Cisco ASA 5500-X Series Next-Generation Firewalls

ASA ESMTP and SMTP Inspection Do Not Allow Certain Commands over Telnet

Document ID: 113423

Updated: Sep 16, 2013

Contributed by Magnus Mortensen, Cisco TAC Engineer.

This document describes the best way to troubleshoot connectivity problems with SMTP and ESMTP traffic through an ASA.

There are no specific requirements for this document.

Components Used

The information in this document is based on the Cisco 5500 Series Adaptive Security Appliance (ASA).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

When you test an email server through Telnet on the ASA and ESMTP or SMTP inspection is enabled, certain commands, such as HELO or EHLO, return a 550 error that indicates the command is not understood. When ESMTP or SMTP inspection is disabled, the commands are understood.

ESMTP and SMTP inspection enforce a policy that allows only certain commands through the ASA. If a mail command is sent that is not allowed, it is replaced by Xs, which makes the command invalid to the client and the server.

Commands that are normally allowed are listed in the inspect esmtp section of the Cisco ASA Series Command Reference. HELO and EHLO are normally allowed; however, whether the command is recognized depends on the method by which you test.

For example, Telnet sends each character individually in a different packet on the wire, but actual email clients and servers send the entire command in one packet. If you use Telnet and you type H, the Telnet client sends an H to the email server. Since ESMTP and SMTP inspection do not recognize H as a valid command, the ASA replaces the H with an X and passes it along. If you proceed to type ELO, each character is sent individually, and the ASA turns each character into an X. The server receives the final command as XXXX and errors out as expected.

If you use Telnet to test connectivity, you must configure the application to send the entire command in one packet. (The Microsoft Windows Telnet program can send a line at a time instead of character by character.) Press CTRL+] to escape to the Telnet command prompt, and type send HELO. This action sends the entire command in one packet instead of individual characters.

As an alternative, you can use another program, such as Netcat. Netcat sends commands line by line and is a very powerful tool for testing network sockets and data transfers. However, the best solution is to test the connectivity with an actual email program and capture the traffic on the ASA for further testing.
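The following probe is an added example and is not part of this document or of Cisco's tooling. Like Netcat, it writes each SMTP command as one complete line in a single send, so a 550 in response to EHLO can be attributed to the server rather than to the per-character behaviour described above. The target address 192.0.2.25 and the EHLO name are placeholders.

```python
"""Send each SMTP command as one whole line (like Netcat), then parse the reply."""
import socket


def reply_complete(buf: bytes) -> bool:
    """True once buf holds the final reply line: 'NNN text' (space, not '-').
    Only CRLF-terminated lines are examined, so a partial line never matches."""
    for line in buf.split(b"\r\n")[:-1]:
        if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
            return True
    return False


def parse_reply(buf: bytes):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines])."""
    code, texts = None, []
    for line in buf.decode("ascii", "replace").splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply line: {line!r}")
        code = int(line[:3])
        texts.append(line[4:])  # drop the 'NNN ' or 'NNN-' prefix
    return code, texts


def read_reply(sock: socket.socket):
    """Read from the socket until a complete reply has arrived."""
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return parse_reply(buf)


def send_command(sock: socket.socket, command: str):
    """Send the whole command plus CRLF in one write (not H, E, L, O separately)."""
    sock.sendall(command.encode("ascii") + b"\r\n")
    return read_reply(sock)


def smtp_probe(host: str, port: int = 25, helo_name: str = "probe.example.test"):
    """Connect, read the banner, send EHLO and QUIT; return each reply."""
    with socket.create_connection((host, port), timeout=10) as sock:
        results = {"banner": read_reply(sock)}
        results["EHLO"] = send_command(sock, f"EHLO {helo_name}")
        results["QUIT"] = send_command(sock, "QUIT")
    return results


if __name__ == "__main__":
    # Placeholder target: replace with the mail server behind the ASA.
    for name, (code, lines) in smtp_probe("192.0.2.25").items():
        print(f"{name}: {code} {' | '.join(lines)}")
```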
