Configure The Esmtp Inspection Service Policy - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
SMTP and Extended SMTP Inspection
Example
The following example shows how to define an ESMTP inspection policy map.
hostname(config)# regex user1 "user1@cisco.com"
hostname(config)# regex user2 "user2@cisco.com"
hostname(config)# regex user3 "user3@cisco.com"
hostname(config)# class-map type regex senders_black_list
hostname(config-cmap)# description "Regular expressions to filter out undesired senders"
hostname(config-cmap)# match regex user1
hostname(config-cmap)# match regex user2
hostname(config-cmap)# match regex user3
hostname(config)# policy-map type inspect esmtp advanced_esmtp_map
hostname(config-pmap)# match sender-address regex class senders_black_list
hostname(config-pmap-c)# drop-connection log
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect esmtp advanced_esmtp_map
hostname(config)# service-policy outside_policy interface outside
Configure the ESMTP Inspection Service Policy
The default ASA configuration includes ESMTP inspection applied globally on all interfaces. A
common method for customizing the inspection configuration is to customize the default global policy.
You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
Step 1
class-map name
match parameter
Example:
hostname(config)# class-map esmtp_class_map
hostname(config-cmap)# match access-list esmtp
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (match default-inspection-traffic). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see
Add or edit a policy map that sets the actions to take with the class map traffic.
Step 2
policy-map name
Cisco ASA Series Firewall CLI Configuration Guide
13-44
special-character action {drop-connection [log] | log}—Identifies the action to take for
•
messages that include the special characters pipe (|), back quote, and NUL in the sender or
receiver email addresses. You can either drop the connection and optionally log it, or log it.
allow-tls [action log]—Whether to allow ESMTP over TLS (encrypted connections) without
•
inspection. You can optionally log encrypted connections. The default is no allow-tls, which
strips the STARTTLS indication from the session connection and forces a plain-text connection.
Chapter 13
Identify Traffic (Layer 3/4 Class Maps), page
Inspection of Basic Internet Protocols
11-13.
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
