PIX Ver. 7.2 ESMTP inspection bypass for some servers

Hello :

I have a PIX 525 version 7.2.

This firewall is protecting servers on different DMZ interfaces.

Some of these servers are email servers using ESMTP.

We would like to bypass ESMTP inspection for some, but not all, servers.

Is that possible? How can we do that?

Can you post a sample configuration?

Any help would be appreciated.

1 REPLY
Re: PIX Ver. 7.2 ESMTP inspection bypass for some servers

Ok,

Here's some configuration assuming you have the pix default policy on:

1) Remove inspection of ESMTP for all SMTP traffic:

policy-map global_policy
 class inspection_default
  no inspect esmtp

2) Define an access list for the traffic you want inspected (modify this for the traffic flows you want inspected):

access-list inspect-esmtp permit tcp host 1.1.1.1 any eq 25

3) Define a class map that matches that access list:

class-map esmtp-map
 match access-list inspect-esmtp

4) Add this traffic to be inspected in your policy map:

policy-map global_policy
 class esmtp-map
  inspect esmtp

That should cover it (assuming global_policy is already defined and applied as a global service policy).

--Jason

Please rate this message if it helped resolve some or all of your issue.
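Added here as a worked check, not part of Jason's reply or of any Cisco tool: a small Python script that parses the MPF sections of a PIX 7.x configuration in the shape described above and reports, for a given server address, whether its SMTP flows are still ESMTP-inspected and by which class. The sample configuration and addresses are constructed, and the parser only understands `host`/`any` ACL endpoints with `eq 25` or `eq smtp`.

```python
import re
from collections import defaultdict
# Constructed sample: the reply's steps merged into one config (addresses made up;
# 'extended' is how PIX 7.x displays ACL entries).
SAMPLE_CONFIG = """\
access-list inspect-esmtp extended permit tcp any host 192.0.2.25 eq 25
access-list inspect-esmtp extended permit tcp any host 192.0.2.26 eq smtp
class-map esmtp-map
 match access-list inspect-esmtp
policy-map global_policy
 class inspection_default
  inspect dns
 class esmtp-map
  inspect esmtp
"""

def parse_mpf(text):
    """Collect ACL entries, class-map -> ACL bindings and per-class inspect lists."""
    acls, class_acl, inspects = defaultdict(list), {}, defaultdict(dict)
    section = name = klass = None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):                      # top-level command
            section = klass = None
            if m := re.match(r"access-list (\S+) (?:extended )?permit tcp (.+)", line):
                acls[m[1]].append(m[2])
            elif m := re.match(r"(class-map|policy-map) (\S+)", line):
                section, name = m[1], m[2]
        elif section == "class-map" and (m := re.match(r"match access-list (\S+)", line)):
            class_acl[name] = m[1]
        elif section == "policy-map" and (m := re.match(r"class (\S+)", line)):
            klass = m[1]
        elif section == "policy-map" and klass and (m := re.match(r"inspect (\S+)", line)):
            inspects[name].setdefault(klass, []).append(m[1])
    return acls, class_acl, inspects

def _ace_matches(ace, ip):
    """SMTP ACE naming `ip` as a host on either side, or any -> any (host/any forms only)."""
    m = re.match(r"(host \S+|any) (host \S+|any) eq (25|smtp)$", ace)
    return bool(m) and (f"host {ip}" in m.groups() or m[1] == m[2] == "any")

def esmtp_inspected(config_text, server_ip, policy="global_policy"):
    """Return (inspected, class_name) for SMTP flows of server_ip under `policy`."""
    acls, class_acl, inspects = parse_mpf(config_text)
    for klass, protos in inspects.get(policy, {}).items():
        # The default class catches every SMTP flow; other classes only what their ACL names.
        if "esmtp" in protos and (klass == "inspection_default" or any(
                _ace_matches(a, server_ip) for a in acls.get(class_acl.get(klass), []))):
            return True, klass
    return False, None
```

Running `esmtp_inspected(SAMPLE_CONFIG, "192.0.2.99")` returns `(False, None)`, which confirms that a server not named in the access list is exempt once `inspect esmtp` is gone from `inspection_default`.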
