asa service policy

suthomas1
Level 6

This is a service policy for ESMTP on the ASA.

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0

        mask-banner, count 2073

        match cmd line length gt 512

          drop-connection log, packet 0

        match cmd RCPT count gt 100

          drop-connection log, packet 0

        match body line length gt 998

          log, packet 0

        match header line length gt 998

          drop-connection log, packet 0

        match sender-address length gt 320

          drop-connection log, packet 0

        match MIME filename length gt 255

          drop-connection log, packet 0

        match ehlo-reply-parameter others

          mask, packet 2
-----------------------------------------------------------------------

Class-map: inspection_default

      Inspect: ftp, packet 18793, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 3, drop 0, reset-drop 0

      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

      Inspect: netbios, packet 0, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, drop 0, reset-drop 0

      Inspect: skinny , packet 0, drop 0, reset-drop 0

      Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0

      Inspect: sqlnet, packet 0, drop 0, reset-drop 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

      Inspect: tftp, packet 0, drop 0, reset-drop 0

      Inspect: sip , packet 5, drop 0, reset-drop 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

The configured ACL for ESMTP shows hits on it, but ESMTP doesn't work for the branch office.

Will the service policy pose blocks for this?

When it says packet 611 on esmtp, it indicates inspected & allowed traffic, is that true?

TIA.


Accepted Solutions

Hi,

There's an ESMTP server behind the ASA that should be accessible from the remote office?

If so you need an ACL allowing the inbound traffic and a static NAT.

If the ACL shows hits on it, traffic is getting to the ASA.

You can do:

packet-tracer input outside tcp x.x.x.x 1024 y.y.y.y 25 det

The above will show if there's any process dropping ESMTP packets to the server.

x.x.x.x --> IP of the remote host

y.y.y.y --> NAT IP of the server

Federico.
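
Added example (not part of the original posts and not Cisco tooling): a Python sketch that reads the `show service-policy` output quoted in the question and lists inspection engines whose drop or reset-drop counter, or any drop action counter, is non-zero. The sample text is constructed from the output above, and the function names are hypothetical.

```python
import re

# Constructed sample: excerpt of the `show service-policy` output quoted in the question.
SAMPLE = """\
      Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0
        mask-banner, count 2073
        match cmd line length gt 512
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 2
      Inspect: ftp, packet 18793, drop 0, reset-drop 0
"""

INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(?P<name>.+?)\s*,\s*packet (?P<packet>\d+),"
    r"\s*drop (?P<drop>\d+),\s*reset-drop (?P<reset>\d+)\s*$")
MATCH_RE = re.compile(r"^\s*match\s+(?P<cond>.+?)\s*$")
ACTION_RE = re.compile(r"^\s*(?P<action>[a-z][a-z\- ]*?),\s*(?:packet|count) (?P<n>\d+)\s*$")

def parse_service_policy(text):
    """Return one dict per 'Inspect:' line with its counters and match-clause actions."""
    inspections, current, pending = [], None, None
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if m:
            current = {"name": m["name"], "packet": int(m["packet"]),
                       "drop": int(m["drop"]), "reset_drop": int(m["reset"]),
                       "actions": []}
            inspections.append(current)
            pending = None
            continue
        m = MATCH_RE.match(line)
        if m:
            pending = m["cond"]  # remember the condition for the action line that follows
            continue
        m = ACTION_RE.match(line)
        if m and current is not None:
            current["actions"].append((pending, m["action"], int(m["n"])))
            pending = None
    return inspections

def dropping(inspections):
    """Names of engines with a non-zero drop/reset-drop counter or a drop action that fired."""
    return [i["name"] for i in inspections
            if i["drop"] or i["reset_drop"]
            or any(n and a.startswith("drop") for _, a, n in i["actions"])]

if __name__ == "__main__":
    print("dropping:", dropping(parse_service_policy(SAMPLE)))
```

On the counters shown in the question, every drop, reset-drop and drop-connection counter is 0, so the list comes back empty.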
