ASA: ESMTP inspection with TLS for some hosts and without TLS for other hosts

Hi all,

 

I want to enable ESMTP inspection on one ASA, but since I have devices which don't support TLS I was wondering how to enable ESMTP inspection with TLS for some hosts and ESMTP inspection without TLS for the others. I added the line "esmtp tls-allow" to the default global_policy, so I was thinking of creating another policy-map for the hosts which don't support TLS, as follows:

 

access-list ESMTP permit ip host X.X.X.X any
access-list ESMTP deny ip X.X.X.0 255.255.255.0 any   ! Would this line be required?

class-map CMAP
 match access-list ESMTP

policy-map PMAP
 class CMAP
  inspect dns preset_dns_map
  ...   ! include the default application inspections
  inspect esmtp

service-policy PMAP interface inside

 

Could anyone tell me whether this configuration would work or not, please? Many thanks in advance.

1 Reply

Hi Marco,

 

You can just add to your new service policy the ESMTP inspection modifications. Traffic will still match the global policy for any other parameters and protocols.

 

The "deny" ESMTP ACL entry is not necessary as, just like the ACLs used for interfaces, there will be an implicit "deny ip any any" at the bottom. But in this case, it won't drop traffic. It just means that any other traffic won't be matched.

 

However, if you want to have TLS traffic enabled for that host inbound and outbound, I would suggest the following changes:

 

192.168.10.1 being the device for which we want to allow TLS:

! ACL to match interesting traffic
access-list ALLOW-TLS extended permit ip host 192.168.10.1 any
access-list ALLOW-TLS extended permit ip any host 192.168.10.1

! ACL to match everything else, but not the interesting traffic
access-list DENY-TLS extended deny ip host 192.168.10.1 any
access-list DENY-TLS extended deny ip any host 192.168.10.1
access-list DENY-TLS extended permit ip any any

! Allow-TLS ESMTP inspection policy map
policy-map type inspect esmtp ALLOW-TLS
 parameters
  allow-tls

! Class matching traffic that supports TLS
class-map ALLOW-TLS
 match access-list ALLOW-TLS

! Class matching all other traffic
class-map DENY-TLS
 match access-list DENY-TLS

! Remove the default ESMTP inspection and add the new classes
policy-map global_policy
 class inspection_default
  no inspect esmtp
 exit
 class ALLOW-TLS
  inspect esmtp ALLOW-TLS
 class DENY-TLS
  inspect esmtp

This will create two different classes inside the global policy, so, no matter where the traffic starts, it will be matched and there won't be any policy overlaps. 

 

You can test using the command:

 

     show service-policy flow tcp host x.x.x.x host 192.168.10.1 eq smtp

By changing x.x.x.x to any desired source IP.

 

Hope this info helps!

 

-Cesar.
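As an added illustration (not code from either post), here is a small Python model of the two rules the reply relies on: an ASA ACL is evaluated first-match with an implicit "deny ip any any" at the end, and a flow takes the first class in the policy map whose ACL matches it for a given inspection feature. The 192.168.10.1 host and the 192.168.10.0/24 subnet stand in for the X.X.X.X values in the question, and the flows at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def net(spec: str) -> ipaddress.IPv4Network:
    """Parse an ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def acl_matches(acl: List[Ace], src: str, dst: str) -> bool:
    """First-match evaluation; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False

# The questioner's ACL, with and without the explicit subnet deny (assumed addresses).
QUESTION_ACL = [Ace("permit", net("host 192.168.10.1"), net("any"))]
QUESTION_ACL_WITH_DENY = QUESTION_ACL + [Ace("deny", net("192.168.10.0 255.255.255.0"), net("any"))]

# The two ACLs from the reply.
ALLOW_TLS = [Ace("permit", net("host 192.168.10.1"), net("any")),
             Ace("permit", net("any"), net("host 192.168.10.1"))]
DENY_TLS = [Ace("deny", net("host 192.168.10.1"), net("any")),
            Ace("deny", net("any"), net("host 192.168.10.1")),
            Ace("permit", net("any"), net("any"))]

# global_policy classes in configured order, each with the esmtp action it applies.
GLOBAL_POLICY = [("ALLOW-TLS", ALLOW_TLS, "inspect esmtp ALLOW-TLS"),
                 ("DENY-TLS", DENY_TLS, "inspect esmtp")]

def esmtp_inspection_for(src: str, dst: str) -> Optional[str]:
    """Return the esmtp action of the first class whose ACL matches; None if no class matches."""
    for _name, acl, action in GLOBAL_POLICY:
        if acl_matches(acl, src, dst):
            return action
    return None

if __name__ == "__main__":
    for flow in [("10.0.0.5", "192.168.10.1"), ("192.168.10.1", "203.0.113.9"), ("10.0.0.7", "10.0.0.25")]:
        print(flow, "->", esmtp_inspection_for(*flow))
```

The model ignores ports and the inspection_default class, so it only answers which of the two ESMTP classes a flow lands in, the same question "show service-policy flow" answers on the box.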
