
inspect esmtp

Status
Not open for further replies.

TamerAhmed

Technical User
Sep 11, 2006
19
EU
Hi,

By default the PIX inspects smtp on port 25, or even in new versions (7.2) inspects esmtp on the same port, and as I read it, that is for traffic coming from higher security interfaces to lower, not the opposite. I had a client behind my secure zone trying to use an external smtp, and he used it unless I removed this default inspection from the PIX, so why did that happen?
 
Are you saying the user was able to use port 25 outbound for SMTP until you removed the inspect esmtp command and then it no longer worked? Post your config.

Free Firewall/Network/Systems Support-
 
Hi sir,

I mean the opposite. In other words, my customer was not working until I removed this inspection, and then it worked. I guess esmtp inspection works on inbound connections, not on outbound, especially since my customer initiates an outbound connection from inside to outside. Below is the global policy that is applied by default on all interfaces:

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class class_rtsp
  inspect rtsp
 class inspection_default
  inspect icmp error
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 
The inspect should be working both ways. The inspect is simply providing a higher level of inspection to TCP 25 traffic. The cause of this issue could range from having an invalid or unsupported esmtp command sent by the client or server that made the pix drop this traffic. A sure way to find out is to ensure you are either logging to the buffer or to a syslog server. I find the buffer the easiest when troubleshooting.

logging buffered 7 - Sets your logging level to debug. This will give you a range of info for multiple hosts.

sh log - Will display the contents of the logging buffer and the current logging settings.

If you enable the inspect again and have the customer attempt to send, you should see some entries on the pix that state why the traffic is being dropped. If your network is busy you may need to do an include on the source or dest ip address to be able to see the appropriate entries.

sh log | i 192.168.0.x

Free Firewall/Network/Systems Support-
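The `sh log | i` step above only greps the buffer; the following added example (not from the thread or from Cisco) goes one step further and pairs the Built/Teardown messages for TCP 25 sessions of a given client, so you can see at a glance whether a mail session was ever built and how it ended. The log lines, addresses and connection ids are constructed samples modelled on the PIX/ASA syslog format.

```python
import re

# Constructed sample of what `sh log` might contain at `logging buffered 7`.
# 302013/302014 are the standard Built/Teardown TCP connection messages;
# the addresses, ports and connection numbers are invented for this example.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 4101 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.0.10/49152 (198.51.100.1/49152)
%PIX-6-302013: Built outbound TCP connection 4102 for outside:198.51.100.77/80 (198.51.100.77/80) to inside:192.168.0.10/49153 (198.51.100.1/49153)
%PIX-6-302014: Teardown TCP connection 4101 for outside:203.0.113.25/25 to inside:192.168.0.10/49152 duration 0:00:01 bytes 83 TCP Reset-O
%PIX-6-302014: Teardown TCP connection 4102 for outside:198.51.100.77/80 to inside:192.168.0.10/49153 duration 0:00:05 bytes 9120 TCP FINs
%PIX-6-302013: Built outbound TCP connection 4103 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.0.11/49160 (198.51.100.1/49160)
"""

# Outbound connections list the lower-security (server) side first, then the client.
CONN_RE = re.compile(
    r"%PIX-\d-30201[34]: (?P<event>Built|Teardown)(?: outbound| inbound)? TCP connection "
    r"(?P<conn>\d+) for (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+).*?"
    r"\bto (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"(?:.*?duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+))?"
)


def smtp_connections(log_text, client_ip=None, port=25):
    """Return one record per TCP session to `port` (optionally for one client),
    recording whether it was built and, if torn down, the byte count and reason."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        if int(f["dst_port"]) != port:
            continue
        if client_ip and f["src_ip"] != client_ip:
            continue
        rec = conns.setdefault(f["conn"], {
            "client": f["src_ip"], "server": f["dst_ip"],
            "built": False, "torn_down": False, "bytes": None, "reason": None})
        if f["event"] == "Built":
            rec["built"] = True
        else:  # Teardown: a tiny byte count with a reset is the classic "dropped by inspection" shape
            rec["torn_down"] = True
            rec["bytes"] = int(f["bytes"])
            rec["reason"] = f["reason"].strip()
    return conns


if __name__ == "__main__":
    for cid, rec in smtp_connections(SAMPLE_LOG).items():
        print(cid, rec)
```

If the client's address produces no records at all, the SYN never reached the pix, which points at the host or the path to the inside interface rather than at the inspection.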
 
Sir,

I did what you told me but I got nothing helpful. Logging just showed some TCP or UDP connections to some IPs, and most of them were google.com; I couldn't see one connection opened to port 25 as a destination!!

Sorry for being late to reply to you, and thank you for your help.
 
Dear sir,

Exim MTA is the mail server type you asked about.
 
Sir,

I have a new thing, really strange. I repeated my test but behind another firewall, a 525 with OS 7.2 with the same default inspection policy, and it worked, but my current PIX, a 515 also with OS 7.2, is not working. Do you think the PIX itself has some problem?!!!
 
What else changed when you tested? I doubt the hardware is the issue here. Please post a scrubbed running config. I assume the config was the same for both PIX?

Free Firewall/Network/Systems Support-
 
The two PIXs are not identical in configuration, but on the PIX I complain about, the traffic is sourced from the inside interface, and no access-list is applied in the outbound direction. In other words, nothing is restricting the outbound connection except the default inspection policy. Regarding the second PIX that allowed my outgoing connection to work fine, its default inspection policy is exactly the same, but I have an access-list restricting outgoing connections. Briefly, I really don't find any difference except the H/W type (515, 525).


what do you think?
 