11-12-2013 01:19 AM - edited 03-11-2019 08:03 PM
We had a problem with SMTP inspection dropping emails with attachments (Cisco 2900, IOS 15.1).
Logging shows that the drops are due to "OOO" segments.
I want to skip inspection and also reassembly on SMTP packets and simply pass them. I've created an access list, then added it to a class map with action pass, but after that I stopped receiving mails completely. (access-list 103 permit tcp any any eq smtp)
class-map type inspect match-any OUTSIDE-INSIDE-SMTP
 match access-group 103
This is my configuration:
class-map type inspect match-any OUTSIDE-INSIDE-ICMP-REPLY
 match access-group 102
class-map type inspect match-any Aruba-Outside
 match protocol tcp
 match protocol udp
class-map type inspect match-any Inside-Outside
 match protocol udp
 match protocol tcp
class-map type inspect match-any OUTSIDE-INSIDE-SMTP
 match access-group 103
class-map type inspect match-any OUTSIDE-INSIDE
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match protocol user-fleet
 match protocol ipsec-msft
 match protocol isakmp
!
!
policy-map type inspect Aruba-Outside
 class type inspect Aruba-Outside
  inspect
 class class-default
  pass
policy-map type inspect Inside-Outside
 class type inspect Inside-Outside
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE
  inspect
 class type inspect OUTSIDE-INSIDE-SMTP
  pass
 class type inspect OUTSIDE-INSIDE-ICMP-REPLY
  pass
 class class-default
  drop
!
zone security IN
zone security OUT
zone security ARUBA
zone-pair security INSIDE/OUTSIDE source IN destination OUT
 service-policy type inspect Inside-Outside
zone-pair security OUTSIDE-INSIDE source OUT destination IN
 service-policy type inspect OUTSIDE-INSIDE
zone-pair security ARUBA-OUTSIDE source ARUBA destination OUT
 service-policy type inspect Aruba-Outside
11-12-2013 01:26 AM
I assume that your ACL 103 has a permit for TCP/25. Then your policy needs to be changed to inspect:
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE-SMTP
  inspect
With this config, the traffic is only inspected as TCP and nothing is done in the upper layers. Only if you configure a class with a "match protocol ..." statement is a Layer 7 protocol inspection done.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
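The broken and the corrected OUTSIDE-INSIDE policy side by side, as an added example that is not part of the thread. Zone, class-map and policy-map names and ACL 103 are taken from the question; the tightened ACL with a mail-server address is an assumption added for illustration. The reason `pass` broke mail entirely is that `pass` is stateless and one-directional: the inbound SYN from OUT is let through, but no session entry is created, so the return traffic from IN to OUT has nothing to match on the way back. `inspect` creates the session and admits the return traffic, and because the class matches an ACL rather than `match protocol smtp`, only Layer 4 TCP state is tracked.

```cisco
! --- Before (as posted in the question): inbound SMTP matched by ACL 103 and passed.
! "pass" is stateless, so the SYN-ACK from the inside mail server has no session
! to ride back on, and mail stops completely.
access-list 103 permit tcp any any eq smtp
class-map type inspect match-any OUTSIDE-INSIDE-SMTP
 match access-group 103
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE
  inspect
 class type inspect OUTSIDE-INSIDE-SMTP
  pass
 class type inspect OUTSIDE-INSIDE-ICMP-REPLY
  pass
 class class-default
  drop
!
! --- After (the accepted fix): same ACL-based class, action "inspect".
! The class has no "match protocol smtp", so the session is tracked at Layer 4
! only (TCP state, return traffic allowed) and the application-layer SMTP
! inspection that was dropping the attachment-carrying segments is not applied.
policy-map type inspect OUTSIDE-INSIDE
 class type inspect OUTSIDE-INSIDE
  inspect
 class type inspect OUTSIDE-INSIDE-SMTP
  inspect
 class type inspect OUTSIDE-INSIDE-ICMP-REPLY
  pass
 class class-default
  drop
!
! --- Optional hardening (assumed mail-server address, not from the thread):
! "permit tcp any any eq smtp" opens TCP/25 to every host in zone IN.
! Restrict it to the host that actually runs the MTA.
no access-list 103 permit tcp any any eq smtp
access-list 103 permit tcp any host 192.0.2.25 eq smtp
!
! --- Verification: sessions for inbound SMTP should now appear, and the ACL
! hit counters should increase as mail arrives.
! show policy-map type inspect zone-pair OUTSIDE-INSIDE sessions
! show ip access-lists 103
```

Class order in a policy-map is first match, so keep the SMTP class ahead of any broader class that could also match TCP/25; in the configuration above the OUTSIDE-INSIDE class only matches named protocols that do not include smtp, so the order shown is safe.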
11-12-2013 04:56 AM
Many thanks Karsten, I really appreciate that answer. Now I can receive mail with attachments.