OK so I want to permit only my email servers to send out SMTP and deny SMTP for anything else, but I want everything else to go out over IP. I'm kind of confused where the deny should take place.
ip access-list extended SMTP_SERVERS_OUT
 permit ip object-group SMTP_SERVERS_OUT any
 deny ip object-group HQ-LAN any     <<<<--------- Will this deny everything else sending SMTP or just stop it being matched in the policy map?
!
class-map type inspect match-all CM-SMTP_SERVERS_OUT
 match access-group name SMTP_SERVERS_OUT
 match protocol smtp
!
policy-map type inspect OUTBOUND-TRAFFIC
 class type inspect CM-SMTP_SERVERS_OUT
  inspect
 class class-default
  inspect
Or do I have to create an additional class map to match everything else on SMTP, then drop that in the policy map?
I think it is better if you create a new class that matches on all port 25 traffic and make the action be drop, and put it UNDER the "class-map type inspect CM-SMTP_SERVERS_OUT" that inspects legit email traffic.
It does make sense but I'm not sure it works like that, or at least that's what I'm trying to establish.
From what I can see, it doesn't work "top down" like an ACL would. So the deny all on port 25 would also match the SMTP servers, so even though they're explicitly permitted, what's to stop them matching the deny? With the class-maps there's no sequence numbers, so it's like you can't slot in a different class above another without deleting and recreating the policy.
I really don't see how ZFW makes it easier, it's done nothing but confuse me!!
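The drop-class approach suggested earlier in the thread, written out as an added reference configuration (it is not from this thread or from Cisco's documentation). It assumes zones named INSIDE and OUTSIDE, constructed sample addresses for the mail servers, and the ZFW behaviour that classes in a policy-map are evaluated top-down with first match winning, which is why the drop class for other SMTP sits below the inspect class for the permitted servers.

```cisco
! Added example, not the thread's config. Sample addresses are constructed.
object-group network SMTP_SERVERS_OUT
 host 10.0.1.25
 host 10.0.1.26
!
! ACL only needs the permit: a deny here means "not matched", not "dropped"
ip access-list extended ACL-SMTP_SERVERS
 permit ip object-group SMTP_SERVERS_OUT any
!
! Legitimate mail servers talking SMTP
class-map type inspect match-all CM-SMTP_SERVERS_OUT
 match access-group name ACL-SMTP_SERVERS
 match protocol smtp
!
! Any other SMTP from the inside zone
class-map type inspect match-any CM-SMTP_OTHER
 match protocol smtp
!
! Everything else that should be allowed out
class-map type inspect match-any CM-GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUTBOUND-TRAFFIC
 class type inspect CM-SMTP_SERVERS_OUT
  inspect
 class type inspect CM-SMTP_OTHER
  drop log
 class type inspect CM-GENERAL
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect OUTBOUND-TRAFFIC
```

After applying it, `show policy-map type inspect zone-pair IN-OUT` shows per-class packet counters, so a test SMTP connection from a non-server host should increment the CM-SMTP_OTHER drop counter while the mail servers keep hitting CM-SMTP_SERVERS_OUT.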