08-06-2009 03:34 PM - edited 03-11-2019 09:03 AM
Does anyone know a way to display the ASA default ESMTP inspection settings?
The config seems to show nothing more than "inspect esmtp" in the global policy. We needed to liberalize a setting (allow more than 100 recipients) which means implementing our own inspection policy, but we don't seem to have an obvious way of replicating the remaining default inspection limits.
08-06-2009 03:55 PM
For additional esmtp inspection parameters you have to create your own esmtp inspection policy map.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1478782
08-07-2009 08:07 AM
We did that part. But we don't know what the other default settings are for ESMTP inspection, so currently all we have is a limit for RCPT entries.
To save time and effort it would be nice to replicate the remaining default inspection entries to get some use out of the feature, rather than generating them from scratch through trial and error.
08-10-2009 11:35 AM
Problem solved! We figured out how to display the default inspection values, which turns out to be pretty simple:
# show service-policy inspect esmtp
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match cmd line length gt 512
          drop-connection log, packet 0
        match cmd RCPT count gt 100
          drop-connection log, packet 0
        match body line length gt 998
          log, packet 0
        match header line length gt 998
          drop-connection log, packet 0
        match sender-address length gt 320
          drop-connection log, packet 0
        match MIME filename length gt 255
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 0
Making a custom inspection set then becomes pretty straightforward:
# policy-map type inspect esmtp ESMTP_Policy
  parameters
    allow-tls
  match cmd RCPT count gt 1000
    reset log
# policy-map global_policy
# class inspection_default
# no inspect esmtp
# inspect esmtp ESMTP_Policy
Now it's much easier to adjust the values as we encounter problems in the logs or have them brought to us by users.
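As an added example that is not part of the thread (Python, with hypothetical helper names parse_defaults and build_policy), the script below parses the 'show service-policy inspect esmtp' output shown above and emits a custom policy-map that keeps every default match and action, changing only the RCPT limit and adding allow-tls, so none of the other default checks are lost when the default map is replaced (the custom map in the post above carries only the RCPT rule).

```python
import re
# Constructed sample of the ESMTP section of 'show service-policy inspect esmtp' (thread defaults).
SHOW_OUTPUT = """\
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
  mask-banner, count 0
  match cmd line length gt 512
    drop-connection log, packet 0
  match cmd RCPT count gt 100
    drop-connection log, packet 0
  match body line length gt 998
    log, packet 0
  match header line length gt 998
    drop-connection log, packet 0
  match sender-address length gt 320
    drop-connection log, packet 0
  match MIME filename length gt 255
    drop-connection log, packet 0
  match ehlo-reply-parameter others
    mask, packet 0
"""
COND_RE = re.compile(r"^(.*?)\s+((?:gt|lt|eq|neq)\s+\d+|others)$")

def parse_defaults(text):
    """Return (parameter lines, [(match line, action line)]) with hit counters stripped."""
    params, matches, pending = [], [], None
    for raw in text.splitlines():
        line = re.sub(r",\s*(?:packet|count)\s+\d+$", "", raw.strip())
        if not line or line.startswith("Inspect:"):
            continue
        if line.startswith("match "):
            pending = line          # the action is printed on the following line
        elif pending:
            matches.append((pending, line))
            pending = None
        else:
            params.append(line)     # a 'parameters' entry such as mask-banner
    return params, matches

def build_policy(name, params, matches, overrides, extra_params=()):
    """Emit policy-map config; overrides maps a match key like 'cmd RCPT count' to (condition, action)."""
    lines = [f"policy-map type inspect esmtp {name}", " parameters"]
    lines += [f"  {p}" for p in (*params, *extra_params)]
    for match, action in matches:
        key, cond = COND_RE.match(match[len("match "):]).groups()
        cond, action = overrides.get(key, (cond, action))   # keep the default unless overridden
        lines += [f" match {key} {cond}", f"  {action}"]
    return "\n".join(lines)
if __name__ == "__main__":   # replicate the defaults, raise the RCPT limit, allow TLS
    p, m = parse_defaults(SHOW_OUTPUT)
    print(build_policy("ESMTP_Policy", p, m, {"cmd RCPT count": ("gt 1000", "reset log")}, ["allow-tls"]))
```

The printed block can be pasted into configuration mode in place of the RCPT-only map; review the output before replacing the default inspection.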
08-11-2009 03:48 PM
One more way (see the all option in sh run):
ASA-5510-8x# sh run all | b policy-map
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect http http-pol
 parameters
  body-match-maximum 200
 match request uri regex _default_x-kazaa-network
policy-map type inspect rtsp _default_rtsp_map
 description Default RTSP policymap
 parameters
policy-map type inspect h323 _default_h323_map
 description Default H.323 policymap
 parameters
  no rtp-conformance
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect rsh
  inspect rtsp
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class sip_class
  inspect sip
 class class-default
policy-map type inspect sip _default_sip_map
 description Default SIP policymap
 parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance
policy-map type inspect dns _default_dns_map
 description Default DNS policy-map
 parameters
  no message-length maximum
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
 description Default IPSEC-PASS-THRU policy-map
 parameters
  esp per-client-max 0 timeout 0:10:00
!
service-policy global_policy global
08-24-2009 01:13 PM
Terrific! That option should help with many other things as well. Thanks for the info.