is blocked with TCP 113.
Do you also have an additional SMTP server acting as mail relay?

If this is the remote side (recipient server), then in general it is not your problem, but you can try several things to improve performance. Each method has disadvantages as well:

* You can try to allow PORT 113 in to your mail server - I did not try this but I think that the mail server will then "close" the TCP connection instead of "drop" as the pix does by default. The remote server will probably get the FIN message and respond faster instead of waiting for timeout.

* You can configure the pix to reset blocked connections instead of dropping. I don't think it is a good idea because it will work for all ports, not only 113:

Read this - PIX Performance Issues Caused by IDENT Protocol:

Bye
Yizhar Hurwitz
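A small Python helper, added here and not from the thread, that pulls the blocked TCP/113 entries Yizhar says to look for out of PIX level-4 syslog and lists the remote hosts that are candidates for his reverse-lookup check. The sample log lines are constructed, and the exact layout of the PIX "106023 Deny" message is an assumption; adjust the regex to the messages your own PIX emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). The "%PIX-4-106023 Deny"
# layout used here is an assumption; adjust the regex to match the level-4
# messages your own PIX emits.
SAMPLE_SYSLOG = """\
Jun 10 2002 09:12:01 pixfirewall %PIX-4-106023: Deny tcp src outside:203.0.113.7/4411 dst inside:192.168.254.200/113 by access-group "100"
Jun 10 2002 09:12:02 pixfirewall %PIX-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:192.168.254.200/113 by access-group "100"
Jun 10 2002 09:12:05 pixfirewall %PIX-4-106023: Deny tcp src outside:198.51.100.9/3390 dst inside:192.168.254.200/113 by access-group "100"
Jun 10 2002 09:12:09 pixfirewall %PIX-4-106023: Deny tcp src outside:198.51.100.44/1025 dst inside:192.168.254.200/135 by access-group "100"
Jun 10 2002 09:12:11 pixfirewall %PIX-6-302001: Built inbound TCP connection 8812 for faddr 203.0.113.7/4413 gaddr 192.168.254.200/25 laddr 192.168.20.2/25
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def ident_denies(syslog_text, mail_server, dport=113):
    """Count, per remote host, the IDENT (TCP/113) probes toward mail_server
    that the PIX denied.

    IDENT is opened by the *remote* SMTP peer back toward us. When the PIX
    silently drops it, that peer waits for its own timeout before continuing
    the SMTP dialogue, which is what shows up as slow mail. Each source here
    is a candidate for the reverse lookup Yizhar suggests."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("dst") == mail_server and int(m.group("dport")) == dport:
            hits[m.group("src")] += 1
    return hits


if __name__ == "__main__":
    for src, n in ident_denies(SAMPLE_SYSLOG, "192.168.254.200").most_common():
        print(f"{src}: {n} denied IDENT probe(s); try a reverse lookup on this host")
```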
 
Thanks, will check that out. Apparently I do get the same problem today. After receiving "220 *****", when I try to type for example "HELO microsoft.com", after "HELO micro" I get interrupted with a response about 550 unrecognized command. And if I only type in "HELO" and try to proceed with "MAIL FROM:someone@microsoft.com", the prompt gets stuck and I can't continue.

Any more ideas?
 
This is usually caused by the fixup protocol smtp, which turns Mail Guard on. It is used to protect against DOS attacks. I had to turn mine off in order to get Exchange to work right. Take out the line using: no fixup protocol smtp 25.
 
Again, this is an Exchange issue and *may* involve DNS issues too, specifically having no reverse DNS configured. But since the guy who has rights to do DNS management on our service provider has not done so... feh, I can't test my findings. But that does not mean you cannot start at the root of Exchange issues with Mail Guard.

Please see here for details: Thread35-258524 some commands and things here.

And this cut paste from Cisco site:

To enable the Mail Guard feature to accept only 7 SMTP commands (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT):
!--- This may be turned off to permit ESMTP by negating with
!--- the no fixup protocol smtp 25 command.
fixup protocol smtp 25
-----------------Cisco site

The following example shows the commands to disable Mail Guard:

static (dmz1,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp host 209.165.201.1 eq smtp any
access-group acl_out in interface outside
no fixup protocol smtp 25

In this example, the static command sets up a global address to permit outside hosts access to the 10.1.1.1 mail server host on the dmz1 interface. (The MX record for DNS needs to point to the 209.165.201.1 address so that mail is sent to this address.) The access-list command lets any outside users access the global address through the SMTP port (25). The no fixup protocol command disables the Mail Guard feature.


***

My newbie self-troubleshooting scenario (the days before Tek-Tips):

1. We switched service providers.
2. Went from Raptor and Proxy to lotsa Cisco equip which included 2 PIX with 6 interfaces each in stateful failover.
3. DNS guy made the request for DNS changes (not all, as I found out.)
4. Day 1-5 of new equipment and service provider was riddled with nothing but complaints about mail not reaching us. A government agency which had been mailing us for years contacted us about bounces of mail they were sending us.
5. Researched PIX and Exchange
6. Disabled Mail Guard and voilà, emails started flowing.

7 -- There is more involved in this but, chances are you will see your traffic moving. If mail starts moving but is moving slowly? Well, then you should watch your connections by doing "show conn" on the PIX. Watch the traffic and what ports it's using when talking with the mailserver. Should only be 25 right? heh, yah.
(hint: )

Just try it! You're not going to get hacked through this in a 24 hour period.

I have posted this information MANY times on this board. This time I wasn't being lazy and went and grabbed links to Cisco docs. There is lots of information out there on ESMTP also, google to ESMTP Exchange.

-
have fun, tell us what happens.
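To make the Mail Guard behaviour described in the last few posts concrete, here is a Python model added for this page (not Cisco's code and not any poster's) that masks the banner, applies the seven-command allowlist, and flags the symptoms mocsol reported. Only the allowlist comes from the quoted Cisco text; the asterisk masking and the firewall's reply text are assumptions.

```python
# Simplified model of the PIX Mail Guard behaviour discussed in this thread.
# Added example, not Cisco code: the seven-command allowlist is from the quoted
# Cisco text; the banner masking and the firewall's reply text are assumptions.

MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def mask_banner(server_line):
    """Hide the server greeting the way the thread describes: keep the 220 code,
    replace everything after it with asterisks (the "220 *****" mocsol saw)."""
    code, _, rest = server_line.partition(" ")
    return code + " " + "*" * len(rest) if rest else code

def inspect_command(client_line):
    """Return (forwarded_to_server, reply_seen_by_client).

    Verbs outside the allowlist are answered by the firewall and never reach
    the mail server, so ESMTP verbs such as EHLO look 'unrecognized' even
    though Exchange itself supports them."""
    verb = client_line.strip().split(" ", 1)[0].upper()
    if verb in MAILGUARD_ALLOWED:
        return True, None
    return False, "500 Command unrecognized"  # assumed firewall reply text

def simulate_through_mailguard(banner, client_commands, server_reply="250 OK"):
    """Transcript the client sees as a list of (direction, line); the real
    server is stubbed to answer server_reply to anything that is forwarded."""
    transcript = [("S", mask_banner(banner))]
    for cmd in client_commands:
        forwarded, reply = inspect_command(cmd)
        transcript += [("C", cmd), ("S", server_reply if forwarded else reply)]
    return transcript

def classify_session(transcript):
    """Heuristic from the thread: an all-asterisk 220 banner plus a rejected
    EHLO points at fixup protocol smtp 25, not at the mail server."""
    masked = ehlo_rejected = False
    last_verb = None
    for direction, line in transcript:
        if direction == "C":
            last_verb = line.strip().split(" ", 1)[0].upper()
        elif line.startswith("220 ") and line[4:].strip() and set(line[4:].strip()) <= {"*"}:
            masked = True
        elif line[:3] in ("500", "550") and last_verb == "EHLO":
            ehlo_rejected = True
    if masked and ehlo_rejected:
        return "mailguard_likely"
    return "mailguard_possible" if (masked or ehlo_rejected) else "no_mailguard_symptoms"
```

Feeding a captured telnet session into classify_session separates "the firewall is intercepting" from "Exchange is misconfigured" before you touch the fixup line.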
 