cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
788
Views
5
Helpful
4
Replies

Basic CSC question for ASA5520

Scott Payne
Level 1
Level 1

Good morning!

  We have been having issues with some email accounts that seem to be sending out spam mail on the SMTP port when the computer has been infected.These emails are not going through our Ironport and we are having touble locating the source. The config that I have written forces all SMTP traffic through the Ironport and there is a deny statement after the access-lists that have been created. That being written, we have become black listed on several occasions. Can the CSC module scan outbound traffic going through eq 25 or does it only look at inbound traffic?  

  Please let me know if the CSC can scan outbound email. I want to try to use every option available to keep this from happening.

Partial Config (my notes are in bold)

access-list outside extended permit tcp any host 10.1.5.50 eq smtp  <--- Ironport
access-list outside extended permit tcp any host 10.1.5.80 eq smtp  <--- Exchange
access-list outside extended permit udp any any eq domain
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq pptp
access-list outside extended permit tcp any host 10.1.5.90 eq smtp  <--- Exchange

access-list outside extended permit tcp any host 10.1.5.91 eq smtp  <--- Exchange

access-list outside extended deny tcp any any eq smtp
access-list capin extended permit tcp any any eq smtp
access-list capin extended permit tcp any eq smtp any
access-list 101 extended permit tcp host 10.1.5.80 any eq smtp  <--- Exchange

access-list 101 extended permit tcp host 10.1.5.91 any eq smtp  <--- Exchange

access-list 101 extended permit tcp host 10.1.5.50 any eq smtp  <--- Ironport

access-list 101 extended deny tcp any any eq smtp
access-list 102 extended permit tcp host 10.1.5.90 any eq smtp  <--- Exchange

Thanks,

Scott

1 Accepted Solution

Accepted Solutions

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Scott,

Yes CSC can scan outbound SMTP traffic, it's not best practice since you can easily owerwhelm the module with too much traffic.

Be careful when enabling this feature. You can also try to run smpt inspection on ASA, chances are some malicious traffic will be blocked.

Best practice says, you should only scan inbound SMTP traffic going to your smtp server/relay.

Marcin

View solution in original post

4 Replies 4

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Scott,

Yes CSC can scan outbound SMTP traffic, it's not best practice since you can easily owerwhelm the module with too much traffic.

Be careful when enabling this feature. You can also try to run smpt inspection on ASA, chances are some malicious traffic will be blocked.

Best practice says, you should only scan inbound SMTP traffic going to your smtp server/relay.

Marcin

Would the outbound SMTP scanning overwhelm just the module or would it bring the firewall to a turtle's pace?

I have a policy map for inspection created but do not think that covers outbound.

match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect dns preset_dns_map
  inspect esmtp

Scott,

It all depends on volume of traffic.

I'd say, try and if you see performance impact (to all CSC inspected traffic - smtp,pop3,imap,http) remove it.

show conn detail port 25

Will show you what happens with existing connections.

If in doubt about if particular connection is inespected you can use service-policy info. Example:

show service-policy flow tcp host 1.2.2.3 host 1.2.3.4 eq 25

This will tell you what happens to that particular flow (change IPs/ports to whatever you want ;-))

Marcin

Marcin,

  Thank you for all of your suggestions. I really appreciate it.

Scott

Review Cisco Networking for a $25 gift card