Does anyone know of the risk of removing an 'ip inspect..' statement from an IOS firewall feature set? Particularly the 'ip inspect..smtp' or esmtp statement. We are having issues between Exchange servers through our site-to-site VPN and the solution is recommending removing the ip inspect statement for smtp to fix. What is the risk of not having that statement?
ip smtp inspection does not support ESMTP; therefore, if you have enabled SMTP inspection, and your internal e-mail server uses ESMTP and is experiencing e-mail connection problems, you should disable SMTP application inspection for this connection.
It turns out that, yes, our Exchange servers are using esmtp. If I remove the inspect smtp command completely, is there any security risk? Meaning, am I opening up a vulnerability to our organization to some smtp exploit?
I would strongly suggest enabling ip inspect commands. Since you have Exchange Server running esmtp, you need to enable the ip inspect esmtp command, which was introduced in 12.3(7)T. SMTP/ESMTP cannot coexist. Disable SMTP and enable esmtp. ESMTP adds support for 3 additional commands: AUTH, EHLO, and ETRN.
For detailed explanation about the advantage of ESMTP, here's the link
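Added example, not part of the original thread: a small audit of a saved IOS configuration that reports, per inspection rule, whether it still uses smtp inspection, has esmtp inspection, or lists both (which the reply above says cannot coexist). The rule names and the sample configuration are constructed, and the check assumes rules are written in the `ip inspect name <rule> <protocol>` form.

```python
import re

# Constructed sample running-config excerpt (not from the original thread).
SAMPLE_CONFIG = """\
ip inspect name FW-OUT tcp
ip inspect name FW-OUT smtp
ip inspect name VPN-IN esmtp
ip inspect name VPN-IN udp
ip inspect name LEGACY smtp
ip inspect name LEGACY esmtp
ip inspect name DMZ http
"""

# Matches "ip inspect name <rule> <protocol> [options]"; lines beginning
# with "no" are negations and are deliberately not matched.
RULE_RE = re.compile(r"^\s*ip inspect name (\S+) (\S+)", re.MULTILINE)


def audit_mail_inspection(config_text):
    """Return {rule_name: finding} for every inspection rule in the config."""
    protocols = {}
    for name, proto in RULE_RE.findall(config_text):
        protocols.setdefault(name, set()).add(proto.lower())

    findings = {}
    for name, protos in sorted(protocols.items()):
        if {"smtp", "esmtp"} <= protos:
            findings[name] = "conflict: smtp and esmtp on the same rule"
        elif "smtp" in protos:
            findings[name] = "smtp only: ESMTP (EHLO/AUTH/ETRN) not supported"
        elif "esmtp" in protos:
            findings[name] = "ok: esmtp inspection enabled"
        else:
            findings[name] = "no mail inspection on this rule"
    return findings


if __name__ == "__main__":
    for rule, finding in audit_mail_inspection(SAMPLE_CONFIG).items():
        print(f"{rule}: {finding}")
```
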