tstanik Thu, 12/13/2007 - 14:47

You can do this. You'll just need to define different classes of traffic (using access-list matches) and then inspect ESMTP on certain classes. For example:

! Hosts in 192.168.1.0/24 sending to TCP port 25: no ESMTP inspection
access-list traffic-with-TLS permit tcp 192.168.1.0 255.255.255.0 any eq 25
! All sources other than 192.168.1.0/24: default inspections, ESMTP included
access-list traffic-without-TLS deny ip 192.168.1.0 255.255.255.0 any
access-list traffic-without-TLS permit ip any any
!
class-map inspection_without_smtp
 match access-list traffic-with-TLS
class-map inspection_default
 match default-inspection-traffic
 match access-list traffic-without-TLS
!
policy-map global_policy
 class inspection_without_smtp
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
!
service-policy global_policy global
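
An added example (not part of the original post, and not Cisco code): a small Python model for checking which class an SMTP flow lands in under the configuration above, and whether that class runs `inspect esmtp`. It assumes first-match ACL evaluation with an implicit deny and that a flow is handled by the first class in the policy-map whose ACL permits it; `parse`, `acl_permits` and `esmtp_inspected` are hypothetical helper names, and the embedded config is a shortened copy of the post's, with `tcp` in the port 25 entry.

```python
import ipaddress
# Constructed sample: the post's configuration with the inspect lists shortened.
CONFIG = """\
access-list traffic-with-TLS permit tcp 192.168.1.0 255.255.255.0 any eq 25
access-list traffic-without-TLS deny ip 192.168.1.0 255.255.255.0 any
access-list traffic-without-TLS permit ip any any
class-map inspection_without_smtp
 match access-list traffic-with-TLS
class-map inspection_default
 match default-inspection-traffic
 match access-list traffic-without-TLS
policy-map global_policy
 class inspection_without_smtp
  inspect ftp
 class inspection_default
  inspect esmtp
"""

def parse(config):
    acls, class_acl, policy, ctx = {}, {}, [], None
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] == "access-list":
            # Fields: name, action, proto, source ("any" or net + mask), "any", optional "eq PORT"
            src = None if w[4] == "any" else ipaddress.ip_network(f"{w[4]}/{w[5]}")
            port = int(w[-1]) if w[-2] == "eq" else None
            acls.setdefault(w[1], []).append((w[2], src, port))
        elif w[0] == "class-map":
            ctx = w[1]
        elif w[:2] == ["match", "access-list"]:
            class_acl[ctx] = w[2]
        elif w[0] == "class":
            policy.append((w[1], set()))
        elif w[0] == "inspect":
            policy[-1][1].add(w[1])
    return acls, class_acl, policy

def acl_permits(entries, src_ip, dport):
    for action, src, port in entries:    # first matching entry wins
        if (src is None or src_ip in src) and port in (None, dport):
            return action == "permit"
    return False                          # implicit deny at the end of an ACL

def esmtp_inspected(config, src, dport=25):
    # Assumption: the flow is SMTP to tcp/25, which default-inspection-traffic covers.
    acls, class_acl, policy = parse(config)
    for name, inspects in policy:         # first class whose ACL permits the flow
        if acl_permits(acls[class_acl[name]], ipaddress.ip_address(src), dport):
            return name, "esmtp" in inspects
    return None, False
```

Calling `esmtp_inspected(CONFIG, "192.168.1.10")` returns the exempt class with ESMTP inspection off, while a source outside 192.168.1.0/24 falls through to `inspection_default` with ESMTP inspection on.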
