New Member

How to avoid SMTP inspection Router IOS ZBF?

We had a problem with SMTP inspection dropping emails with attachments (Cisco 2900 IOS 15.1).

Logging shows that the dropping is due to "OOO" segments.

I want to skip inspection and reassembly of SMTP packets and simply pass them. I've created an access list and added it to a class map with the action pass, but after that I stopped receiving mail completely. (access-list 103 permit tcp any any eq smtp)

class-map type inspect match-any OUTSIDE-INSIDE-SMTP
  match access-group 103

This is my configuration

class-map type inspect match-any OUTSIDE-INSIDE-ICMP-REPLY
  match access-group 102
class-map type inspect match-any Aruba-Outside
  match protocol tcp
  match protocol udp
class-map type inspect match-any Inside-Outside
  match protocol udp
  match protocol tcp
class-map type inspect match-any OUTSIDE-INSIDE-SMTP
  match access-group 103
class-map type inspect match-any OUTSIDE-INSIDE
  match protocol dns
  match protocol http
  match protocol https
  match protocol ftp
  match protocol user-fleet
  match protocol ipsec-msft
  match protocol isakmp
!
!
policy-map type inspect Aruba-Outside
  class type inspect Aruba-Outside
    inspect
  class class-default
    pass
policy-map type inspect Inside-Outside
  class type inspect Inside-Outside
    inspect
  class class-default
    pass
policy-map type inspect OUTSIDE-INSIDE
  class type inspect OUTSIDE-INSIDE
    inspect
  class type inspect OUTSIDE-INSIDE-SMTP
    pass
  class type inspect OUTSIDE-INSIDE-ICMP-REPLY
    pass
  class class-default
    drop
!
zone security IN
zone security OUT
zone security ARUBA
zone-pair security INSIDE/OUTSIDE source IN destination OUT
  service-policy type inspect Inside-Outside
zone-pair security OUTSIDE-INSIDE source OUT destination IN
  service-policy type inspect OUTSIDE-INSIDE
zone-pair security ARUBA-OUTSIDE source ARUBA destination OUT
  service-policy type inspect Aruba-Outside

Accepted Solutions
VIP Purple

Re: How to avoid SMTP inspection Router IOS ZBF?

I assume that your ACL 103 has a permit for TCP/25. Then your policy needs to be changed to inspect:

policy-map type inspect OUTSIDE-INSIDE

  class type inspect OUTSIDE-INSIDE-SMTP

    inspect

With this config, the traffic is only inspected as TCP and nothing is done in the upper layers. Only if you configure a class with a "match protocol ..." statement, a layer7 protocol-inspection is done.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
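
The change described in the answer above, shown in the context of the full OUTSIDE-INSIDE policy from the question (an added example, not part of the original posts). The `pass` action is stateless and one-directional, so return traffic needs its own policy on the opposite zone-pair, while `inspect` on an ACL-matched class tracks the TCP session without any SMTP-level inspection. The address 192.0.2.25 is a constructed placeholder for the mail server, not a value from the thread.

```cisco
! ACL from the question: matches SMTP to any destination.
access-list 103 permit tcp any any eq smtp
!
! Optional tightening (assumption: 192.0.2.25 stands in for the real
! mail server). Replace the line above with:
!   access-list 103 permit tcp any host 192.0.2.25 eq smtp
!
class-map type inspect match-any OUTSIDE-INSIDE-SMTP
  match access-group 103
!
policy-map type inspect OUTSIDE-INSIDE
  class type inspect OUTSIDE-INSIDE
    inspect
  class type inspect OUTSIDE-INSIDE-SMTP
    ! Before: "pass" let OUT -> IN packets through but created no session,
    ! so the server's replies had to be permitted separately on the
    ! IN -> OUT zone-pair.
    no pass
    ! After: stateful TCP inspection only. No "match protocol smtp" is
    ! involved, so no layer 7 SMTP inspection is applied to this class.
    inspect
  class type inspect OUTSIDE-INSIDE-ICMP-REPLY
    pass
  class class-default
    drop
!
! Verify from exec mode while a mail transfer is running:
!   show policy-map type inspect zone-pair OUTSIDE-INSIDE sessions
```

An established session listed under class OUTSIDE-INSIDE-SMTP in that output confirms the traffic is handled by the ACL-based class.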


New Member

How to avoid SMTP inspection Router IOS ZBF?

Many thanks Karsten, I really appreciate that answer. Now I can receive mail with attachments.
