ESMTP inspection default settings

stevekives (Level 1)

Does anyone know a way to display the ASA default ESMTP inspection settings?

The config seems to show nothing more than "inspect esmtp" in the global policy. We needed to liberalize a setting (allow more than 100 recipients) which means implementing our own inspection policy, but we don't seem to have an obvious way of replicating the remaining default inspection limits.

Accepted Solution

One more way (see the all option in sh run):

ASA-5510-8x# sh run all | b policy-map
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect http http-pol
 parameters
  body-match-maximum 200
 match request uri regex _default_x-kazaa-network
policy-map type inspect rtsp _default_rtsp_map
 description Default RTSP policymap
 parameters
policy-map type inspect h323 _default_h323_map
 description Default H.323 policymap
 parameters
  no rtp-conformance
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect rsh
  inspect rtsp
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class sip_class
  inspect sip
 class class-default
policy-map type inspect sip _default_sip_map
 description Default SIP policymap
 parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance
policy-map type inspect dns _default_dns_map
 description Default DNS policy-map
 parameters
  no message-length maximum
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
 description Default IPSEC-PASS-THRU policy-map
 parameters
  esp per-client-max 0 timeout 0:10:00
!
service-policy global_policy global


5 Replies

JORGE RODRIGUEZ (Level 10)

For additional esmtp inspection parameters you have to create your own esmtp inspection policy map.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1478782

Jorge Rodriguez

We did that part. But we don't know what the other default settings are for ESMTP inspection, so currently all we have is a limit for RCPT entries.

To save time and effort it would be nice to replicate the remaining default inspection entries to get some use out of the feature, rather than generating them from scratch through trial and error.

Problem solved! We figured out how to display the default inspection values, which turns out to be pretty simple:

# show service-policy inspect esmtp

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
        mask-banner, count 0
        match cmd line length gt 512
          drop-connection log, packet 0
        match cmd RCPT count gt 100
          drop-connection log, packet 0
        match body line length gt 998
          log, packet 0
        match header line length gt 998
          drop-connection log, packet 0
        match sender-address length gt 320
          drop-connection log, packet 0
        match MIME filename length gt 255
          drop-connection log, packet 0
        match ehlo-reply-parameter others
          mask, packet 0

Making a custom inspection set then becomes pretty straightforward:

policy-map type inspect esmtp ESMTP_Policy
 parameters
  allow-tls
 match cmd RCPT count gt 1000
  reset log
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp ESMTP_Policy

Now it's much easier to adjust the values as we encounter problems in the logs or have them brought to us by users.


Terrific! That option should help with many other things as well. Thanks for the info.
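The two listings in this thread give the default ESMTP map (from `sh run all`) and a custom map that keeps only two of its lines, which is exactly the situation the original question worried about: replacing the default map drops every default you did not copy. The script below is an added example, not part of the thread and not Cisco software. It parses `policy-map type inspect esmtp` blocks out of `show running-config all` text (indentation is ignored, so a flattened paste like the one in the thread parses the same as real device output; description lines and class-based maps are not modelled), reports which defaults a custom map drops or overrides, and renders a merged map that carries every remaining default forward under the custom map's name. The two config strings are constructed copies of the listings in the thread. One point the report makes visible: the only default the custom map inverts is `no allow-tls`. With that default the ASA masks the STARTTLS keyword in the EHLO reply so the session stays in clear text and the other limits in the map can be enforced; once `allow-tls` is set, clients can negotiate TLS and the inspection engine cannot see the encrypted commands, so the remaining match lines no longer apply to that session.

```python
"""Added example (not from the thread): parse ESMTP inspection policy-maps out of ASA
`show running-config all` text, diff a custom map against the default, and merge them."""
import re
from dataclasses import dataclass, field
# Constructed sample in the shape of `sh run all`: the thread's _default_esmtp_map followed
# by the global policy, which the parser must skip.
SAMPLE_SH_RUN_ALL = """\
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match body line length gt 998
  log
 match header line length gt 998
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match MIME filename length gt 255
  drop-connection log
 match ehlo-reply-parameter others
  mask
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
"""

# The poster's custom map as typed in the thread (constructed copy).
CUSTOM_MAP = """\
policy-map type inspect esmtp ESMTP_Policy
 parameters
  allow-tls
 match cmd RCPT count gt 1000
  reset log
"""

@dataclass
class EsmtpMap:
    name: str
    parameters: dict = field(default_factory=dict)  # keyword -> full line, e.g. "no allow-tls"
    matches: dict = field(default_factory=dict)     # criterion -> (threshold or None, action)

def split_match(text):
    """'cmd RCPT count gt 100' -> ('cmd RCPT count gt', '100'); no trailing number -> None."""
    m = re.search(r"\s+(\d+)$", text)
    return (text[: m.start()], m.group(1)) if m else (text, None)

def parse_esmtp_maps(config_text):
    """{name: EsmtpMap} for each `policy-map type inspect esmtp`; other blocks are skipped."""
    maps, current, mode, crit = {}, None, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("policy-map "):
            m = re.match(r"policy-map type inspect esmtp (\S+)$", line)
            current = maps.setdefault(m.group(1), EsmtpMap(m.group(1))) if m else None
            mode = crit = None
        elif current is None:
            continue
        elif line == "parameters":
            mode, crit = "params", None
        elif line.startswith("match "):
            mode = "match"
            crit, thr = split_match(line[len("match "):])
            current.matches[crit] = (thr, "")
        elif mode == "params":
            words = line.split()                      # "no X" is keyed by X
            current.parameters[words[1] if words[0] == "no" else words[0]] = line
        elif mode == "match" and crit is not None:    # action line(s) of the current match
            thr, action = current.matches[crit]
            current.matches[crit] = (thr, (action + " " + line).strip())
    return maps

def diff_against_default(default, custom):
    """Defaults the custom map drops (missing_*) or overrides (changed_*), per section."""
    report = {}
    for section in ("parameters", "matches"):
        d, c = getattr(default, section), getattr(custom, section)
        report["missing_" + section] = [k for k in d if k not in c]
        report["changed_" + section] = {k: (d[k], c[k]) for k in d if k in c and c[k] != d[k]}
    return report

def render_merged(default, custom):
    """ASA config for a map named like `custom` keeping every default unless overridden."""
    params, matches = dict(default.parameters), dict(default.matches)
    params.update(custom.parameters)       # an override keeps the default's position
    matches.update(custom.matches)
    out = [f"policy-map type inspect esmtp {custom.name}", " parameters"]
    out += [f"  {p}" for p in params.values()]
    for crit, (thr, action) in matches.items():
        out.append(f" match {crit} {thr}" if thr is not None else f" match {crit}")
        out.append(f"  {action}")
    return "\n".join(out) + "\n"
```

Run `parse_esmtp_maps` on the saved output of `show running-config all` and again on your own map, then read `diff_against_default(default, custom)`: anything under `missing_*` is protection the custom map silently gave up. Paste the output of `render_merged(default, custom)` only after reviewing each line, since it mechanically keeps whatever the device reported as its default and keys matches by criterion (so `cmd RCPT count gt 1000` replaces `cmd RCPT count gt 100` rather than being added beside it).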
