- Method line length greater than 512 bytes
- More than 100 recipient email addresses set
- Body line length greater than 998 bytes
- Header line length greater than 998 bytes
- Sender email address length greater than 320 bytes
- Mime filename length greater than 255 bytes
Example:
Source Server: 192.168.0.1
Destination Server: 172.16.0.1
To bypass the inspection for this traffic without disabling it globally, we have to implement the policy below. Before applying the new policy, we must save a copy of the existing default policy, because the inspection_default class has to be removed and added again so that the new class sits above it in global_policy.
1) Get existing policy:
# sh run policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
2) Implement new policy:
access-list smtp_bypass extended permit tcp host 192.168.0.1 host 172.16.0.1 eq smtp
!
policy-map type inspect esmtp smtp_bypass
 parameters
  no mask-banner
 match sender-address length gt 320
  log
 match mime filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd rcpt count gt 100
  log
 match body line length gt 998
  log
!
class-map smtp_bypass
 description Matches SMTP traffic and bypass global policy
 match access-list smtp_bypass
!
policy-map global_policy
 no class inspection_default
 class smtp_bypass
  inspect esmtp smtp_bypass
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
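The match lines in the smtp_bypass policy correspond to the length and count limits listed at the top of the page; the only difference from the default is that each hit is logged instead of dropping or resetting the connection. The script below is an added example, not part of the original post and not Cisco code: it applies the same thresholds to a constructed SMTP session (command lines plus the DATA payload) so an administrator can see, offline, which mails the log-only policy would report and the default policy would have rejected. The build_message helper, the criterion names and the sample addresses are the example's own assumptions.

```python
import email

# Thresholds exactly as the page lists them for ASA ESMTP inspection.
MAX_CMD_LINE = 512       # bytes per SMTP command line
MAX_RCPT = 100           # RCPT TO commands per message
MAX_BODY_LINE = 998      # bytes per body line
MAX_HEADER_LINE = 998    # bytes per header line
MAX_SENDER_ADDR = 320    # bytes of the MAIL FROM address
MAX_MIME_FILENAME = 255  # characters of a MIME part filename


def check_smtp_session(commands, message_bytes):
    """Return a list of (criterion, observed_value) for every limit exceeded.

    commands:      client command lines as bytes, without the trailing CRLF
    message_bytes: the DATA payload (headers, blank line, body) with CRLF endings
    """
    findings = []
    rcpt_count = 0
    for cmd in commands:
        if len(cmd) > MAX_CMD_LINE:
            findings.append(("cmd line length gt %d" % MAX_CMD_LINE, len(cmd)))
        verb = cmd.split(b":", 1)[0].strip().upper()   # "MAIL FROM", "RCPT TO", "DATA", ...
        if verb == b"RCPT TO":
            rcpt_count += 1
        elif verb == b"MAIL FROM":
            # Address is the first token after the colon; drop ESMTP params and angle brackets.
            addr = cmd.split(b":", 1)[1].strip().split(b" ", 1)[0].strip(b"<>")
            if len(addr) > MAX_SENDER_ADDR:
                findings.append(("sender-address length gt %d" % MAX_SENDER_ADDR, len(addr)))
    if rcpt_count > MAX_RCPT:
        findings.append(("cmd rcpt count gt %d" % MAX_RCPT, rcpt_count))

    # Headers end at the first empty line; everything after it is body (including MIME parts).
    header_part, _, body_part = message_bytes.partition(b"\r\n\r\n")
    for line in header_part.split(b"\r\n"):
        if len(line) > MAX_HEADER_LINE:
            findings.append(("header line length gt %d" % MAX_HEADER_LINE, len(line)))
    for line in body_part.split(b"\r\n"):
        if len(line) > MAX_BODY_LINE:
            findings.append(("body line length gt %d" % MAX_BODY_LINE, len(line)))

    # Walk the MIME tree to find attachment filenames.
    msg = email.message_from_bytes(message_bytes)
    for part in msg.walk():
        fname = part.get_filename()
        if fname and len(fname) > MAX_MIME_FILENAME:
            findings.append(("mime filename length gt %d" % MAX_MIME_FILENAME, len(fname)))
    return findings


def build_message(subject, body_lines, attachment_name):
    """Construct a small multipart message (sample data for the example)."""
    boundary = "sep"
    headers = [
        "From: alice@example.com",
        "To: bob@example.net",
        "Subject: " + subject,
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="%s"' % boundary,
    ]
    parts = [
        "--" + boundary,
        "Content-Type: text/plain",
        "",
        *body_lines,
        "--" + boundary,
        "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="%s"' % attachment_name,
        "",
        "QUJD",
        "--" + boundary + "--",
    ]
    return "\r\n".join(headers + [""] + parts + [""]).encode()


# Constructed sessions: one that passes every check and one that trips all six.
CLEAN_CMDS = [b"MAIL FROM:<alice@example.com>", b"RCPT TO:<bob@example.net>", b"DATA"]
CLEAN_MSG = build_message("Quarterly report", ["Hi Bob,", "See attached."], "report.pdf")

BAD_CMDS = [b"MAIL FROM:<" + b"a" * 330 + b"@example.com>"]          # sender address > 320
BAD_CMDS += [b"RCPT TO:<user%d@example.net>" % i for i in range(100)]
BAD_CMDS.append(b"RCPT TO:<" + b"b" * 520 + b"@example.net>")       # 101st RCPT and a 542-byte line
BAD_CMDS.append(b"DATA")
BAD_MSG = build_message("x" * 1000, ["Hello", "z" * 1000], "b" * 260 + ".bin")

if __name__ == "__main__":
    for name, cmds, msg in (("clean", CLEAN_CMDS, CLEAN_MSG), ("bad", BAD_CMDS, BAD_MSG)):
        for criterion, value in check_smtp_session(cmds, msg) or [("no match", None)]:
            print("%s: %s (%s)" % (name, criterion, value))
```

Each tuple the checker returns names the same criterion the ASA match line would log, so the output of this script on a captured message is a direct guide to what the smtp_bypass policy will write to syslog, and to what the default policy in inspection_default would have blocked for hosts not covered by the access-list.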
A similar configuration can be used to bypass other types of inspection for a specific host pair.
asa(config)# end
asa# wr mem