SMTP and TLS with PIX

jeff.vargas — Mon, 11 Mar 2019 11:40:21 GMT

Running version 3.1(5) on FWSM

Is there a way to allow TLS with SMTP through the firewall without disabling SMTP statefull inspection globally?

Re: SMTP and TLS with PIX

tstanik — Thu, 13 Dec 2007 22:47:08 GMT

You can do this. You'll just need to define different classes of traffic (using access-list matches) and then inspect ESMTP on certain classes. For example:

access-list traffic-with-TLS permit ip 192.168.1.0 255.255.255.0 any eq 25

access-list traffic-without-TLS deny ip 192.168.1.0 255.255.255.0 any

access-list traffic-without-TLS permit ip any any

class-map inspection_without_smtp

match access-list traffic-with-TLS

class-map inspection_default

match default-inspection-traffic

match access-list traffic-without-TLS

policy-map global_policy

class inspection_without_smtp

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect sqlnet

inspect skinny

class inspection_default