New Member

Exchange 2007 in DMZ and ESMTP inspection

Hello,

We are upgrading from an old Exchange 2003 server to Exchange 2007.  We are not a large organization so we're using a 2 server model, edge transport in the DMZ and all other functions on another server on the inside network.  During testing we are finding we are unable to send mail as long as the default inspection policy on our ASA is applied to esmtp.  As soon as I disable it, the mail flows.

We're running ASA 5520 and software version 8.2(2)9.

I've not been able to find any information on how to resolve this, other than disabling esmtp inspection.

If we leave the esmtp inspection disabled, is this a serious risk?

Accepted Solutions
Cisco Employee

Re: Exchange 2007 in DMZ and ESMTP inspection

Hello,

The ESMTP inspection is simply responsible for protocol enforcement (i.e. command checking), so it's not a huge risk to leave it disabled (or to exempt the inspection for traffic between your Exchange servers).

The reason things are failing is likely because the Exchange servers are using certain commands that the ASA's inspection doesn't support. Depending on the commands, you might be able to configure your servers not to use them if you want to re-enable the inspection (you'd need to do some packet captures to see which commands are being used in the SMTP session).

Here is a quick description of the ESMTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1742723

Hope that helps.

-Mike
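
As an added example (not part of Mike's answer or this thread): a small Python script that takes an SMTP session transcript exported from a packet capture and lists the command verbs the client actually used against the set of verbs the ASA ESMTP inspection is documented to recognise. The transcript format is assumed to be one line per message with a `C:` prefix for the client and `S:` for the server (what a trimmed Wireshark "Follow TCP Stream" export looks like); the inspected-verb set comes from my reading of the ASA `inspect esmtp` command reference, not from this thread, and the sample session is constructed to resemble an Exchange 2007 edge-to-hub exchange.

```python
import re

# Verbs the ASA ESMTP inspection is documented to recognise; from my reading of the
# ASA "inspect esmtp" command reference, not from the forum post. Verify for your release.
ASA_INSPECTED_COMMANDS = {
    "AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL",
    "NOOP", "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
}

# Constructed transcript ("C:" client, "S:" server) in the shape of an Exchange edge-to-hub session; not a real capture.
SAMPLE_SESSION = """\
S: 220 hub.example.local Microsoft ESMTP MAIL Service ready
C: EHLO edge.example.local
S: 250-hub.example.local Hello [10.0.0.5]
S: 250-PIPELINING
S: 250-X-ANONYMOUSTLS
S: 250-X-EXPS GSSAPI NTLM
S: 250-XEXCH50
S: 250 CHUNKING
C: X-ANONYMOUSTLS
C: XEXCH50 1024 2
C: MAIL FROM:<alice@example.com>
C: RCPT TO:<bob@example.com>
C: BDAT 512 LAST
C: QUIT
"""

def client_commands(session):
    """Distinct command verbs the client sent, in first-seen order."""
    verbs = []
    for line in session.splitlines():
        if line.startswith("C: "):
            verb = line[3:].split()[0].upper()
            if verb not in verbs:
                verbs.append(verb)
    return verbs

def advertised_extensions(session):
    """Keywords in the server's multi-line EHLO reply, greeting line excluded."""
    block = re.search(r"^C: EHLO.*\n((?:S: 250-.*\n)*S: 250 .*\n)", session, re.M)
    lines = block.group(1).splitlines() if block else []
    return [l[7:].split()[0].upper() for l in lines[1:]]  # strip the "S: 250-" prefix

def uninspected_commands(session):
    """Client verbs outside the inspected set: first suspects when inspect esmtp stops mail."""
    return [v for v in client_commands(session) if v not in ASA_INSPECTED_COMMANDS]

if __name__ == "__main__":
    print("not in inspected set:", uninspected_commands(SAMPLE_SESSION))
```

Whatever is reported as not in the inspected set is what to look for in your own capture when deciding whether to exempt the Exchange-to-Exchange traffic from the inspection, as the answer suggests.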
