Blocking STARTTLS on a PIX 515 (8.0.4)

ngthen
Level 1

My service provider just enabled TLS on their end. Because of this, our scanning appliances do not work correctly, as the SMTP channel is encrypted. Is there a way on the PIX that I can block the STARTTLS SMTP command? This way I don't have to do anything with my email server or service provider. I am currently not using "inspect" for SMTP, as the default policy was causing issues with my provider. Can I set up an "inspect" policy that just blocks STARTTLS and nothing else (not even checking anything else)?

1 Reply

Panos Kampanakis
Cisco Employee

On the ASA you can allow TLS in ESMTP inspection, but not actually block it. The inspection will block it by default, though.

So you have 2 options:

- enable inspection

- have an IPS or router device with FPM match on the STARTTLS command payload to block it (you need to check where that is in order to calibrate the method).

I hope it helps.

PK
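The following is an added configuration example, not something posted in this thread or taken from Cisco documentation verbatim. It shows the first option from the reply above: an ESMTP inspection policy that keeps the default "no allow-tls" behaviour, so STARTTLS is not permitted through the firewall and the SMTP session stays in the clear for the scanning appliances. The policy-map name "esmtp_no_tls", and the assumption that the default "global_policy" / "inspection_default" objects are still present on the box, are assumptions for this example; the "allow-tls" parameter exists on ASA/PIX 8.0(3) and later, which covers the 8.0(4) image in the question.

```cisco
! Added example (not from the thread). The ESMTP inspection parameter
! "allow-tls" decides whether STARTTLS is passed through. Its default is
! "no allow-tls", written out here explicitly so the intent is visible
! in the running config.
policy-map type inspect esmtp esmtp_no_tls
 parameters
  no allow-tls
!
! Attach the policy to the default inspection class of the global
! service policy (object names are the out-of-the-box defaults and are
! assumed to be unchanged on this firewall).
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_no_tls
!
! Already present by default on most installs; shown for completeness.
service-policy global_policy global
!
! If TLS must be permitted again later, the single parameter to change is:
!   allow-tls action log
! which lets STARTTLS through and logs each negotiation.
```

After applying it, "show service-policy inspect esmtp" confirms the policy is attached and counts the inspected sessions. Note the trade-off this configuration makes: mail to and from the provider now crosses the path in cleartext so the appliances can scan it, and any other intermediate network sees it as well, so the decision belongs with whoever owns the mail data, not only the firewall.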
