13-19
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 13 Configuring Application Protocol Inspection
Detailed Information About Inspection Engines
Problems with Fragmented Skinny Packets
The FWSM does not correctly handle fragmented Skinny packets. For instance, when using a voice
conferencing bridge, Skinny packets might become fragmented and are then dropped by the FWSM. This
happens because the Skinny inspection engine checks each packet and drops what appear to be bad
packets. When a single Skinny packet is fragmented into multiple TCP packets, the Skinny inspection
engine finds that the internal checksums within the Skinny packet fragments are not correct and so it
drops the packet.
SMTP Inspection Engine
Enabled by default for TCP port 25
The SMTP inspection engine enables the Mail Guard feature. This restricts mail servers to receiving the
seven minimal commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET,
NOOP, and QUIT). All other commands are rejected.
Microsoft Exchange server does not strictly comply with RFC 821 section 4.5.1; it uses extended SMTP
commands such as EHLO. The FWSM converts any such commands into NOOP commands, which, as
specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This
might cause Microsoft Outlook clients and Exchange servers to function unpredictably when their
connection passes through the FWSM. In this case, you might want to disable the SMTP inspection engine,
although the Mail Guard feature does provide valuable protection.
To configure the SMTP inspection engine, enter the following command:
FWSM/contexta(config)# fixup protocol smtp [port[-port]]
The default port is 25 (TCP).
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. The SMTP inspection engine controls and reduces the commands that the user can use as well
as the messages that the server returns. The SMTP inspection engine performs these primary tasks:
• Restricts SMTP requests to seven minimal commands (HELO, MAIL, RCPT, DATA, RSET, NOOP,
and QUIT).
• Changes the characters in the server SMTP banner to asterisks except for the “2”, “0”, “0”
characters. Carriage return (CR) and linefeed (LF) characters are ignored.
• Monitors the SMTP command-response sequence.
• Generates an audit trail—Audit record 108002 is generated when an invalid character embedded in
the mail address is replaced. For more information, see RFC 821.
The SMTP inspection engine monitors the command and response sequence for the following
anomalous signatures:
• Truncated commands.
• Incorrect command termination (not terminated with <CR><LF>).
• The MAIL and RCPT commands specify who the sender and the receiver of the mail are. Mail
addresses are scanned for strange characters. The pipe character (|) is deleted (changed to a blank
space), and “<” and “>” are only allowed if they are used to define a mail address (“>” must be preceded
by “<”).
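The following Python model is an added illustration of the Mail Guard rules listed above (the minimal command set, the NOOP conversion, the banner masking, and the MAIL/RCPT address checks with audit record 108002); it is not FWSM code, and the treatment of an unclosed “<” as an invalid character is an assumption made for the model.

```python
from typing import List, Optional, Tuple

# Constructed model of the Mail Guard rules described on this page; not FWSM code.
MINIMAL_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
AUDIT_INVALID_CHAR = 108002  # audit record cited on the page for a replaced character


def mask_banner(banner: str) -> str:
    """Rewrite the server banner to asterisks, keeping only '2' and '0' characters
    (so the 220 reply code survives) and passing CR/LF through untouched."""
    return "".join(c if c in "20\r\n" else "*" for c in banner)


def sanitize_address(arg: str) -> Tuple[str, List[int]]:
    """Apply the MAIL/RCPT address checks: '|' becomes a blank, and '<' / '>' are
    kept only as a matched pair around an address ('>' must follow a '<').
    Every replacement yields audit record 108002."""
    out: List[str] = []
    audits: List[int] = []
    depth = 0
    for i, c in enumerate(arg):
        if c == "<":
            bad = depth > 0 or ">" not in arg[i + 1:]  # nested or never closed (assumption)
        elif c == ">":
            bad = depth == 0                            # no preceding '<'
        else:
            bad = c == "|"
        if bad:
            out.append(" ")
            audits.append(AUDIT_INVALID_CHAR)
            continue
        out.append(c)
        depth += {"<": 1, ">": -1}.get(c, 0)
    return "".join(out), audits


def inspect_command(line: str) -> Tuple[Optional[str], List[int]]:
    """Return (line forwarded to the server, audit records). None means the
    inspector flagged the line: truncated, or not terminated with <CR><LF>."""
    if not line.endswith("\r\n") or len(line) == 2:
        return None, []
    verb, _, arg = line[:-2].partition(" ")
    verb = verb.upper()
    if verb not in MINIMAL_COMMANDS:
        return "NOOP\r\n", []  # EHLO and other extended commands become NOOP
    audits: List[int] = []
    if verb in ("MAIL", "RCPT"):
        arg, audits = sanitize_address(arg)
    return (f"{verb} {arg}\r\n" if arg else f"{verb}\r\n"), audits
```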