02-22-2006 07:46 AM - edited 03-09-2019 02:01 PM
Does anyone know of the risk of removing an 'ip inspect..' statement from an IOS firewall feature set? Particularly the 'ip inspect..' smtp or esmtp statement. We are having issues between Exchange servers through our site-to-site VPN and the solution is recommending removing the ip inspect statement for smtp to fix. What is the risk of not having that statement?
Thanks,
- Ted
02-22-2006 08:25 AM
Ted,
IP Inspect for SMTP -
With ip inspect for SMTP activated, only the SMTP commands defined in IETF RFC 821, section 4.5, are allowed through the router; any other SMTP commands are blocked. The allowed SMTP commands include:
DATA, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, and VRFY.
ip smtp inspection does not support ESMTP; therefore, if you have enabled SMTP inspection, and your internal e-mail server uses ESMTP and is experiencing e-mail connection problems, you should disable SMTP application inspection for this connection.
Hope this helps.
02-22-2006 08:51 AM
Hello, thanks for the response,
It turns out that, yes, our Exchange servers are using ESMTP. If I remove the inspect smtp command completely, is there any security risk? Meaning, am I opening up a vulnerability to our organization to some SMTP exploit?
Thanks,
- Ted
02-22-2006 11:21 AM
Hi Ted
I would strongly suggest enabling the ip inspect commands. Since you have Exchange Server running ESMTP, you need to enable the ip inspect esmtp command, which was introduced in 12.3(7)T. SMTP/ESMTP cannot coexist. Disable SMTP and enable ESMTP. ESMTP adds support for 3 additional commands: AUTH, EHLO, and ETRN.
For a detailed explanation about the advantage of ESMTP, here's the link:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455aca.html
02-22-2006 01:58 PM
Excellent, thank you all for the responses.
I will be modifying the command to esmtp. I'll let you know how it goes.
Thanks again everybody!
- Ted
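As an added illustration that is not part of the original thread and is not Cisco's implementation: a simplified Python model of the two command allow-lists quoted in the replies above, run over a constructed client session to show which verbs each inspection mode would stop. The function names, the sample session and the made-up verb `XFOO` are assumptions for the example.

```python
# Simplified model of the command allow-lists described in this thread.
# It is not Cisco's implementation; it only applies the two lists quoted above.
SMTP_ALLOWED = frozenset(
    "DATA EXPN HELO HELP MAIL NOOP QUIT RCPT RSET SAML SEND SOML VRFY".split()
)
ESMTP_ALLOWED = SMTP_ALLOWED | {"AUTH", "EHLO", "ETRN"}

# Constructed client-to-server session (XFOO is a made-up verb on neither list).
SESSION = [
    "ehlo mail.example.com\r\n", "AUTH LOGIN\r\n",
    "MAIL FROM:<a@example.com>\r\n", "RCPT TO:<b@example.com>\r\n",
    "XFOO test\r\n", "DATA\r\n", "Subject: hi\r\n",
    "EHLO inside the message body\r\n", ".\r\n", "QUIT\r\n",
]


def inspect_session(client_lines, mode):
    """Classify each client-to-server line as 'allow', 'block' or 'body'."""
    if mode not in ("smtp", "esmtp"):
        raise ValueError("mode must be 'smtp' or 'esmtp'")
    allowed = ESMTP_ALLOWED if mode == "esmtp" else SMTP_ALLOWED
    in_data = False
    verdicts = []
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            # Message content is not a command, even if it looks like one.
            verdicts.append((line, "body"))
            if line == ".":
                in_data = False  # a lone dot ends the message
            continue
        parts = line.split()
        verb = parts[0].upper() if parts else ""  # verbs are case-insensitive
        verdict = "allow" if verb in allowed else "block"
        verdicts.append((line, verdict))
        # Assumption: the server accepts DATA whenever it is let through.
        if verb == "DATA" and verdict == "allow":
            in_data = True
    return verdicts


def blocked_verbs(client_lines, mode):
    """Verbs that the given inspection mode would stop, in session order."""
    return [line.split()[0].upper() if line.split() else ""
            for line, verdict in inspect_session(client_lines, mode)
            if verdict == "block"]


if __name__ == "__main__":
    for mode in ("smtp", "esmtp"):
        print(mode, "blocks:", blocked_verbs(SESSION, mode))
```
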