06-24-2012 10:05 PM - edited 03-11-2019 04:22 PM
Hi guys,
I have to allow the ESMTP traffic from a defined IP address. I know that the following statement allows me to disable the inspection but I would do more, limiting the "no inspect esmtp" to a single IP address.
conf t
policy-map global_policy
class inspection_default
no inspect esmtp
exit
wr
Do you know how to do it?
Thanks,
Dario Vanin
06-24-2012 11:11 PM
Hi dario,
You would need this:
access-list no-inspect deny ip host x.x.x.x host y.y.y.y
access-list no-inspect permit ip any any
class-map no-inspect-class
 match access-list no-inspect
policy-map global_policy
 class no-inspect-class
  inspect esmtp
where x.x.x.x and y.y.y.y are your desired ip's for which you want to disable it.
This would deny the ip's from being inspected but other traffic would be.
Thanks,
Varun Rao
Security Team,
Cisco TAC
06-24-2012 11:17 PM
Thanks Varun,
So you said that in my scenario I should use the statement below? I have a single host to allow.
access-list no-inspect deny ip host x.x.x.x
Thanks,
Dario
06-24-2012 11:21 PM
Hi Dario,
Yes, I would suggest you apply these ACLs:
access-list no-inspect deny ip host x.x.x.x any
access-list no-inspect deny ip any host x.x.x.x
access-list no-inspect permit ip any any
Reason being, you would want to exclude bi-directional traffic, to and from the host to any destination.
Thanks,
Varun Rao
Security Team,
Cisco TAC
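Added example (not from this thread or from Cisco): a small Python linter that reads an ASA MPF snippet like the one above and flags the two mistakes this thread touches on, a policy-map "class" line naming a class-map that was never defined, and a per-host exclusion ACL that only denies one direction. The host 192.0.2.10 and the config text are constructed sample data.

```python
import re

# Constructed sample (not from a live device): the corrected snippet from this thread
GOOD_CONFIG = """\
access-list no-inspect deny ip host 192.0.2.10 any
access-list no-inspect deny ip any host 192.0.2.10
access-list no-inspect permit ip any any
class-map no-inspect-class
 match access-list no-inspect
policy-map global_policy
 class no-inspect-class
  inspect esmtp
"""

# Matches the simple "ip" ACEs used in this thread: host x.x.x.x or any on each side
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) ip (host \S+|any) (host \S+|any)$")

def lint_mpf(config):
    """Return a list of findings for an ASA MPF snippet; an empty list means none."""
    acls, class_maps, policy_refs = {}, {}, []
    context = None  # ('class-map', name) or ('policy-map', name) while inside one
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2, 3, 4))
        elif line.startswith("class-map "):
            context = ("class-map", line.split()[1])
            class_maps[context[1]] = None
        elif line.startswith("policy-map "):
            context = ("policy-map", line.split()[1])
        elif line.startswith("match access-list ") and context and context[0] == "class-map":
            class_maps[context[1]] = line.split()[2]
        elif line.startswith("class ") and context and context[0] == "policy-map":
            policy_refs.append(line.split()[1])
    findings = []
    # 1. every "class" line inside a policy-map must name a defined class-map
    for name in policy_refs:
        if name not in class_maps:
            findings.append(f"policy-map references undefined class-map '{name}'")
    # 2. a host excluded from inspection by a deny must be excluded in both directions
    for acl, entries in acls.items():
        denies = {(src, dst) for action, src, dst in entries if action == "deny"}
        for src, dst in sorted(denies):
            if (dst, src) not in denies:
                findings.append(f"access-list '{acl}': '{src} -> {dst}' has no reverse deny")
    return findings
```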