ASA: how to inherit a new inspect map from a default one?

CSCO10235163 · ‎01-13-2010

Hi all,

we have an ASA 5580-40 with rel 8.2(1) and we recently experienced problems with ciphered SMTP. After some investigation we realized that by default ASA while inspecting ESMTP overwrites command STARTTLS prohibiting ciphered SMTP to work. We also found how to fix it and, following what described by documentation, we modified configuration as follows:

policy-map type inspect esmtp esmtp_MYmap
parameters
allow-tls action log

policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp esmtp_MYmap
exit

now if we do "show service-policy inspect esmtp" we obtain

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp esmtp_MYmap, packet 1787801, lock fail 1, drop 2, reset-drop 0
        mask-banner, count 34437
        allow-tls, count 5176, log 5161

while before the change we had a richer default map:

show service-policy inspect esmtp

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp _default_esmtp_map, packet 392991766, lock fail 1367, drop 5360, reset-drop 0
        mask-banner, count 14545939
        match cmd line length gt 512
          drop-connection log, packet 0
        match cmd RCPT count gt 100
          drop-connection log, packet 2467
        match body line length gt 998
          log, packet 56428
        match header line length gt 998
          drop-connection log, packet 1785
        match sender-address length gt 320
          drop-connection log, packet 0
        match MIME filename length gt 255
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 11713786

Now: Is there a way to define a new map that inherits from the default one or do we have to manually define all the match above inside the new map in order to preserve the basic ESMTP protocol checks?

Thanks a lot

Chiara

Kureli Sankar · ‎01-20-2010

Just add these along with the allow-tls action log that you already have under the parameters section.

policy-map type inspect esmtp esmtp_MYmap
parameters

allow-tls action log
match cmd line length gt 512
match cmd RCPT count gt 100
match body line length gt 998
match header line length gt 998
match MIME filename length gt 255
match ehlo-reply-parameter others

and it will show you these as well.

5505(config)# sh service-policy inspect esmtp

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp esmtp_MYmap, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        allow-tls, count 0, log 0
        match cmd line length gt 512
        match cmd RCPT count gt 100
        match body line length gt 998
        match header line length gt 998
        match MIME filename length gt 255
        match ehlo-reply-parameter others

-KS

CSCO10235163 · ‎02-01-2010

I completed the policy definition before receiving your answer. I removed logging from allow-tls and I added the basic check inside my custom policy in this way:

policy-map type inspect esmtp esmtp_MYmap

parameters

no allow-tls action log
allow-tls

mask-banner

match cmd line length gt 512
drop-connection log

match cmd RCPT count gt 100
drop-connection log

match body line length gt 998
log

match header line length gt 998
drop-connection log

match sender-address length gt 320
drop-connection log

match MIME filename length gt 255
drop-connection log

match ehlo-reply-parameter others
mask

but after some days I had to remove it because the ASA cpu rised unexpectedly (the traffic remained unchanged).

Do you see something wrong? The only difference from the configuration you indicated, is that I also specified the action corresponding to every match...

Thanks again

Kureli Sankar · ‎02-01-2010

I don't see anything wrong. Unless you receive huge amount of e-mail traffic.

You may want to open a TAC case to check the process that is taking CPU cycles during the time of the CPU spike.

-KS