https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479971#M689170 <P><SPAN style="background-color: #f8fafd;">I am working with an ASA 5520 with a SPAM appliance located within the DMZ.&nbsp; Not all smtp connections are being corrupted by the inspect esmtp setting, just a few.&nbsp; It was discovered that those few sites that are connecting to the SPAM appliance traverse 2 additional firewalls (1 ASA and 1 PIX), *before* their smtp traffic hits the Internet to continue on to our DMZ.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Why would this be the case?&nbsp; Is it due to passing through two additional firewalls that may be adjusting the headers (static NAT, etc.)?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">If we are not comfortable turning off the inspect esmtp setting, is it possible to write a specific policy that would include these few sites MX records?&nbsp; If so, how might that be done?</SPAN></P><P></P><P>Thanks,</P><P></P><P>Jim</P> Mon, 11 Mar 2019 17:51:58 GMT cdcjim2877 2019-03-11T17:51:58Z https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479971#M689170 <P><SPAN style="background-color: #f8fafd;">I am working with an ASA 5520 with a SPAM appliance located within the DMZ.&nbsp; Not all smtp connections are being corrupted by the inspect esmtp setting, just a few.&nbsp; It was discovered that those few sites that are connecting to the SPAM appliance traverse 2 additional firewalls (1 ASA and 1 PIX), *before* their smtp traffic hits the Internet to continue on to our DMZ.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Why would this be the case?&nbsp; Is it due to passing through two additional firewalls that may be adjusting the headers (static NAT, etc.)?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">If we are not comfortable turning off the inspect esmtp setting, is it possible to write a specific policy that would include these few sites MX records?&nbsp; If so, how might that be done?</SPAN></P><P></P><P>Thanks,</P><P></P><P>Jim</P> Mon, 11 Mar 2019 17:51:58 GMT https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479971#M689170 cdcjim2877 2019-03-11T17:51:58Z https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479972#M689198 <HTML><HEAD></HEAD><BODY><P>You could create an access list</P><P> that matches specific server ip addresses and put it under the policy map and inspect esmtp on it</P><P></P><P>------------</P><P>access-l esmtp-acl deny tcp <IP not="" to="" inspect=""> any eq 25</IP></P><P>access-l esmtp-acl perm tcp any any eq 25</P><P>class-m esmtp-cm</P><P>&nbsp; match access-l esmtp-acl</P><P>policy-map globasl_policy</P><P>&nbsp; class espmtp-cm</P><P>&nbsp;&nbsp;&nbsp;&nbsp; inspect esmtp</P><P>------------</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Sat, 29 May 2010 00:48:13 GMT https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479972#M689198 Panos Kampanakis 2010-05-29T00:48:13Z https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479973#M689216 <HTML><HEAD></HEAD><BODY><P>Yes, this is what I needed.&nbsp; Thank you PK,</P><P></P><P>Jim</P></BODY></HTML> Sat, 29 May 2010 14:09:55 GMT https://community.cisco.com/t5/network-security/asa-inspect-esmtp/m-p/1479973#M689216 cdcjim2877 2010-05-29T14:09:55Z