Sep 03 2009

By default, STARTTLS is not allowed by ESMTP application inspection on the ASA 55x0, nor by the SMTP fixup protocol on the PIX.

A PIX running PIX OS 6.x cannot handle ESMTP at all: its SMTP fixup (Mail Guard) permits only the basic RFC 821 command set, so EHLO and every extension negotiated behind it, STARTTLS included, are blocked. The only way to get TLS/ESMTP through an old PIX is to disable the SMTP fixup altogether, which also drops the command filtering it provided:

no fixup protocol smtp 25

On the ASA 55x0 things look better. With 7.2(3) or later you can let the STARTTLS extension (the 250-STARTTLS line of the EHLO reply) pass ESMTP inspection by adding an inspection policy map with the allow-tls parameter:

policy-map type inspect esmtp esmtp_pmap
 parameters
  allow-tls [action log]

The optional action log keyword logs each TLS negotiation the inspection lets through. Keep it on: sessions the ASA can no longer look into should at least show up in the syslog.

Don't forget to activate the policy map; it does nothing until a class uses it. To apply it to the default global policy, replace the stock ESMTP inspection with the new map:

policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp esmtp_pmap

ASAs running releases before 7.2(3) have no allow-tls parameter; the only option there is to disable ESMTP inspection entirely:

policy-map global_policy
class inspection_default
no inspect esmtp

Why is TLS disabled by default?
TLS encrypts the session between the two MTAs. Once STARTTLS has completed, the firewall sees nothing but ciphertext and can no longer inspect commands or payload, so the inspection engine blocks STARTTLS by default to keep the session in cleartext. Allowing TLS is therefore a trade-off: you gain encryption on the wire but lose every ESMTP check the ASA would otherwise apply to that session, and the mail server behind it has to enforce those checks itself.
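To see whether a policy change actually took effect, test from the client side rather than trusting the running-config. The script below is an added example and not part of the original post or of Cisco's documentation: it parses an EHLO reply for the STARTTLS extension and, in probe_starttls(), EHLOs a real MTA and tries STARTTLS. Host names are placeholders, the two EHLO replies are constructed for offline use, and the assumption that a non-allowing inspection removes just the 250-STARTTLS line is marked in the comments.

```python
import smtplib
import socket
import sys

# Constructed EHLO replies for offline testing (not captured traffic).
# EHLO_DIRECT is what a typical MTA returns; EHLO_INSPECTED models the same
# server seen through an ESMTP inspection that does not allow TLS, where the
# STARTTLS advertisement is gone (assumption: the firewall suppresses the
# extension line rather than the whole reply).
EHLO_DIRECT = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_INSPECTED = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    The first line carries the server name and greeting and is skipped;
    every further line must start with '250-' or '250 '.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply")
    extensions = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected line in EHLO reply: %r" % line)
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if body:
            name, _, params = body.partition(" ")
            extensions[name.upper()] = params
    return extensions


def starttls_advertised(reply):
    """True when the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host, port=25, timeout=10.0):
    """Live check against a real MTA: EHLO, look for STARTTLS, try to use it.

    Returns {'advertised': bool, 'negotiated': bool, 'error': str or None}.
    Run it once from a host that reaches the MTA directly and once through
    the firewall; if only the direct run reports advertised=True, the
    inspection policy is stripping STARTTLS.
    """
    result = {"advertised": False, "negotiated": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:
                result["error"] = "EHLO rejected with %d" % code
                return result
            result["advertised"] = smtp.has_extn("starttls")
            if result["advertised"]:
                smtp.starttls()           # raises on a non-220 answer
                result["negotiated"] = True
    except (socket.error, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.net"
    print(probe_starttls(target))
```

A server that advertises STARTTLS but then fails the negotiation (advertised=True, negotiated=False, with the 5xx reply in error) points at an ASA that passes the EHLO line through but still rejects the command, which is the case to look for on releases where allow-tls is configured but the policy map was never attached to a class.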

Sep 03 2009

On most IOS 12.2 and earlier releases, service password-encryption does not cover the tacacs-server key: the command has no 0/7 keyword, so the key is stored and parsed only in cleartext.

So be careful when you copy and paste a line taken from a newer IOS such as

tacacs-server key 7 120B0A02060E1E49392E273A3621315D091317

An older IOS does not know what the 7 means; it takes the rest of the line, the 7 included, as the literal key, and the key no longer matches the one on the TACACS+ server. For a working setup you have to enter the tacacs-server key in cleartext:

tacacs-server key

A key mismatch of this kind shows up in debug tacacs as a bad AUTHEN packet:

TPLUS: Queuing AAA Authentication request 199 for processing
TPLUS: processing authentication start request id 199
TPLUS: Authentication start packet created for 199()
TPLUS: Using server
TPLUS(000000C7): connected to server
TPLUS: response received for AAA request 199
TPLUS: received bad AUTHEN packet: length = 6, expected 66016
TPLUS: Invalid AUTHEN packet (check keys)

The 0 string and 7 string keyword and argument pairs for tacacs-server key were added in IOS 12.3(2)T; only from that release on is a key 7 <hex> line parsed as an obfuscated key rather than as a literal one. Bear in mind that type 7 is reversible obfuscation, not encryption, so a key 7 line protects the secret from nothing more than a glance over the shoulder.
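When a config has to move from a box that writes key 7 lines to one that cannot read them, the cleartext has to be recovered first, and type 7 makes that trivial. The following is an added example and not code from the original post: a type 7 decoder and encoder using the well-known fixed XOR table, a helper that rewrites a 12.3(2)T-style tacacs-server key line into the cleartext form older IOS needs, and, for contrast, a helper that returns what an old IOS would install as the secret if the line were pasted unchanged. The script name in the usage note is hypothetical, and the old-parser behaviour is modelled on the post's description.

```python
# Cisco "type 7" codec, added here as an example; not from the original post.
# Type 7 is a fixed XOR against this publicly known table, so it is
# reversible by anyone who can read the configuration.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

KEY_PREFIX = "tacacs-server key "


def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits give the starting offset
    into XLAT, the rest is hex, one XORed byte per plaintext character."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + j) % len(XLAT)]))
                   for j, b in enumerate(data))


def encode_type7(plain, seed=12):
    """Produce a type 7 string for `plain` (IOS itself uses seeds 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join("%02X" % (ord(c) ^ ord(XLAT[(seed + j) % len(XLAT)]))
                   for j, c in enumerate(plain))
    return "%02d%s" % (seed, body)


def key_for_old_ios(line):
    """Rewrite a 12.3(2)T-or-later 'tacacs-server key {0|7} ...' line into
    the cleartext-only form that IOS 12.2 and earlier understand."""
    if not line.startswith(KEY_PREFIX):
        raise ValueError("not a tacacs-server key line")
    rest = line[len(KEY_PREFIX):]
    if rest.startswith("7 "):
        return KEY_PREFIX + decode_type7(rest[2:])
    if rest.startswith("0 "):
        return KEY_PREFIX + rest[2:]
    return line                       # already in the old cleartext form


def key_as_parsed_by_old_ios(line):
    """The secret an IOS without the 0/7 keywords actually installs when the
    line is pasted unchanged: everything after 'tacacs-server key ', the
    leading '7 ' included (assumption drawn from the post's description)."""
    if not line.startswith(KEY_PREFIX):
        raise ValueError("not a tacacs-server key line")
    return line[len(KEY_PREFIX):]


if __name__ == "__main__":
    # Filter a whole config on stdin, rewriting only the key line.
    import sys
    for cfg_line in sys.stdin:
        cfg_line = cfg_line.rstrip("\r\n")
        if cfg_line.startswith(KEY_PREFIX):
            print(key_for_old_ios(cfg_line))
        else:
            print(cfg_line)
```

Run it as a filter over the exported config (for example python3 tacacs_key_fix.py < new-box.cfg > old-box.cfg, script name hypothetical) before pasting into the older router. Comparing key_for_old_ios() with key_as_parsed_by_old_ios() on the same line makes the failure mode above visible: the two differ, and that difference is exactly the "check keys" complaint in the debug output.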