So here's an update:

1. I have turned off fixup smtp and checked that inspect esmtp or inspect smtp is not running.
2. I have also enabled ICMP for both ends from our DMZ mail server and internal mail server.

It is still happening.
Plot thickens huh.

On Mon, Feb 15, 2010 at 6:22 PM, DJ Lucas <d...@lucasit.com> wrote:

> On 02/14/2010 10:17 PM, Jafaruddin Lie wrote:
> >
> > We do have a CISCO ASA 5520 that the outgoing mailserver sits behind,
> > and I have done the no fixup protocol on the box to no avail.
> > I have also enabled ICMP from that box to our internal mail server,
> > and ping works so I figure the ICMP NO-FRAGMENT wouldn't be an issue
> > here now.
> >
>
> It sounds as though the issue surfaced about the same time the new
> security device came into play. If so, it might help to make that
> absolutely clear to everyone who reads this thread. Is this the only
> change in the environment? From what you've said above, it sounds like
> you're on the right track. Only thing I noticed is that you mentioned
> fixup (PIX) and not inspect (ASA). I don't have an ASA in front of me
> ATM (and honestly, I'm not all that good with them anyway), however
> something 'like' the following commands should get you to the right
> place if you don't have access to ASDM (assuming you haven't changed too
> much in the default configuration). There are plenty of examples all
> over the net if you use the correct search terms. Obviously, you should
> do a 'show run' to make sure my second assumption is correct (and that
> this could even be the problem).
>
> {{{
> policy-map global_policy
>  class inspection_default
>   no inspect esmtp
> }}}
>
> Don't forget to write, else it'll be gone on reboot if it works. Sorry,
> done that a couple of times myself, though I always dump my configs. A
> friendly reminder never hurts either way.
>
> BTW, here is a better example than the Cisco docs (IMO), probably should
> have just linked to there in the first place instead of the above
> gibberish. Oh well.
>
> http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24438893.html
>
> -- DJ Lucas

-- 
Registered Linux user no. 384430
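
The 'show run' check suggested in the quoted reply can be scripted. The following is an added example, not part of the thread or of any Cisco tooling: it scans saved running-config text for SMTP/ESMTP inspection that is still configured and reports where the policy is attached. The sample configuration and the function name `smtp_inspection` are constructed for illustration.

```python
import re

# Constructed excerpt of `show running-config` output (not taken from the thread).
SAMPLE_SHOW_RUN = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
!
service-policy global_policy global
"""


def smtp_inspection(show_run):
    """Return (policy_map, class, inspect_line, applied_where) for each
    SMTP/ESMTP inspection still present in the running config."""
    applied = {}    # policy-map name -> "global" or "interface <name>"
    findings = []
    policy = cls = None
    for raw in show_run.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # Any top-level command closes the current policy-map block.
            policy = cls = None
            m = re.match(r"policy-map (\S+)$", line)   # skips "policy-map type ..."
            if m:
                policy = m.group(1)
            m = re.match(r"service-policy (\S+) (global|interface \S+)", line)
            if m:
                applied[m.group(1)] = m.group(2)
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls and re.match(r"inspect (esmtp|smtp)\b", line):
            findings.append((policy, cls, line))
    # Resolve attachment last: service-policy lines follow the policy-maps.
    return [(p, c, l, applied.get(p, "not applied")) for p, c, l in findings]


if __name__ == "__main__":
    for finding in smtp_inspection(SAMPLE_SHOW_RUN):
        print("still inspecting SMTP:", finding)
```

An empty result means no policy-map in the saved config inspects SMTP; a result marked "not applied" means the inspection exists but no service-policy attaches it.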