asa service policy

This is a service policy for ESMTP on the ASA.

Global policy:

  Service-policy: global_policy

    Class-map: inspection_default

      Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0

        mask-banner, count 2073

        match cmd line length gt 512

          drop-connection log, packet 0

        match cmd RCPT count gt 100

          drop-connection log, packet 0

        match body line length gt 998

          log, packet 0

        match header line length gt 998

          drop-connection log, packet 0

        match sender-address length gt 320

          drop-connection log, packet 0

        match MIME filename length gt 255

          drop-connection log, packet 0

        match ehlo-reply-parameter others

          mask, packet 2
-----------------------------------------------------------------------

Class-map: inspection_default

      Inspect: ftp, packet 18793, drop 0, reset-drop 0

      Inspect: h323 h225 _default_h323_map, packet 3, drop 0, reset-drop 0

      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0

      Inspect: netbios, packet 0, drop 0, reset-drop 0

      Inspect: rsh, packet 0, drop 0, reset-drop 0

      Inspect: rtsp, packet 0, drop 0, reset-drop 0

      Inspect: skinny , packet 0, drop 0, reset-drop 0

      Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0

      Inspect: sqlnet, packet 0, drop 0, reset-drop 0

      Inspect: sunrpc, packet 0, drop 0, reset-drop 0

      Inspect: tftp, packet 0, drop 0, reset-drop 0

      Inspect: sip , packet 5, drop 0, reset-drop 0

      Inspect: xdmcp, packet 0, drop 0, reset-drop 0

The configured ACL for ESMTP shows hits on it, but ESMTP doesn't work for the branch office.

Will the service policy pose blocks for this?

When it says packet 611 on esmtp, it indicates inspected & allowed traffic, is that true?

TIA.

Accepted Solutions

Re: asa service policy

Hi,

There's an ESMTP server behind the ASA that should be accessible from the remote office?

If so you need an ACL allowing the inbound traffic and a static NAT.

If the ACL shows hits on it, traffic is getting to the ASA.

You can do:

packet-tracer input outside tcp x.x.x.x 1024 y.y.y.y 25 det

The above will show if there's any process dropping ESMTP packets to the server.

x.x.x.x --> IP of the remote host

y.y.y.y --> NAT IP of the server

Federico.
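
An added example, not part of the original posts: a small parser for output in the format pasted in the question, which lists any inspection engine with non-zero `drop`/`reset-drop` counters and any `match` clause whose action counter is non-zero. The function names are hypothetical and the line format is assumed to be exactly as shown in the question.

```python
import re

# Constructed sample: a few lines in the format (and with the values) posted in the question.
SAMPLE = """\
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0
        mask-banner, count 2073
        match cmd line length gt 512
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 2
      Inspect: sip , packet 5, drop 0, reset-drop 0
"""

INSPECT = re.compile(r"^\s*Inspect:\s*(.+?)\s*,\s*packet (\d+), drop (\d+), reset-drop (\d+)\s*$")
MATCH = re.compile(r"^\s*match\s+(.+?)\s*$")
ACTION = re.compile(r"^\s*([a-z][a-z\- ]*?),\s*packet (\d+)\s*$")

def parse_service_policy(text):
    """Return a list of inspect engines with their counters and match clauses."""
    engines, current, pending = [], None, None
    for line in text.splitlines():
        if m := INSPECT.match(line):
            current = {"engine": m[1], "packet": int(m[2]), "drop": int(m[3]),
                       "reset_drop": int(m[4]), "matches": []}
            engines.append(current)
            pending = None
        elif current is not None and (m := MATCH.match(line)):
            pending = m[1]  # the action line for this clause follows
        elif current is not None and pending and (m := ACTION.match(line)):
            current["matches"].append({"match": pending, "action": m[1], "packet": int(m[2])})
            pending = None
    return engines

def findings(engines):
    """List engines that dropped packets and match clauses whose action fired."""
    out = []
    for e in engines:
        if e["drop"] or e["reset_drop"]:
            out.append(f"{e['engine']}: drop={e['drop']} reset-drop={e['reset_drop']}")
        for c in e["matches"]:
            if c["packet"]:
                out.append(f"{e['engine']}: match {c['match']} -> {c['action']} x{c['packet']}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_service_policy(SAMPLE))))
```
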
