Allow ESMTP from defined IPs

Hi guys,

I have to allow the ESMTP traffic from a defined IP address. I know that the following statement allows me to disable the inspection, but I would like to do more, limiting the "no inspect esmtp" to a single IP address.

conf t
policy-map global_policy
  class inspection_default
    no inspect esmtp
exi
wr

Do you know how to do it?

Thanks,

Dario Vanin

3 Replies

varrao

Hi dario,

You would need this:

! ACL used only to select traffic for the class-map: a deny line means
! "not part of this class", so that flow is not inspected by it.
access-list no-inspect deny ip host x.x.x.x host y.y.y.y
access-list no-inspect permit ip any any
!
class-map no-inspect-class
  match access-list no-inspect
!
policy-map global_policy
  ! remove esmtp from the default class (as in your post), otherwise it still
  ! inspects every flow and the exclusion below has no effect
  class inspection_default
    no inspect esmtp
  ! the class name here must match the class-map defined above
  class no-inspect-class
    inspect esmtp

where x.x.x.x and y.y.y.y are your desired IPs for which you want to disable it.

This would deny the IPs from being inspected but other traffic would be.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Thanks Varun,

so you said that in my scenario I should use this statement below? I have a single host to allow.

access-list no-inspect deny ip host x.x.x.x

Thanks,

Dario

Hi  Dario,

Yes, I would suggest you apply these ACLs:

access-list no-inspect deny ip host x.x.x.x any
access-list no-inspect deny ip any host x.x.x.x
access-list no-inspect permit ip any any

Reason being, you would want to exclude bi-directional traffic, to and from the host to any destination.

Thanks,
Varun Rao
Security Team,
Cisco TAC
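To check the bidirectional point made in this reply, here is an added Python model (not from the thread or from Cisco) of first-match evaluation of a class-map's "match access-list" ACL: a deny hit excludes the flow from the class, so "inspect esmtp" under that class does not apply to it. It assumes esmtp inspection has been removed from inspection_default, as in the original post, and the addresses are constructed placeholders for x.x.x.x.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for the thread's x.x.x.x (RFC 5737 documentation range).
EXEMPT_HOST = "192.0.2.10"

# Dario's single deny line versus Varun's bidirectional pair, each followed by
# the 'permit ip any any' that selects everything else for inspection.
ONE_WAY_ACL = [
    f"access-list no-inspect deny ip host {EXEMPT_HOST} any",
    "access-list no-inspect permit ip any any",
]
BOTH_WAYS_ACL = [
    f"access-list no-inspect deny ip host {EXEMPT_HOST} any",
    f"access-list no-inspect deny ip any host {EXEMPT_HOST}",
    "access-list no-inspect permit ip any any",
]


def _parse_addr(toks):
    """Consume one ASA address spec ('any', 'host A', or 'NET MASK')."""
    if toks[0] == "any":
        return ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ip_network(toks[1]), toks[2:]
    return ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]


def parse_acl(lines):
    """Turn 'access-list NAME {permit|deny} ip SRC DST' lines into rules."""
    rules = []
    for line in lines:
        toks = line.split()
        if toks[0] != "access-list" or toks[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = _parse_addr(toks[4:])
        dst, _ = _parse_addr(rest)
        rules.append((toks[2], src, dst))
    return rules


def inspected(acl_lines, src, dst):
    """First-match evaluation of a class-map 'match access-list' ACL.
    A 'permit' hit selects the flow for the class (so 'inspect esmtp'
    applies); a 'deny' hit, or no hit at all, leaves it out of the class."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in parse_acl(acl_lines):
        if s in src_net and d in dst_net:
            return action == "permit"
    return False
```

With only the first deny line, mail arriving at the host from elsewhere still hits "permit ip any any" and is inspected; the second deny line closes that gap.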
