11-03-2022 11:30 PM
Hi, I'm working to migrate an ASA to FTD. When I run the Migration Tool it ignores the ESMTP inspection set on the global policy. Can I configure that policy manually on the FTD, or is it really not necessary?
!
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq 465
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq 587
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq smtp
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.132 eq 465
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.132 eq 587
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.132 eq smtp
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.131 eq 465
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.131 eq 587
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.131 eq smtp
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.132 eq 465
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.132 eq 587
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.132 eq smtp
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.191 eq 465
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.191 eq 587
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.191 eq smtp
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.192 eq 465
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.192 eq 587
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.192 eq smtp
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.191 eq 465
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.191 eq 587
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.191 eq smtp
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.192 eq 465
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.192 eq 587
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.192 eq smtp
access-list esmtp extended permit tcp any any eq smtp
access-list esmtp extended permit tcp any any eq 587
access-list esmtp extended permit tcp any any eq 465
!
class-map class_no_esmpt
 match access-list esmtp
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
  inspect icmp error
 class class_no_esmpt
  inspect esmtp
!
service-policy global_policy global
11-04-2022 12:58 AM
Yes, you can configure it on FTD: configure inspection esmtp disable.
But if you are using this, it will be overridden when you push the config from FMC.
If you are using FMC, use FlexConfig.
https://www.balajibandi.com/?p=1760
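As an added worked example (not part of either post above, nor of the linked article), this is what a FlexConfig object reproducing the posted ASA policy on an FMC-managed FTD could contain. It assumes the ACL is created in FMC as an Extended ACL object holding the same deny/permit entries as the posted `access-list esmtp`, inserted into the FlexConfig object as a policy-object variable referenced as `$esmtp`, and that the object is deployed with type Append and deployment Everytime so it is re-applied on each push (these names and settings are assumptions, not taken from the thread). The class-map and policy-map names are the ones from the posted config.

```cisco
! FlexConfig object body (assumed settings: type Append, deployment Everytime)
! $esmtp is a FlexConfig policy-object variable bound to the FMC Extended ACL
! object that holds the posted deny/permit lines (assumption)
class-map class_no_esmpt
 match access-list $esmtp
!
policy-map global_policy
 class inspection_default
  ! Uncomment the next line only if the FTD running config already shows
  ! "inspect esmtp" under inspection_default; otherwise port-25 traffic is
  ! inspected by that class before class_no_esmpt is ever evaluated.
  ! no inspect esmtp
 class class_no_esmpt
  inspect esmtp
```

Before deploying, check the FMC list of prohibited FlexConfig commands for your release; if `access-list` lines are rejected in a FlexConfig object, the Extended ACL object plus variable approach used above is the supported route. After deployment, confirm the result from the FTD diagnostic CLI (`system support diagnostic-cli`) with `show running-config policy-map` and `show service-policy inspect esmtp`, and check `show access-list` to see hit counts climbing on the deny entries for the two mail-server pairs, which is what proves those flows are being excluded from inspection rather than dropped.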