Cisco Support Community
New Member

ESMTP inspection clarifications

Dear friends,

A few clarifications on ESMTP inspection class maps.

1. What exactly is Match invalid-recipients? I don't know the meaning of this match clause, even from the command reference.

2. Under ESMTP inspection, there are two conflicting commands for recipient addresses:

Match cmd RCPT count gt bytes

match header length to_fields count gt

Aren't both more or less the same?

Can I get some clarifications on these 2 points?

Thanks a lot

Gautam

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ESMTP inspection clarifications

Gautham,

1. invalid recipient count: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2031823

mail server---(I)ASA(0)--client

I believe this counter is tracked by the inspection for all the "5.5.0 smtp;550 Invalid recipient" responses the server sends to the client (on the same connection) for the RCPT TO: commands the client sends. If this counter reaches the value set, it sends the syslog message below.

ASA-6-108005: ESMTP Classification: Received ESMTP Response from inside:10.1.1.1/25 to outside:10.11.44.2/3311; matched Class 22: invalid-recipients count gt 10

2. Match cmd RCPT count gt

To match the number of recipient addresses, enter the following command:
hostname(config-pmap-p)# match cmd RCPT count gt count
Where count is the number of recipient addresses.

3. match header length to_fields count gt

To match the header to-fields count, enter the following command:
hostname(config-pmap-p)# match header to-fields count gt count
Where count is the number of recipients in the to-field of the header.

I believe you are correct. 2 and 3 appear to be the same. Just tracked in different places.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html

-KS
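As an added illustration (not from this thread and not Cisco's code) of how the three clauses discussed above would be evaluated on one connection, the following constructed Python model counts RCPT TO commands, 5xx replies to them, and addresses in the To: header as three separate counters, then checks each against a hypothetical "count gt N" class map. The transcript and thresholds are made up.

```python
# Constructed ESMTP transcript: "C:" client, "S:" server (not a real capture).
SESSION = """\
C: RCPT TO:<a@example.test>
S: 250 2.1.5 Ok
C: RCPT TO:<nobody1@example.test>
S: 550 5.1.1 Recipient address rejected
C: RCPT TO:<nobody2@example.test>
S: 550 5.1.1 Recipient address rejected
C: RCPT TO:<b@example.test>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: To: a@example.test, b@example.test, c@example.test
C: .
"""

# Hypothetical class-map thresholds; each clause means "count gt N".
CLASS_MAP = {"rcpt_count": 3, "invalid_recipients": 1, "to_fields_count": 5}

def inspect_session(transcript):
    """Fill the three counters the thread's clauses test (simplified model)."""
    c = {"rcpt_count": 0, "invalid_recipients": 0, "to_fields_count": 0}
    in_data, last_cmd = False, ""
    for raw in transcript.splitlines():
        side, _, text = raw.partition(":")
        text = text.strip()
        if side == "S":                       # server reply to the last command
            code = text[:3]
            if last_cmd == "RCPT" and code.startswith("5"):
                c["invalid_recipients"] += 1  # server rejected a RCPT TO
            in_data = last_cmd == "DATA" and code == "354"
            continue
        if in_data:                           # message content: header lines
            if text == ".":
                in_data = False
            elif text.lower().startswith("to:"):
                addrs = text[3:].split(",")
                c["to_fields_count"] += sum(1 for a in addrs if a.strip())
            continue
        last_cmd = text.split()[0].upper() if text else ""
        if last_cmd == "RCPT":                # envelope recipient command
            c["rcpt_count"] += 1
    return c

def match_class_map(counters, class_map=CLASS_MAP):
    """Return the clauses whose 'count gt N' condition fires."""
    return [k for k, n in class_map.items() if counters[k] > n]
```

On this transcript the RCPT count is 4 and the to-fields count is 3, which is why the two clauses can fire independently on the same connection.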

2 REPLIES

New Member

Re: ESMTP inspection clarifications

Thanks a lot Kureli for the detailed explanation
