I got a call from a customer that said that they could not send out secure emails from their Exchange server from within their company to an outside email address. So the engineer that was with me and I went onsite, since we were close already, and almost immediately the guy that was with me mentioned that he had recently seen this and that he thought that the ASA inspection was blocking this outbound secure email. Well, that jogged my memory as well, and it seems like I have run into that a few times in the past as well. What was the solution?
Console into the Cisco ASA, then do the following:
ciscoasa# config t
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect esmtp
ciscoasa(config-pmap-c)#
I don't recall having to do this for any other firewall except the Cisco ASA. I know I have not for Check Point and Palo Alto. As for any other, I'm not sure.
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
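A way to confirm the symptom described in the post from the EHLO reply seen through the firewall, as an added example (not code from the original post or from Cisco). It assumes the commonly reported behaviour that ESMTP inspection without allow-tls overwrites the STARTTLS keyword with X filler such as 250-XXXXXXXA; the function names and sample replies are constructed for illustration.

```python
import re

# Constructed sample EHLO replies (not captured from any real server).
EHLO_DIRECT = "250-mail.example.com Hello\n250-SIZE 37748736\n250-STARTTLS\n250 8BITMIME"
EHLO_INSPECTED = "250-mail.example.com Hello\n250-SIZE 37748736\n250-XXXXXXXA\n250 8BITMIME"
EHLO_NO_TLS = "250-mail.example.com Hello\n250-SIZE 37748736\n250 8BITMIME"

# Assumption: a keyword rewritten by inspection shows up as a run of X's,
# optionally ending in one other letter (the widely seen "XXXXXXXA").
MASKED = re.compile(r"^X{4,}[A-Z]?$")


def ehlo_keywords(reply):
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    keywords = []
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"^250([ -])(.*)$", line.rstrip())
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # The first line is the server greeting, not an extension.
        if i > 0 and m.group(2):
            keywords.append(m.group(2).split()[0].upper())
        # "250 " (space instead of hyphen) marks the final reply line.
        if m.group(1) == " ":
            break
    return keywords


def classify_starttls(reply):
    """Classify how STARTTLS appears in an EHLO reply.

    offered -> the server advertises STARTTLS and the client can use it
    masked  -> a keyword was overwritten in transit; the client never sees
               STARTTLS, so secure delivery fails or falls back to cleartext
    absent  -> the server does not offer STARTTLS; not a firewall issue
    """
    keywords = ehlo_keywords(reply)
    if "STARTTLS" in keywords:
        return "offered"
    if any(MASKED.match(k) for k in keywords):
        return "masked"
    return "absent"


if __name__ == "__main__":
    for name, reply in [("direct", EHLO_DIRECT), ("inspected", EHLO_INSPECTED),
                        ("no-tls", EHLO_NO_TLS)]:
        print(name, classify_starttls(reply))
```

A "masked" result from inside the network, with "offered" for the same server from outside, points at the inspection rather than at the mail server.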
Another option:
# In ASA version 8.0.3 and later, the allow-tls command is available to allow TLS email with inspect esmtp enabled as shown:
# http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113336-asa83-mailserver-inside.html#esmtp
policy-map type inspect esmtp tls-esmtp
 parameters
  allow-tls
policy-map global_policy
 class inspection_default
  inspect esmtp tls-esmtp
service-policy global_policy global
Good post, Patrick. Thanks.