Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Interal mail domain traffic scanning through CSC/SSM.

Hi,

I have a customer who has an Internet Domain (say 'mydomain.com'), and another internal domain (say 'mylocaldomain.com'). A single mail server downloads the mails from mydomain.com, working through the ASA5510. mydomain.com is being used to exchange mails with external users. For internal mails, users send/receive mails on mylocaldomain.com. Since the same mail server serves for both mydomain.com and mylocaldomain.com, my query is, how do I ensure that all the local mails headed for mylocaldomain.com are scanned etc. by CSC/SSM? Mylocaldomain.com is not published on the internet. The mail server for both the domain is common, and is located on the Internal LAN. Do I need to shift my mail server to DMZ for getting it to work the way we want it? Thanks in advance.

1 REPLY
Community Member

Re: Interal mail domain traffic scanning through CSC/SSM.

Hi

It is better if you place the Mail Server in the DMZ zone and accordingly you have to restructure the rule base.

Since you only need to scan the internal mail traffic, only one service policy is required on the inside interface, with an access-list that matches traffics to be scanned.

access-list local_mail permit tcp eq 25

access-list local_mail permit tcp < internal_network> eq 110

ASA5510(config)# class-map mail-traffic

ASA5510(config-cmap)# match access-list local_mail

ASA5510(config)# policy-map mail-pol

ASA5510(config-pmap)# class mail-traffic

ASA5510(config-pmap-c)# set connection per-client-max

ASA5510(config-pmap-c)# csc [fail-close | fail-open]

ASA5510(config-pmap-c)# service-policy mail-pol interface inside

Hope this will serve your purpose.

137
Views
0
Helpful
1
Replies
CreatePlease to create content