05-28-2010 04:05 AM - edited 03-11-2019 10:51 AM
I am working with an ASA 5520 with a SPAM appliance located within the DMZ. Not all SMTP connections are being corrupted by the inspect esmtp setting, just a few. It was discovered that those few sites that are connecting to the SPAM appliance traverse 2 additional firewalls (1 ASA and 1 PIX) *before* their SMTP traffic hits the Internet to continue on to our DMZ.
Why would this be the case? Is it due to passing through two additional firewalls that may be adjusting the headers (static NAT, etc.)?
If we are not comfortable turning off the inspect esmtp setting, is it possible to write a specific policy that would include these few sites' MX records? If so, how might that be done?
Thanks,
Jim
05-28-2010 05:48 PM
You could create an access list that matches specific server IP addresses, put it under the policy map, and inspect esmtp on it.
------------
! Placeholder addresses: substitute the problem MX hosts and the DMZ appliance.
! First match wins, so the deny entries must come before the permit.
access-list esmtp-acl extended deny tcp host 203.0.113.10 host 192.0.2.25 eq 25
access-list esmtp-acl extended permit tcp any any eq 25
!
class-map esmtp-cm
 match access-list esmtp-acl
!
policy-map global_policy
 class inspection_default
  no inspect esmtp
 class esmtp-cm
  inspect esmtp
------------
I hope it helps.
PK
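To see why the order of the access-list entries matters before committing the change, here is an added example (not from the post above) that parses ASA-style extended ACEs and evaluates them the way the ASA does, first match wins with an implicit deny at the end, so you can check which SMTP flows would land in the esmtp-cm class and be inspected. The addresses are constructed placeholders: 203.0.113.x stands for the MX hosts that break under inspection and 192.0.2.25 for the DMZ appliance.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL mirroring the answer, with placeholder addresses.
ESMTP_ACL = """
access-list esmtp-acl extended deny tcp host 203.0.113.10 host 192.0.2.25 eq 25
access-list esmtp-acl extended deny tcp host 203.0.113.11 host 192.0.2.25 eq 25
access-list esmtp-acl extended permit tcp any any eq 25
"""

PORT_NAMES = {"smtp": 25}


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the front of tokens."""
    kw = tokens.pop(0)
    if kw == "any":
        return ip_network("0.0.0.0/0")
    if kw == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{kw}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Return a list of (action, src_net, dst_net, dst_port) for extended tcp ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        action, rest = tokens[3], tokens[5:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((action, src, dst, port))
    return aces


def is_inspected(aces, src, dst, dport):
    """True if the flow hits a permit ACE first (class matches -> inspect esmtp runs)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, port in aces:
        if s in src_net and d in dst_net and port in (None, dport):
            return action == "permit"
    return False  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    aces = parse_acl(ESMTP_ACL)
    for host in ("203.0.113.10", "198.51.100.7"):
        print(host, "inspected:", is_inspected(aces, host, "192.0.2.25", 25))
```

Reversing the entries (permit first) makes every SMTP flow inspected, which is exactly the misconfiguration this check catches.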
05-29-2010 07:09 AM
Yes, this is what I needed. Thank you PK,
Jim