7-44
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Inspection of Basic Internet Protocols
SMTP and Extended SMTP Inspection
•
special-character
action
{
drop-connection
[
log
] |
log
}—Identifies the action to take for
messages that include the special characters pipe (|), back quote, and NUL in the sender or
receiver email addresses. You can either drop the connection and optionally log it, or log it.
•
allow-tls
[
action log
]—Whether to allow ESMTP over TLS (encrypted connections) without
inspection. You can optionally log encrypted connections. The default is
no allow-tls
, which
strips the STARTTLS indication from the session connection and forces a plain-text connection.
Example
The following example shows how to define an ESMTP inspection policy map.
hostname(config)# regex user1 “[email protected]”
hostname(config)# regex user2 “[email protected]”
hostname(config)# regex user3 “[email protected]”
hostname(config)# class-map type regex senders_black_list
hostname(config-cmap)# description “Regular expressions to filter out undesired senders”
hostname(config-cmap)# match regex user1
hostname(config-cmap)# match regex user2
hostname(config-cmap)# match regex user3
hostname(config)# policy-map type inspect esmtp advanced_esmtp_map
hostname(config-pmap)# match sender-address regex class senders_black_list
hostname(config-pmap-c)# drop-connection log
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect esmtp advanced_esmtp_map
hostname(config)# service-policy outside_policy interface outside
Configure the ESMTP Inspection Service Policy
The default ASA configuration includes ESMTP inspection applied globally on all interfaces. A
common method for customizing the inspection configuration is to customize the default global policy.
You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Procedure
Step 1
If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
class-map
name
match
parameter
Example:
hostname(config)# class-map esmtp_class_map
hostname(config-cmap)# match access-list esmtp
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (
match default-inspection-traffic
). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see
Identify Traffic (Layer 3/4 Class Maps), page 1-13
.
Step 2
Add or edit a policy map that sets the actions to take with the class map traffic.
policy-map
name
Summary of Contents for ASA 5512-X
Page 5: ...P A R T 1 Service Policies and Access Control ...
Page 6: ......
Page 51: ...P A R T 2 Network Address Translation ...
Page 52: ......
Page 127: ...P A R T 3 Application Inspection ...
Page 128: ......
Page 255: ...P A R T 4 Connection Settings and Quality of Service ...
Page 256: ......
Page 303: ...P A R T 5 Advanced Network Protection ...
Page 304: ......
Page 339: ...P A R T 6 ASA Modules ...
Page 340: ......