Solved: Basic CSC question for ASA5520

Scott Payne · ‎01-05-2011

Good morning!

We have been having issues with some email accounts that seem to be sending out spam mail on the SMTP port when the computer has been infected.These emails are not going through our Ironport and we are having touble locating the source. The config that I have written forces all SMTP traffic through the Ironport and there is a deny statement after the access-lists that have been created. That being written, we have become black listed on several occasions. Can the CSC module scan outbound traffic going through eq 25 or does it only look at inbound traffic?

Please let me know if the CSC can scan outbound email. I want to try to use every option available to keep this from happening.

Partial Config (my notes are in bold)

access-list outside extended permit tcp any host 10.1.5.50 eq smtp <--- Ironport
access-list outside extended permit tcp any host 10.1.5.80 eq smtp <--- Exchange
access-list outside extended permit udp any any eq domain
access-list outside extended permit tcp any any eq www
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq pptp
access-list outside extended permit tcp any host 10.1.5.90 eq smtp <--- Exchange

access-list outside extended permit tcp any host 10.1.5.91 eq smtp <--- Exchange

access-list outside extended deny tcp any any eq smtp
access-list capin extended permit tcp any any eq smtp
access-list capin extended permit tcp any eq smtp any
access-list 101 extended permit tcp host 10.1.5.80 any eq smtp <--- Exchange

access-list 101 extended permit tcp host 10.1.5.91 any eq smtp <--- Exchange

access-list 101 extended permit tcp host 10.1.5.50 any eq smtp <--- Ironport

access-list 101 extended deny tcp any any eq smtp
access-list 102 extended permit tcp host 10.1.5.90 any eq smtp <--- Exchange

Thanks,

Scott

Marcin Latosiewicz · ‎01-05-2011

Scott,

Yes CSC can scan outbound SMTP traffic, it's not best practice since you can easily owerwhelm the module with too much traffic.

Be careful when enabling this feature. You can also try to run smpt inspection on ASA, chances are some malicious traffic will be blocked.

Best practice says, you should only scan inbound SMTP traffic going to your smtp server/relay.

Marcin

View solution in original post

Marcin Latosiewicz · ‎01-05-2011

Scott,

Yes CSC can scan outbound SMTP traffic, it's not best practice since you can easily owerwhelm the module with too much traffic.

Be careful when enabling this feature. You can also try to run smpt inspection on ASA, chances are some malicious traffic will be blocked.

Best practice says, you should only scan inbound SMTP traffic going to your smtp server/relay.

Marcin

Scott Payne · ‎01-05-2011

Would the outbound SMTP scanning overwhelm just the module or would it bring the firewall to a turtle's pace?

I have a policy map for inspection created but do not think that covers outbound.

match default-inspection-traffic
policy-map type inspect dns preset_dns_map
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect dns preset_dns_map
inspect esmtp

Marcin Latosiewicz · ‎01-05-2011

Scott,

It all depends on volume of traffic.

I'd say, try and if you see performance impact (to all CSC inspected traffic - smtp,pop3,imap,http) remove it.

show conn detail port 25

Will show you what happens with existing connections.

If in doubt about if particular connection is inespected you can use service-policy info. Example:

show service-policy flow tcp host 1.2.2.3 host 1.2.3.4 eq 25

This will tell you what happens to that particular flow (change IPs/ports to whatever you want ;-))

Marcin

Scott Payne · ‎01-05-2011

Marcin,

Thank you for all of your suggestions. I really appreciate it.

Scott