Participant

ASA ESMTP inspection for blocking inbound spoofed own domain

Hi, I'm using ESMTP inspection and I want to block incoming mails with a spoofed "mail_from" address from our own domain.

I can use ESMTP inspection with regex to block this domain, but I want to block only the incoming mails (the outgoing ones are good). How can I do that?

Thanks

Cisco Employee

Re: ASA ESMTP inspection for blocking inbound spoofed own domain

You can also create and match on an access-list, and the access-list will say "permit tcp any host eq 25".

Participant

Re: ASA ESMTP inspection for blocking inbound spoofed own domain

OK, but at the same time I want ESMTP inspection for outgoing mails. Can I put two classes into a policy-map, both doing ESMTP inspection?

Something like that:

policy-map Mail
     class 1 match all traffic
          inspect esmtp
     class 2 match "incoming traffic"
          inspect esmtp "Block spoofed domain"
service-policy Mail interface outside

Performance? Or is there a better way to do that?

Thanks

Cisco Employee

Re: ASA ESMTP inspection for blocking inbound spoofed own domain

I assume that you already have global_policy. If you do, then all you need to do is enable "inspect esmtp" under global_policy for your first class-map (i.e., you don't need to separately configure "class 1").

So the service-policy that you applied to the outside interface will say:

policy-map Mail
     class 2 match "incoming traffic"
          inspect esmtp "Block spoofed domain"
service-policy Mail interface outside

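The pseudo-configuration from the answer above written out in ASA syntax, as an added example that is not part of the original thread. The names OWN_DOMAIN, BLOCK_SPOOFED_DOMAIN, INBOUND_SMTP and INBOUND_SMTP_CLASS, the domain example.com and the mail-server address 192.0.2.25 are placeholders, and the example assumes the default global_policy still carries a plain "inspect esmtp" for all other SMTP traffic.

```cisco
! Added example; all names, the domain and the IP address are placeholders.
!
! Regex for the organisation's own domain in the sender address.
! Character classes make the match independent of letter case.
regex OWN_DOMAIN @[Ee][Xx][Aa][Mm][Pp][Ll][Ee]\.[Cc][Oo][Mm]
!
! "Block spoofed domain": ESMTP inspection map that drops and logs any
! SMTP session whose MAIL FROM sender address matches the regex.
policy-map type inspect esmtp BLOCK_SPOOFED_DOMAIN
 match sender-address regex OWN_DOMAIN
  drop-connection log
!
! "incoming traffic": only connections from the Internet to the
! internal mail server on TCP/25. Outbound mail is never addressed
! to this host, so it does not match and is not checked by the map.
access-list INBOUND_SMTP extended permit tcp any host 192.0.2.25 eq smtp
!
class-map INBOUND_SMTP_CLASS
 match access-list INBOUND_SMTP
!
! Interface policy for the outside interface: strict ESMTP inspection
! for inbound mail only. Everything else, including outgoing mail,
! keeps the default "inspect esmtp" from global_policy.
policy-map Mail
 class INBOUND_SMTP_CLASS
  inspect esmtp BLOCK_SPOOFED_DOMAIN
!
service-policy Mail interface outside
```

Once mail is flowing, `show service-policy interface outside` lists the packet and drop counters for this inspection.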

Participant

Re: ASA ESMTP inspection for blocking inbound spoofed own domain

OK, working!

Thanks