13-44
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
SMTP and Extended SMTP Inspection
• special-character action {drop-connection [log] | log}—Identifies the action to take for
messages that include the special characters pipe (|), back quote, and NUL in the sender or
receiver email addresses. You can either drop the connection and optionally log it, or log it.
• allow-tls [action log]—Whether to allow ESMTP over TLS (encrypted connections) without
inspection. You can optionally log encrypted connections. The default is no allow-tls, which
strips the STARTTLS indication from the session connection and forces a plain-text connection.
Example
The following example shows how to define an ESMTP inspection policy map.
hostname(config)# regex user1 “user1@cisco.com”
hostname(config)# regex user2 “user2@cisco.com”
hostname(config)# regex user3 “user3@cisco.com”
hostname(config)# class-map type regex senders_black_list
hostname(config-cmap)# description “Regular expressions to filter out undesired senders”
hostname(config-cmap)# match regex user1
hostname(config-cmap)# match regex user2
hostname(config-cmap)# match regex user3
hostname(config)# policy-map type inspect esmtp advanced_esmtp_map
hostname(config-pmap)# match sender-address regex class senders_black_list
hostname(config-pmap-c)# drop-connection log
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect esmtp advanced_esmtp_map
hostname(config)# service-policy outside_policy interface outside
Configure the ESMTP Inspection Service Policy
The default ASA configuration includes ESMTP inspection applied globally on all interfaces. A
common method for customizing the inspection configuration is to customize the default global policy.
You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map esmtp_class_map
hostname(config-cmap)# match access-list esmtp
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (match default-inspection-traffic). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13.
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map name
To Next Page
Loading...
Need help?
General