How to avoid SMTP inspection on zone based firewall?

mbesim
Level 1

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).

The original configuration, made using CCP, was:

access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.111

class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp

policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
....

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

Here is how to avoid this inspection:

no access-list 102
access-list 102 remark CCP_ACL Category=0
access-list 102 permit tcp any host 192.168.1.111 eq 25

class-map type inspect match-all sdm-nat-smtp-1
 no match protocol smtp
 match protocol tcp

Incoming mail goes through a Spam and Virus Blocker, so bypassing SMTP inspection is not a security issue in this case.

Hope this will help somebody.
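The change above swaps application-layer SMTP inspection for plain TCP inspection on port 25, which is easy to lose track of in a long CCP-generated config. As an added example (not from the post, CCP or Cisco), here is a small Python audit that parses a running-config excerpt, links each inspect class-map to its ACLs and `match protocol` lines, and flags class-maps that inspect mail-port traffic as generic TCP, so the bypass stays visible in config review. The two config strings are constructed from the post's lines; the mail-port list, the `esmtp` protocol name and the class-map-name heuristic are assumptions.

```python
from typing import Dict, List

# Constructed excerpt of the amended configuration from the post:
# ACL scoped to TCP/25, class-map matching generic TCP instead of SMTP.
AMENDED_CONFIG = """\
access-list 102 remark CCP_ACL Category=0
access-list 102 permit tcp any host 192.168.1.111 eq 25
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol tcp
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
"""

# Constructed excerpt of the original CCP-generated configuration for comparison.
ORIGINAL_CONFIG = """\
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.111
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
"""

# Assumption: ports/keywords we treat as mail submission or delivery.
MAIL_PORTS = {"25", "smtp", "465", "587"}
# Assumption: protocol names that give application-layer mail inspection.
MAIL_PROTOCOLS = {"smtp", "esmtp"}


def parse_config(text: str) -> Dict[str, dict]:
    """Collect numbered ACL permit entries and inspect class-map match lines.

    Indented lines belong to the most recent top-level class-map; other
    top-level sections (policy-map, zone-pair) reset the context.
    """
    acls: Dict[str, List[dict]] = {}
    class_maps: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        tokens = stripped.split()
        if not raw.startswith(" "):          # top-level command
            current = None
            if tokens[0] == "access-list" and len(tokens) > 3 and tokens[2] == "permit":
                port = tokens[tokens.index("eq") + 1] if "eq" in tokens else None
                acls.setdefault(tokens[1], []).append({"proto": tokens[3], "port": port})
            elif tokens[:3] == ["class-map", "type", "inspect"]:
                current = tokens[-1]
                class_maps[current] = {"acls": [], "protocols": []}
            continue
        if current is None:
            continue
        if tokens[:2] == ["match", "access-group"]:
            class_maps[current]["acls"].append(tokens[2])
        elif tokens[:2] == ["match", "protocol"]:
            class_maps[current]["protocols"].append(tokens[2])
    return {"acls": acls, "class_maps": class_maps}


def audit_smtp_inspection(text: str) -> List[dict]:
    """Return class-maps that handle mail traffic without SMTP application inspection."""
    cfg = parse_config(text)
    findings = []
    for name, cm in cfg["class_maps"].items():
        # Mail-scoped if any referenced ACL entry targets a mail port, or
        # (heuristic) the class-map name itself mentions smtp.
        mail_scoped = "smtp" in name.lower() or any(
            entry["port"] in MAIL_PORTS
            for acl in cm["acls"]
            for entry in cfg["acls"].get(acl, [])
        )
        protocols = set(cm["protocols"])
        if mail_scoped and "tcp" in protocols and not (protocols & MAIL_PROTOCOLS):
            findings.append({
                "class_map": name,
                "acls": list(cm["acls"]),
                "protocols": sorted(protocols),
                "issue": "mail traffic inspected as generic TCP; SMTP engine bypassed",
            })
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("original", ORIGINAL_CONFIG), ("amended", AMENDED_CONFIG)):
        print(label, audit_smtp_inspection(cfg_text))
```

Run against the original CCP config the audit reports nothing; against the amended one it reports `sdm-nat-smtp-1` with ACL 102 and protocols `['tcp']`. Feeding it a full `show running-config` is enough to list every place where this workaround has been applied.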

3 Replies

Parminder Sian
Level 1

Hi,

Great info. Here's another link on ZBF that I find quite interesting:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1084274

Hope this one helps as well,

Also, as I said, you posted great info; in future please add such valuable info to a Doc rather than a discussion. Creating a doc will give this info more visibility.

Thanks

Sian

I had a very similar problem with an 881W router and the CCP-created firewall. It was preventing SMTP sessions that delivered messages with attachments of 2 MB or more in size. These steps fixed that problem.

I am having the same issue with 15.2.

 

Avoiding the SMTP engine does not seem to me like a fix, more of a workaround...

Does anyone know the root cause of this, or a better fix?
