Document ID: 113423
Updated: Jan 26, 2012
Contributed by Magnus Mortensen, Cisco TAC Engineer.
This document describes the best way to troubleshoot connectivity problems with SMTP and ESMTP traffic through an ASA.
There are no specific requirements for this document.
The information in this document is based on the Cisco 5500 Series Adaptive Security Appliance (ASA).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
When you test an email server through Telnet on the ASA and ESMTP or SMTP inspection is enabled, certain commands, such as HELO or EHLO, return a 550 error that indicates the command is not understood. When ESMTP or SMTP inspection is enabled, the commands are understood.
ESMTP and SMTP inspection enforce a policy that allows only certain commands through the ASA. If a mail command is sent that is not allowed, it is replaced by Xs, which makes the command invalid to the client and the server.
Commands that are normally allowed are listed in the inspect esmtp section of the Cisco ASA 5500 Series Command Reference, 8.4 and 8.5. HELO and EHLO are normally allowed; however, whether the command is recognized depends on the method by which you test.
For example, Telnet sends each character individually in a different packet on the wire, but actual email clients and servers send the entire command in one packet. If you use Telnet and you type H, the Telnet client sends an H to the email server. Since ESMTP and SMTP inspection do not recognize H as a valid command, the ASA replaces the H with an X and passes it along. If you proceed to type ELO, each character is sent individually, and the ASA turns each character into an X. The server receives the final command as XXXX and errors out as expected.
If you use Telnet to test connectivity, you must configure the application to send the entire command in one packet. (The Microsoft Windows Telnet program can send a line at a time instead of character by character.) Press CTRL+] to exit the Telnet session, and type send HELO. This action sends the entire command instead of individual characters.
As an alternative, you can use another program, such as Netcat. Netcat sends commands line by line and is a very power tool for testing network sockets and data transfers. However, the best solution is to test the connectivity with an actual email program and capture the traffic on the ASA for further testing.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.