
ASA to FTD+FMC / Migration Tool 3.0 / inspect on global service policy

Hans Martinez
Level 1

Hi, I'm working on migrating an ASA to FTD. When I run the Migration Tool, it ignores the esmtp inspection set on the global policy. Can I configure that policy manually on the FTD, or is it really not necessary?

!
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq 465
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq 587
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq smtp
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.132 eq 465
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.132 eq 587
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.132 eq smtp
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.131 eq 465
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.131 eq 587
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.131 eq smtp
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.132 eq 465
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.132 eq 587
access-list esmtp extended deny tcp host 10.16.8.192 host 10.20.199.132 eq smtp
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.191 eq 465
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.191 eq 587
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.191 eq smtp
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.192 eq 465
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.192 eq 587
access-list esmtp extended deny tcp host 10.20.199.131 host 10.16.8.192 eq smtp
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.191 eq 465
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.191 eq 587
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.191 eq smtp
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.192 eq 465
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.192 eq 587
access-list esmtp extended deny tcp host 10.20.199.132 host 10.16.8.192 eq smtp
access-list esmtp extended permit tcp any any eq smtp
access-list esmtp extended permit tcp any any eq 587
access-list esmtp extended permit tcp any any eq 465
!
class-map class_no_esmpt
 match access-list esmtp
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
  inspect icmp error
 class class_no_esmpt
  inspect esmtp
!
service-policy global_policy global

 

1 Reply

balaji.bandi
Hall of Fame

Yes, you can configure it on FTD: configure inspection esmtp disable.

But if you use this, it will be overridden when you push the config from FMC.

If you are using FMC, use FlexConfig.

https://www.balajibandi.com/?p=1760

 

 

BB
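
An added example (not part of the original posts and not Cisco tooling): a small Python parser that inventories which inspect engines each class of an applied ASA service policy uses, so that entries on a custom class such as class_no_esmpt can be checked by hand after a migration. The function name `inventory`, the `custom_class` flag and the trimmed sample config are assumptions made for illustration.

```python
# Constructed sample: excerpt of the ASA config in the question (indentation lost, as posted).
SAMPLE = """\
access-list esmtp extended deny tcp host 10.16.8.191 host 10.20.199.131 eq 465
access-list esmtp extended permit tcp any any eq smtp
class-map class_no_esmpt
match access-list esmtp
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
class class_no_esmpt
inspect esmtp
service-policy global_policy global
"""

def inventory(config):
    """List each class of every applied policy-map with its match and inspects."""
    acls, matches, policies, applied = {}, {}, {}, {}
    cmap = pmap = cls = None  # parsing context, tracked by keyword, not indentation
    for w in (ln.split() for ln in config.splitlines() if ln.strip()):
        if w[0] == "access-list" and len(w) > 3 and w[2] != "remark":
            acls.setdefault(w[1], []).append(" ".join(w[2:]))
        elif w[0] == "class-map":
            cmap, pmap, cls = w[-1], None, None
        elif w[0] == "policy-map":
            # "policy-map type inspect ..." holds engine parameters, not classes
            cmap, cls, pmap = None, None, (None if w[1] == "type" else w[1])
        elif w[0] == "match" and cmap:
            matches.setdefault(cmap, []).append(" ".join(w[1:]))
        elif w[0] == "class" and pmap:
            cls = w[1]
            policies.setdefault(pmap, {})[cls] = []
        elif w[0] == "inspect" and pmap and cls:
            policies[pmap][cls].append(" ".join(w[1:]))
        elif w[0] == "service-policy" and len(w) > 2:
            applied[w[1]] = " ".join(w[2:])
    rows = []
    for name, scope in applied.items():  # only policies actually applied
        for c, engines in policies.get(name, {}).items():
            m = matches.get(c, [])
            aces = sum(len(acls.get(x.split()[1], [])) for x in m
                       if x.startswith("access-list "))
            rows.append({"policy": name, "scope": scope, "class": c, "match": m,
                         "aces": aces, "inspect": engines,
                         "custom_class": c != "inspection_default"})
    return rows
```

Rows with `custom_class` set are the ones to compare against the configuration deployed on the FTD.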
