08-10-2015 03:17 AM - edited 03-11-2019 11:24 PM
Hi all,
I want to enable ESMTP inspection on one ASA, but since I have devices which don't support TLS I was wondering how to enable ESMTP with TLS inspection for some hosts and ESMTP without TLS inspection for the others. I added the line "esmtp tls-allow" to the default global_policy, so I was thinking of creating another policy-map for the hosts which don't support TLS, as follows:
access-list ESMTP permit ip host X.X.X.X any
access-list ESMTP deny ip X.X.X.0 255.255.255.0 any ! Would this line be required?
class-map CMAP
match access-list ESMTP
policy-map PMAP
class CMAP
inspect dns preset_dns_map
................... ! include the default application inspections
inspect esmtp
service-policy PMAP interface inside
Could anyone tell me whether this configuration would work or not, please? Many thanks in advance.
08-10-2015 06:28 AM
Hi Marco,
You can just add to your new service policy the ESMTP inspection modifications. Traffic will still match the global policy for any other parameters and protocols.
The "deny" ESMTP ACL entry is not necessary as, just like the ACLs used for interfaces, there will be an implicit "deny ip any any" at the bottom. But in this case, it won't drop traffic. It just means that any other traffic won't be matched.
However, if you want to have TLS traffic enabled for that host inbound and outbound, I would suggest the following changes:
With 192.168.10.1 being the device we want to allow TLS for:
! ACL to match interesting traffic
access-list ALLOW-TLS extended permit ip host 192.168.10.1 any
access-list ALLOW-TLS extended permit ip any host 192.168.10.1
! ACL to match everything else but not match interesting traffic.
access-list DENY-TLS extended deny ip host 192.168.10.1 any
access-list DENY-TLS extended deny ip any host 192.168.10.1
access-list DENY-TLS extended permit ip any any
! Allow TLS policy map.
policy-map type inspect esmtp ALLOW-TLS
 parameters
  allow-tls
! Class matching traffic to support TLS.
class-map ALLOW-TLS
 match access-list ALLOW-TLS
! Class matching all other traffic.
class-map DENY-TLS
 match access-list DENY-TLS
! Removing default ESMTP inspection and creating new classes
policy-map global_policy
 class inspection_default
  no inspect esmtp
 exit
 class ALLOW-TLS
  inspect esmtp ALLOW-TLS
 class DENY-TLS
  inspect esmtp
This will create two different classes inside the global policy, so, no matter where the traffic starts, it will be matched and there won't be any policy overlaps.
You can test using the command:
show service-policy flow tcp host x.x.x.x host 192.168.10.1 eq smtp
By changing x.x.x.x to any desired source IP.
Hope this info helps!
-Cesar.
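The following is an added example, not part of Cesar's or Marco's posts: the same two-class layout as in the answer above, but with the ACLs narrowed to SMTP ports. The reason for narrowing is a documented ASA behaviour: when a class is defined with "match access-list", the inspection configured in that class is applied to every connection the ACL matches, regardless of port (this is how you inspect a protocol on a non-standard port). With ACLs written as "permit ip", the ALLOW-TLS class would push all TCP traffic to or from 192.168.10.1 through the ESMTP engine, and the DENY-TLS class ("permit ip any any") would do the same for every other TCP connection through the firewall, which is likely to break non-SMTP traffic. The object-group name SMTP-PORTS and the inclusion of port 587 (submission) are this example's assumptions; drop 587 if only port 25 is in use. The class, ACL and policy-map names are the ones used in the answer.

```cisco
! Added example: same structure as the answer, ACLs restricted to SMTP/submission
! (assumed port set; adjust to what the mail hosts actually use)
object-group service SMTP-PORTS tcp
 port-object eq smtp
 port-object eq 587
!
! TLS-capable host, as client (outbound) and as server (inbound)
access-list ALLOW-TLS extended permit tcp host 192.168.10.1 any object-group SMTP-PORTS
access-list ALLOW-TLS extended permit tcp any host 192.168.10.1 object-group SMTP-PORTS
!
! Everyone else on SMTP ports; the deny entries exclude the TLS host so the
! two classes never overlap, and non-SMTP traffic is not matched at all
access-list DENY-TLS extended deny tcp host 192.168.10.1 any object-group SMTP-PORTS
access-list DENY-TLS extended deny tcp any host 192.168.10.1 object-group SMTP-PORTS
access-list DENY-TLS extended permit tcp any any object-group SMTP-PORTS
!
! ESMTP inspection policy that leaves STARTTLS alone
policy-map type inspect esmtp ALLOW-TLS
 parameters
  allow-tls
!
class-map ALLOW-TLS
 match access-list ALLOW-TLS
class-map DENY-TLS
 match access-list DENY-TLS
!
! Replace the port-based default ESMTP inspection with the two ACL-based classes
policy-map global_policy
 class inspection_default
  no inspect esmtp
 class ALLOW-TLS
  inspect esmtp ALLOW-TLS
 class DENY-TLS
  inspect esmtp
```

To confirm which class a given connection lands in, run "show service-policy flow tcp host <client> host 192.168.10.1 eq smtp" for the TLS host and the same command against one of the other mail hosts; the output should name ALLOW-TLS for the first and DENY-TLS for the second. "show service-policy inspect esmtp" then shows the per-class inspection counters increasing as mail flows. Because the two ACLs are mutually exclusive, the order of the two classes inside global_policy does not matter; it would if the ACLs overlapped, since a connection matches only the first inspection class it hits.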