Shawn,
Thank you for correcting me. I have too many things going through my mind right now :). I'm an idiot. What you have said is spot on.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] On Behalf Of Shawn H Mesiatowsky
Sent: Wednesday, September 30, 2009 3:04 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] ESMTP inspection in ASA

class-map type inspect esmtp has never been available. You must use the policy-map type inspect esmtp.

  policy-map type inspect esmtp smtp_inspection
    match body length gt 4000
      reset
  policy-map global_policy
    class inspection_default
      inspect esmtp smtp_inspection

When you try to use a class for application inspection, this is for matching multiple items for a specific application inspection. There is currently no class-map type inspect esmtp, but there is a policy-map. This just means that you cannot have a match on several items at once. For instance, if you wanted to match body length AND the method type before resetting the connection, you cannot. In the policy-map, you can only define one match at a time.

A better example is http inspection, as it supports class-maps. For instance:

  policy-map type inspect http http_inspection
    match request body length gt 4000
      reset
    match request method post
      reset
  policy-map global_policy
    class inspection_default
      inspect http http_inspection

This will drop any request with a body length gt 2000 "OR" method post.

The following config has to match both to reset the connection, meaning that the request must be gt 2000 "AND" method post:

  class-map type inspect http match-all class_http_inspection
    match request body length gt 2000
    match request method post
  policy-map type inspect http http_inspection
    class class_http_inspection
      reset
  policy-map global_policy
    class inspection_default
      inspect http http_inspection

Hope this clarifies the use of class-map type inspects on the ASA.

From: [email protected] On Behalf Of Tyson Scott
Sent: Sunday, September 27, 2009 7:36 PM
To: 'Segun Daini; Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ESMTP inspection in ASA

Hmm, guess that makes it kind of hard to do Lab 2A and 2B. Crap, man. This stuff is killing me. 8.0(4) does have the eSMTP inspection protocol support. What do you pick, the bugs in 8.0(4) or the missing protocols in 8.2? My hands are up in the air.

Segun, ZBF most definitely supports eSMTP inspection. FPM is not really an inspection tool, but you could create an XML template for FPM to match SMTP packets, most definitely.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.

From: [email protected] On Behalf Of 'Segun Daini
Sent: Sunday, September 27, 2009 10:00 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ESMTP inspection in ASA

Hi King,

I see it now. There's no "class-map type inspect" for it, but there's "policy-map type inspect".

  oj-gprsfw(config)# policy-map type inspect ?

  configure mode commands/options:
    dcerpc            Configure a policy-map of type DCERPC
    dns               Configure a policy-map of type DNS
    esmtp             Configure a policy-map of type ESMTP
    ftp               Configure a policy-map of type FTP
    gtp               Configure a policy-map of type GTP
    h323              Configure a policy-map of type H.323
    http              Configure a policy-map of type HTTP
    im                Configure a policy-map of type IM
    ipsec-pass-thru   Configure a policy-map of type IPSEC-PASS-THRU
    mgcp              Configure a policy-map of type MGCP
    netbios           Configure a policy-map of type NETBIOS
    radius-accounting Configure a policy-map of type Radius Accounting
    rtsp              Configure a policy-map of type RTSP
    sip               Configure a policy-map of type SIP
    skinny            Configure a policy-map of type Skinny

Regards.

From: 'Segun Daini <[email protected]>
To: Kingsley Charles <[email protected]>
Cc: [email protected]
Sent: Sunday, September 27, 2009 2:49:39 PM
Subject: Re: [OSL | CCIE_Security] ESMTP inspection in ASA

Hmmm... I don't see the command on my box... it's even in the 8.2 doc.

Regards

From: Kingsley Charles <[email protected]>
To: 'Segun Daini <[email protected]>
Cc: [email protected]
Sent: Sunday, September 27, 2009 2:40:59 PM
Subject: Re: [OSL | CCIE_Security] ESMTP inspection in ASA

Hi Segun,

Please check out http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html

With regards
Kings

On Sun, Sep 27, 2009 at 7:07 PM, 'Segun Daini <[email protected]> wrote:

Hi King,

There's no application inspection for esmtp/smtp currently. Not even with FPM on IOS.

Regards.

From: Kingsley Charles <[email protected]>
To: [email protected]
Sent: Sunday, September 27, 2009 2:31:36 PM
Subject: [OSL | CCIE_Security] ESMTP inspection in ASA

Hi,

I have 8.2 in my ASA and it doesn't have "esmtp inspection" support. Any idea?

  ciscoasa(config)# class-map type inspect ?

  configure mode commands/options:
    dns   Configure a class-map of type DNS
    ftp   Configure a class-map of type FTP
    h323  Configure a class-map of type H323
    http  Configure a class-map of type HTTP
    im    Configure a class-map of type IM
    rtsp  Configure a class-map of type RTSP
    sip   Configure a class-map of type SIP

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
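The OR-versus-AND distinction Shawn describes (inline match/reset pairs in a policy-map type inspect each fire independently, while a class-map type inspect match-all fires only when every match line holds) is easy to get wrong when reviewing an inspection policy. The following Python model is an added example, not part of the thread and not Cisco code: it parses the subset of ASA MPF syntax quoted in Shawn's two http examples into rules and evaluates constructed HTTP requests against them. The `Request` class, its fields, and all function names are assumptions of the model; the two configs are the ones Shawn posted.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed representation of an inspected HTTP request (assumption; not an ASA structure).
@dataclass
class Request:
    method: str
    body_length: int

# One inspection rule: predicates, how they combine, and the action taken when they fire.
@dataclass
class Rule:
    predicates: List[Callable[[Request], bool]]
    match_all: bool            # True = AND (class-map match-all), False = OR (match-any)
    action: str = "reset"

def _predicate(match_line: str) -> Callable[[Request], bool]:
    """Translate one 'match ...' line into a predicate over a Request."""
    m = re.fullmatch(r"match request body length gt (\d+)", match_line)
    if m:
        limit = int(m.group(1))
        return lambda r: r.body_length > limit          # 'gt' is strict
    m = re.fullmatch(r"match request method (\w+)", match_line)
    if m:
        method = m.group(1).upper()
        return lambda r: r.method.upper() == method
    raise ValueError(f"unsupported match line: {match_line!r}")

def parse_policy(text: str) -> List[Rule]:
    """Parse the MPF subset used in the thread into an ordered list of rules.

    class-map type inspect http match-all|match-any NAME  ->  collects its match lines
    policy-map type inspect http NAME:
        match ... / reset   -> each pair becomes its own single-predicate rule (OR overall)
        class NAME / reset  -> one rule carrying the class-map's predicates and combinator
    global_policy and 'inspect' lines are ignored; they only attach the policy to traffic.
    """
    class_maps = {}            # name -> (match_all, [predicates])
    rules: List[Rule] = []
    mode = None                # ("class-map", name) | ("policy-map",) | None
    pending: Optional[Rule] = None
    for ln in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.fullmatch(r"class-map type inspect http (match-all|match-any) (\S+)", ln)
        if m:
            class_maps[m.group(2)] = (m.group(1) == "match-all", [])
            mode = ("class-map", m.group(2))
        elif re.fullmatch(r"policy-map type inspect http \S+", ln):
            mode = ("policy-map",)
        elif ln.startswith("policy-map "):               # e.g. global_policy
            mode = None
        elif mode and mode[0] == "class-map" and ln.startswith("match "):
            class_maps[mode[1]][1].append(_predicate(ln))
        elif mode and mode[0] == "policy-map":
            if ln.startswith("match "):
                pending = Rule([_predicate(ln)], match_all=True)
            elif ln.startswith("class "):
                match_all, preds = class_maps[ln.split()[1]]
                pending = Rule(list(preds), match_all=match_all)
            elif ln == "reset" and pending is not None:
                rules.append(pending)
                pending = None
    return rules

def evaluate(rules: List[Rule], req: Request) -> Optional[str]:
    """Return the action of the first rule the request triggers, or None."""
    for rule in rules:
        combine = all if rule.match_all else any
        if rule.predicates and combine(p(req) for p in rule.predicates):
            return rule.action
    return None

def decide(config: str, req: Request) -> str:
    return evaluate(parse_policy(config), req) or "allow"

# Shawn's first http example: two inline match/reset pairs, i.e. body > 4000 OR method POST.
OR_POLICY = """
policy-map type inspect http http_inspection
  match request body length gt 4000
    reset
  match request method post
    reset
policy-map global_policy
  class inspection_default
    inspect http http_inspection
"""

# Shawn's second http example: match-all class-map, i.e. body > 2000 AND method POST.
AND_POLICY = """
class-map type inspect http match-all class_http_inspection
  match request body length gt 2000
  match request method post
policy-map type inspect http http_inspection
  class class_http_inspection
    reset
policy-map global_policy
  class inspection_default
    inspect http http_inspection
"""

if __name__ == "__main__":
    for req in (Request("GET", 5000), Request("POST", 10), Request("POST", 3000)):
        print(req, "OR policy:", decide(OR_POLICY, req), "| AND policy:", decide(AND_POLICY, req))
```

Running the script shows a 5000-byte GET reset by the inline-match policy but allowed by the match-all class-map, while only a POST with a body over 2000 bytes trips the AND form; the same parser can be pointed at a match-any class-map to confirm it behaves like the inline form.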
