https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732556#M534415 <HTML><HEAD></HEAD><BODY><P>I had a very similar problem with an 881w router and the CCP-created firewall. It was preventing SMTP sessions that delivered messages with attachments of 2mb or more in size. These steps fixed that problem.</P></BODY></HTML> Fri, 11 Jan 2013 22:48:04 GMT chiefarchitectinc 2013-01-11T22:48:04Z https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732554#M534413 <P>We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).</P><P></P><P>The original configuration, made using CCP, was:</P><P></P><P>access-list 102 remark CCP_ACL Category=0</P><P>access-list 102 permit ip any host 192.168.1.111</P><P></P><P>class-map type inspect match-all sdm-nat-smtp-1</P><P>match access-group 102</P><P>match protocol smtp</P><P></P><P>policy-map type inspect sdm-pol-NATOutsideToInside-1</P><P>class type inspect sdm-nat-smtp-1</P><P>&nbsp; inspect</P><P>....</P><P></P><P>zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone</P><P>service-policy type inspect sdm-pol-NATOutsideToInside-1</P><P></P><P>Here is how to avoid this inspection:</P><P></P><P>no access-list 102</P><P></P><P>access-list 102 remark CCP_ACL Category=0</P><P>access-list 102 permit tcp any host 192.168.1.111 eq 25</P><P></P><P>class-map type inspect match-all sdm-nat-smtp-1</P><P>no match protocol smtp</P><P>match protocol tcp</P><P></P><P>Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.</P><P></P><P>Hope this will help somebody.</P> Mon, 11 Mar 2019 21:06:56 GMT https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732554#M534413 mbesim 2019-03-11T21:06:56Z https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732555#M534414 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Great info, Here's another link on ZBF that i find quite interesting:-</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1084274">http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1084274</A></P><P></P><P>Hope this one helps as well,</P><P></P><P></P><P>Also, as i said you posted great info, in future please add such valuable info to a Doc rather then discussion. Creating a doc will give this info more visibility.</P><P></P><P>Thanks</P><P>Sian</P></BODY></HTML> Tue, 23 Aug 2011 07:41:04 GMT https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732555#M534414 Parminder Sian 2011-08-23T07:41:04Z https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732556#M534415 <HTML><HEAD></HEAD><BODY><P>I had a very similar problem with an 881w router and the CCP-created firewall. It was preventing SMTP sessions that delivered messages with attachments of 2mb or more in size. These steps fixed that problem.</P></BODY></HTML> Fri, 11 Jan 2013 22:48:04 GMT https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732556#M534415 chiefarchitectinc 2013-01-11T22:48:04Z https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732557#M534416 <P>I am having the same issue with 15.2.</P><P>&nbsp;</P><P>Avoiding the SMTP engine does not seem to me like a fix more of a work around...</P><P>Does anyone know the root cause of this or a better fix</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Oct 2014 11:26:19 GMT https://community.cisco.com/t5/network-security/how-to-avoid-smtp-inspection-on-zone-based-firewall/m-p/1732557#M534416 awinslade 2014-10-28T11:26:19Z