Skip to main content

Problem with FWSM. Please help.

More
17 years 2 months ago #23371 by calicutbobby
Hi,

We have a FWSM module in 6513 core switch which acts as the gateway between Vlan's.


We have an exhange server (Microsoft Exchange 2003) in one VLAN and now we face a connectivity problem to this server on port 25 from other VLAN's. The port is open and no restrictions are there from Acces-lists.


When we do a telnet to the server on port 25, we are not able to see the banner which the exchange server returns as response and no response are obtained for the commads we type in as well. Ex: helo, mail from: mailid@domain.com, etc.,

Once we telnet to the exchange server on port 25 from a different VLAN we get the below given message

---Output---

220 ****************************************************************************

***********************************************

--end of output---

Where as it works perfectly within the VLAN where the server exists and we get response to the command which we type in. Ex; helo, mil from: mailid@domain.com, etc.,


---Output---

220 servername.ourdomain.com Microsoft ESMTP MAIL Service, Version: x.y.wert.yuio ready at Tue, 2 Oct 2007 14:04:34 +0200

--End of Output---

The scenario here is, we have lot of application servers which monitor multiple devices and these application servers sent mail to the exchange server. These application servers are in a different VLAN.

I aint sure what exactly is blocking the return traffic? Someone please advice on this. Thanks.
More
17 years 2 months ago #23373 by calicutbobby
The issue has been resolved. The inspect engine for smtp was blocking/dropping the packets. Thanks
More
17 years 2 months ago #23380 by skepticals
I'm sorry, I should have caught that. I have heard about the SMTP inspection causing problems, but I have not been faced with that at this time.

Does the inspection only happen when traffic goes between VLANs and interfaces?
More
17 years 2 months ago #23381 by Smurf
We turn the SMTP/ESMTP Fixup/Inspect rules off on all our Pix firewalls because it just stops e-mail flow.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 2 months ago #23382 by skepticals
Smurf,

Do you have a link to documentation as to the best method of disabling the inspection?
More
17 years 2 months ago #23383 by Smurf
No, just remove the inspect line (or fixup).

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.130 seconds