ASA: ESMTP inspection with TLS for some hosts and without TLS for other hosts

marcosespinatrigo — Tue, 12 Mar 2019 06:24:23 GMT

Hi all,

I want to enable ESMTP inspection on one ASA, but since a have devices which don´t support TLS I was wondering how to enable ESMTP with TLS inspection for some hosts and ESMTP without TLS inspection for the others. I added the line "esmtp tls-allow" to the default global_policy so I was thinking in creating another policy-map for the hosts which don´t support TLS as follows:

access-list ESMTP permit ip host X.X.X.X any
access-list ESMTP deny ip X.X.X.0 255.255.255.0 any !Would be this line required??

class-map CMAP
match access-list ESMTP

policy-map PMAP
class CMAP
inspect dns preset_dns_map
................... ! include the default application inspections
inspect esmtp

service-policy PMAP interface inside

Could anyone tell me whether this configuration would work or not, please?? Many thanks in advance

Hi Marco,

Cesar Gustavo Lopez Zamarripa — Mon, 10 Aug 2015 13:28:28 GMT

Hi Marco,

You can just add to your new service policy the ESMTP inspection modifications. Traffic will still match the global policy for any other parameters and protocols.

The "deny" ESMTP ACL entry is not necessary as, just like the ACLs used for interfaces, there will be an implicit "deny ip any any" at the bottom. But in this case, it won't drop traffic. It just means that any other traffic won't be matched.

However, if you want to have TLS traffic enabled for that host inbound and outbound, I would suggest the next changes:

Being 192.168.10.1, the device we want to allow TLS.

! ACL to match interesting traffic
access-list ALLOW-TLS extended permit ip host 192.168.10.1 any
access-list ALLOW-TLS extended permit ip any host 192.168.10.1

!ACL to match everything else but not match interesting traffic.
access-list DENY-TLS extended deny ip host 192.168.10.1 any
access-list DENY-TLS extended deny ip any host 192.168.10.1
access-list DENY-TLS extended permit ip any any

!Allow TLS policy map.
policy-map type inspect esmtp ALLOW-TLS
 parameters
  allow-tls

!Class matching traffic to support TLS.
class-map ALLOW-TLS
 match access-list ALLOW-TLS

!Class matching all other traffic.
class-map DENY-TLS
 match access-list DENY-TLS

!Removing default ESMTP inspection and creating new classes
policy-map global_policy
 class inspection_default
  no inspect esmtp
 exit
 class ALLOW-TLS
  inspect esmtp ALLOW-TLS
 class DENY-TLS
  inspect esmtp

This will create two different classes inside the global policy, so, no matter where the traffic starts, it will be matched and there won't be any policy overlaps.

You can tests using the command:

     show service-policy flow tcp host x.x.x.x host 192.168.10.1 eq smtp

By changing x.x.x.x to any desired source IP.

Hope this info helps!

-Cesar.

topic Hi Marco, in Network Security

ASA: ESMTP inspection with TLS for some hosts and without TLS for other hosts

Hi Marco,