11-22-2010 08:14 AM - edited 03-11-2019 12:12 PM
This is a service policy for ESMTP on the ASA.
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0
mask-banner, count 2073
match cmd line length gt 512
drop-connection log, packet 0
match cmd RCPT count gt 100
drop-connection log, packet 0
match body line length gt 998
log, packet 0
match header line length gt 998
drop-connection log, packet 0
match sender-address length gt 320
drop-connection log, packet 0
match MIME filename length gt 255
drop-connection log, packet 0
match ehlo-reply-parameter others
mask, packet 2
-----------------------------------------------------------------------
Class-map: inspection_default
Inspect: ftp, packet 18793, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 3, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 5, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
The configured ACL for ESMTP shows hits on it, but ESMTP doesn't work for the branch office.
Will the service policy pose blocks for this?
When it says packet 611 on esmtp, it indicates inspected & allowed traffic, is that true?
TIA.
11-22-2010 09:07 AM
Hi,
There's an ESMTP server behind the ASA that should be accessible from the remote office?
If so you need an ACL allowing the inbound traffic and a static NAT.
If the ACL shows hits on it, traffic is getting to the ASA.
You can do:
packet-tracer input outside tcp x.x.x.x 1024 y.y.y.y 25 det
The above will show if there's any process dropping ESMTP packets to the server.
x.x.x.x --> IP of the remote host
y.y.y.y --> NAT IP of the server
Federico.
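Added example (not part of the original thread and not Cisco tooling): a Python parser for the `show service-policy` counters posted in the question, which lists any ESMTP match rule whose drop or reset action has a non-zero hit count. The regexes assume the line layout shown in the post, and the function names are hypothetical.

```python
import re

# Excerpt of the `show service-policy` output posted in the question above.
SAMPLE = """\
Inspect: esmtp _default_esmtp_map, packet 611, drop 0, reset-drop 0
mask-banner, count 2073
match cmd line length gt 512
drop-connection log, packet 0
match cmd RCPT count gt 100
drop-connection log, packet 0
match body line length gt 998
log, packet 0
match header line length gt 998
drop-connection log, packet 0
match sender-address length gt 320
drop-connection log, packet 0
match MIME filename length gt 255
drop-connection log, packet 0
match ehlo-reply-parameter others
mask, packet 2
"""

INSPECT_RE = re.compile(
    r"Inspect:\s*(?P<engine>.+?)\s*,\s*packet (?P<packet>\d+), "
    r"drop (?P<drop>\d+), reset-drop (?P<reset>\d+)")
ACTION_RE = re.compile(r"(?P<action>[a-z][a-z\- ]*?), packet (?P<hits>\d+)$")


def parse_inspect(text):
    """Return (engines, rules): per-engine counters and per-match action hits."""
    engines, rules, pending = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        m = INSPECT_RE.match(line)
        if m:
            engines[m["engine"]] = {k: int(m[k]) for k in ("packet", "drop", "reset")}
            pending = None
        elif line.startswith("match "):
            pending = line[len("match "):]
        elif pending and (a := ACTION_RE.match(line)):
            rules.append({"match": pending, "action": a["action"], "hits": int(a["hits"])})
            pending = None
    return engines, rules


def blocking_rules(rules):
    """Match rules whose action drops or resets and that have fired at least once."""
    return [r for r in rules
            if r["hits"] > 0 and ("drop" in r["action"] or "reset" in r["action"])]
```

On the posted output `blocking_rules` returns an empty list: the only non-zero rule counter is the `mask` action on `ehlo-reply-parameter others`.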