13-44
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
SMTP and Extended SMTP Inspection
•
special-character
action
{
drop-connection
[
log
] |
log
}—Identifies the action to take for
messages that include the special characters pipe (|), back quote, and NUL in the sender or
receiver email addresses. You can either drop the connection and optionally log it, or log it.
•
allow-tls
[
action log
]—Whether to allow ESMTP over TLS (encrypted connections) without
inspection. You can optionally log encrypted connections. The default is
no allow-tls
, which
strips the STARTTLS indication from the session connection and forces a plain-text connection.
Example
The following example shows how to define an ESMTP inspection policy map.
hostname(config)# regex user1 “[email protected]”
hostname(config)# regex user2 “[email protected]”
hostname(config)# regex user3 “[email protected]”
hostname(config)# class-map type regex senders_black_list
hostname(config-cmap)# description “Regular expressions to filter out undesired senders”
hostname(config-cmap)# match regex user1
hostname(config-cmap)# match regex user2
hostname(config-cmap)# match regex user3
hostname(config)# policy-map type inspect esmtp advanced_esmtp_map
hostname(config-pmap)# match sender-address regex class senders_black_list
hostname(config-pmap-c)# drop-connection log
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect esmtp advanced_esmtp_map
hostname(config)# service-policy outside_policy interface outside
Configure the ESMTP Inspection Service Policy
The default ASA configuration includes ESMTP inspection applied globally on all interfaces. A
common method for customizing the inspection configuration is to customize the default global policy.
You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map
name
match
parameter
Example:
hostname(config)# class-map esmtp_class_map
hostname(config-cmap)# match access-list esmtp
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (
match default-inspection-traffic
). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see
Identify Traffic (Layer 3/4 Class Maps), page 11-13
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map
name
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......