New Member

ASA - Inspect ESMTP

I am working with an ASA 5520 with a spam appliance located within the DMZ. Not all SMTP connections are being corrupted by the inspect esmtp setting, just a few. It was discovered that those few sites that are connecting to the spam appliance traverse 2 additional firewalls (1 ASA and 1 PIX) *before* their SMTP traffic hits the Internet to continue on to our DMZ.

Why would this be the case? Is it due to passing through two additional firewalls that may be adjusting the headers (static NAT, etc.)?

If we are not comfortable turning off the inspect esmtp setting, is it possible to write a specific policy that would include these few sites' MX records? If so, how might that be done?

Thanks,

Jim

Accepted Solution

Cisco Employee

Re: ASA - Inspect ESMTP

You could create an access list that matches specific server IP addresses, put it under the policy map, and inspect ESMTP on it.

------------

! one deny line per sender to exempt from inspection; <exempt-sender-ip> is a placeholder
access-list esmtp-acl deny tcp host <exempt-sender-ip> any eq 25
access-list esmtp-acl permit tcp any any eq 25

class-map esmtp-cm
  match access-list esmtp-acl

policy-map global_policy
  ! the default class already inspects esmtp for all port 25 traffic and is
  ! evaluated first, so remove it there or the exemption never takes effect
  class inspection_default
    no inspect esmtp
  class esmtp-cm
    inspect esmtp

------------

I hope it helps.

PK
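
An added offline check of the pattern in this answer (example code, not from the thread or from Cisco): an ASA class-map's `match access-list` is evaluated first-match, so the deny entries keep the exempted senders out of the class and only the permit-matched port 25 flows receive `inspect esmtp`. The sender and appliance addresses are constructed RFC 5737 values; resolving the few sites' actual MX hosts to addresses is assumed to have been done beforehand.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens, i):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # network followed by a normal subnet mask (ASA ACLs do not use wildcard masks)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny tcp SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[2], "src": src, "dst": dst, "dport": dport}

def in_class(acl_lines, src_ip, dst_ip, dport):
    """Evaluate the ACL the way 'match access-list' in a class-map does:
    the first matching ACE wins, and the flow belongs to the class (so gets
    'inspect esmtp') only if that ACE is a permit. A deny, or no match at
    all (implicit deny), keeps the flow out of the class."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if s in ace["src"] and d in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"] == "permit"
    return False

def build_acl(exempt_sources, name="esmtp-acl"):
    """Emit the ACL from the answer: one deny per exempt sender, then permit all port 25.
    'exempt_sources' are the sender IPs/networks resolved for the few problem sites."""
    lines = [f"access-list {name} deny tcp {spec} any eq 25" for spec in exempt_sources]
    lines.append(f"access-list {name} permit tcp any any eq 25")
    return lines

# Constructed sample (RFC 5737 documentation addresses, not real sites):
# two exempt senders and the DMZ spam appliance at 203.0.113.25.
ESMTP_ACL = build_acl(["host 192.0.2.10", "198.51.100.0 255.255.255.0"])

if __name__ == "__main__":
    print("\n".join(ESMTP_ACL))
    for src in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(src, "inspected:", in_class(ESMTP_ACL, src, "203.0.113.25", 25))
```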

2 REPLIES

New Member

Re: ASA - Inspect ESMTP

Yes, this is what I needed. Thank you, PK.

Jim
