SMTP and TLS with PIX

Unanswered Question
Dec 6th, 2007

Running version 3.1(5) on FWSM

Is there a way to allow TLS with SMTP through the firewall without disabling SMTP stateful inspection globally?

tstanik Thu, 12/13/2007 - 14:47

You can do this. You'll just need to define different classes of traffic (using access-list matches) and then inspect ESMTP on certain classes. For example:

! SMTP flows from the TLS-capable mail subnet (port match requires tcp, not ip)
access-list traffic-with-TLS permit tcp 192.168.1.0 255.255.255.0 any eq 25
! Carve only those SMTP flows out of the default class; every other flow from
! that subnet (and from anywhere else) keeps the normal set of inspections
access-list traffic-without-TLS deny tcp 192.168.1.0 255.255.255.0 any eq 25
access-list traffic-without-TLS permit ip any any
!
! Class for the TLS mail traffic: same inspections as the default class, minus esmtp
class-map inspection_without_smtp
 match access-list traffic-with-TLS
!
! Both match lines must be satisfied: default inspection ports AND not the TLS mail flows
class-map inspection_default
 match default-inspection-traffic
 match access-list traffic-without-TLS
!
policy-map global_policy
 class inspection_without_smtp
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
!
service-policy global_policy global
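To verify that the policy above actually leaves STARTTLS intact for the excluded class, the following script (added here, not part of the thread) sends EHLO through the firewall and classifies the reply; ESMTP inspection on PIX/ASA/FWSM overwrites an extension keyword it does not permit with X characters, which the parser treats as masking. The sample replies and host names are constructed for offline use; `check_live()` is the optional network path.

```python
import socket

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply into {EXTENSION: params}.
    '250-KEYWORD' means more lines follow, '250 KEYWORD' is the last one;
    the first 250 line carries the server's domain, not an extension."""
    exts, first = {}, True
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if first:
            first = False                # domain/greeting line, skip it
            continue
        if body:
            kw, _, params = body.partition(" ")
            exts[kw.upper()] = params
    return exts

def starttls_status(reply: str) -> str:
    """'advertised', 'masked-by-inspection' (keyword replaced by X's) or 'absent'."""
    exts = parse_ehlo(reply)
    if "STARTTLS" in exts:
        return "advertised"
    if any(set(k) == {"X"} for k in exts):
        return "masked-by-inspection"
    return "absent"

def check_live(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect to a real server, issue EHLO, classify the reply (network use)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", newline="\r\n")
        f.readline()                     # 220 greeting
        f.write("EHLO probe.example\r\n"); f.flush()
        lines = []
        while True:
            line = f.readline()
            lines.append(line)
            if not line or line[3:4] != "-":   # '250 ' (space) ends the reply
                break
        f.write("QUIT\r\n"); f.flush()
    return starttls_status("".join(lines))

# Constructed sample replies: one untouched, one as inspect esmtp rewrites it.
CLEAN = "250-mail.example.net\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
MASKED = "250-mail.example.net\r\n250-SIZE 10240000\r\n250-XXXXXXXX\r\n250 8BITMIME\r\n"
```

Run `check_live()` against the mail server from inside the 192.168.1.0/24 class and from a host outside it: the former should report "advertised", the latter "masked-by-inspection" if the esmtp inspection is still applied there.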
