01-13-2010 02:50 AM - edited 03-11-2019 09:57 AM
Hi all,
We have an ASA 5580-40 with rel 8.2(1) and we recently experienced problems with ciphered SMTP. After some investigation we realized that by default the ASA, while inspecting ESMTP, overwrites the STARTTLS command, preventing ciphered SMTP from working. We also found how to fix it and, following what is described in the documentation, we modified the configuration as follows:
policy-map type inspect esmtp esmtp_MYmap
 parameters
  allow-tls action log
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_MYmap
exit
Now if we run "show service-policy inspect esmtp" we obtain:
Global policy:
 Service-policy: global_policy
  Class-map: inspection_default
   Inspect: esmtp esmtp_MYmap, packet 1787801, lock fail 1, drop 2, reset-drop 0
    mask-banner, count 34437
    allow-tls, count 5176, log 5161
while before the change we had a richer default map:
show service-policy inspect esmtp
Global policy:
 Service-policy: global_policy
  Class-map: inspection_default
   Inspect: esmtp _default_esmtp_map, packet 392991766, lock fail 1367, drop 5360, reset-drop 0
    mask-banner, count 14545939
    match cmd line length gt 512
     drop-connection log, packet 0
    match cmd RCPT count gt 100
     drop-connection log, packet 2467
    match body line length gt 998
     log, packet 56428
    match header line length gt 998
     drop-connection log, packet 1785
    match sender-address length gt 320
     drop-connection log, packet 0
    match MIME filename length gt 255
     drop-connection log, packet 0
    match ehlo-reply-parameter others
     mask, packet 11713786
Now: is there a way to define a new map that inherits from the default one, or do we have to manually define all the matches above inside the new map in order to preserve the basic ESMTP protocol checks?
Thanks a lot
Chiara
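A small checker, added here as an example and not part of the thread, that parses the two "show service-policy inspect esmtp" outputs above and lists which checks of _default_esmtp_map a custom map lacks, together with the default action, so the comparison doesn't have to be done by eye. The sample strings are the outputs posted above with the "Inspect:" header lines removed; everything else is constructed for this example.

```python
from typing import Dict, List, Set, Tuple
# Constructed sample input: the two show-command blocks posted above,
# reduced to the lines under "Inspect:" (counters left in on purpose).
DEFAULT_MAP = """\
mask-banner, count 14545939
match cmd line length gt 512
  drop-connection log, packet 0
match cmd RCPT count gt 100
  drop-connection log, packet 2467
match body line length gt 998
  log, packet 56428
match header line length gt 998
  drop-connection log, packet 1785
match sender-address length gt 320
  drop-connection log, packet 0
match MIME filename length gt 255
  drop-connection log, packet 0
match ehlo-reply-parameter others
  mask, packet 11713786
"""
CUSTOM_MAP = """\
mask-banner, count 34437
allow-tls, count 5176, log 5161
"""

def parse_esmtp_map(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (parameters, {match criterion: action}); counters are dropped."""
    params: Set[str] = set()
    matches: Dict[str, str] = {}
    pending = None  # match criterion whose action line comes next
    for raw in text.splitlines():
        policy = raw.split(",")[0].strip()  # drop ", packet N" / ", count N"
        if not policy:
            continue
        if policy.startswith("match "):
            pending = policy[len("match "):]
            matches[pending] = ""
        elif pending is not None:
            matches[pending] = policy
            pending = None
        else:
            params.add(policy)
    return params, matches

def missing_checks(default_text: str, custom_text: str) -> List[str]:
    """Default-map match lines absent from the custom map, with their action."""
    default_matches = parse_esmtp_map(default_text)[1]
    custom_matches = parse_esmtp_map(custom_text)[1]
    return [f"match {crit}: {action}" for crit, action in default_matches.items()
            if crit not in custom_matches]
```

Feeding it the two outputs above reports all seven default match lines as missing from esmtp_MYmap, each with the action the default map applies.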
01-20-2010 06:34 PM
Just add these along with the allow-tls action log that you already have under the parameters section.
policy-map type inspect esmtp esmtp_MYmap
 parameters
  allow-tls action log
 match cmd line length gt 512
 match cmd RCPT count gt 100
 match body line length gt 998
 match header line length gt 998
 match MIME filename length gt 255
 match ehlo-reply-parameter others
and it will show you these as well:
5505(config)# sh service-policy inspect esmtp
Global policy:
 Service-policy: global_policy
  Class-map: inspection_default
   Inspect: esmtp esmtp_MYmap, packet 0, drop 0, reset-drop 0
    mask-banner, count 0
    allow-tls, count 0, log 0
    match cmd line length gt 512
    match cmd RCPT count gt 100
    match body line length gt 998
    match header line length gt 998
    match MIME filename length gt 255
    match ehlo-reply-parameter others
-KS
02-01-2010 09:28 AM
I completed the policy definition before receiving your answer. I removed logging from allow-tls and added the basic checks inside my custom policy in this way:
policy-map type inspect esmtp esmtp_MYmap
 parameters
  no allow-tls action log
  allow-tls
  mask-banner
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
but after some days I had to remove it because the ASA CPU rose unexpectedly (the traffic remained unchanged).
Do you see something wrong? The only difference from the configuration you indicated is that I also specified the action corresponding to every match...
Thanks again
02-01-2010 01:12 PM
I don't see anything wrong, unless you receive a huge amount of e-mail traffic.
You may want to open a TAC case to check the process that is taking CPU cycles during the time of the CPU spike.
-KS