ASA - Inspect ESMTP

cdcjim2877 (Level 1)

I am working with an ASA 5520 with a SPAM appliance located within the DMZ.  Not all smtp connections are being corrupted by the inspect esmtp setting, just a few.  It was discovered that those few sites that are connecting to the SPAM appliance traverse 2 additional firewalls (1 ASA and 1 PIX), *before* their smtp traffic hits the Internet to continue on to our DMZ.

Why would this be the case?  Is it due to passing through two additional firewalls that may be adjusting the headers (static NAT, etc.)?

If we are not comfortable turning off the inspect esmtp setting, is it possible to write a specific policy that would include these few sites MX records?  If so, how might that be done?

Thanks,

Jim

Accepted Solution

Panos Kampanakis (Cisco Employee)

You could create an access list that matches specific server IP addresses and put it under the policy map and inspect esmtp on it.

------------

! deny = exempt the flow from esmtp inspection, permit = inspect it.
! Deny lines must come before the permit; <exempt-server-ip> is a
! placeholder for each remote mail server to exempt (one deny line per host).
access-list esmtp-acl extended deny tcp host <exempt-server-ip> any eq 25
access-list esmtp-acl extended permit tcp any any eq 25

class-map esmtp-cm
  match access-list esmtp-acl

policy-map global_policy
  class esmtp-cm
    inspect esmtp

------------

I hope it helps.

PK
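A complete version of the configuration described in the answer above, added here as an example and not taken from the original post or from Cisco documentation. It assumes the ASA still carries the default global_policy, that the anti-spam appliance sits on the DMZ at 192.0.2.10, and that the two problem senders' MX hosts are 198.51.100.5 and 198.51.100.6; all three addresses are placeholders to be replaced with the real MX addresses. The one check the answer leaves implicit is in step 1: for a given inspection type the ASA applies only the first class in the policy map that matches a flow, and the stock inspection_default class (match default-inspection-traffic) already matches tcp/25, so esmtp has to be removed from it or the new class is never reached. Note that flows hitting the deny lines get no esmtp inspection at all, so keep the exempt list as short as possible.

```text
! 1. Take esmtp out of the default class so the ACL-based class below
!    is the one that decides whether a tcp/25 flow is inspected.
policy-map global_policy
  class inspection_default
    no inspect esmtp
!
! 2. deny = exempt from inspection, permit = inspect. Order matters:
!    the ACL is evaluated top-down and the permit must come last.
!    (198.51.100.5/6 = remote MX hosts, 192.0.2.10 = DMZ appliance; placeholders)
access-list esmtp-acl extended deny   tcp host 198.51.100.5 host 192.0.2.10 eq 25
access-list esmtp-acl extended deny   tcp host 198.51.100.6 host 192.0.2.10 eq 25
access-list esmtp-acl extended permit tcp any any eq 25
!
! 3. Bind the ACL to a class and add the class to the existing global policy.
class-map esmtp-cm
  match access-list esmtp-acl
policy-map global_policy
  class esmtp-cm
    inspect esmtp
!
! 4. Verify after the next delivery attempt from an exempt host:
!    the hit count on its deny line should increase, and the esmtp
!    inspection counters should move only for non-exempt senders.
show access-list esmtp-acl
show service-policy inspect esmtp
show conn address 198.51.100.5
```

If a sender has several MX hosts, add one deny line per address; a deny line with a network and mask works as well when all of a site's MX hosts share a block.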

2 Replies


Yes, this is what I needed. Thank you, PK.

Jim
