Nov 03 2010

show running won’t show you any pre-shared keys for tunnels, aaa-server keys or failover keys in cleartext. You will only see things like:

failover key *****

aaa-server authserver (inside) host
key *****

tunnel-group clients ipsec-attributes
pre-shared-key *****

Simply use the more system:running-config command to show all your keys unencrypted.

Posted at 11:22
Sep 03 2009

By default, TLS is not allowed by the ESMTP application inspection on ASA 55x0 or by the fixup protocol on PIX.

A PIX running IOS 6.x is not even capable of handling ESMTP. The only way to enable TLS/ESMTP on an old PIX is to disable the smtp fixup:

no fixup protocol smtp 25

On ASA 55x0 systems things look better. If you run 7.2(3) or higher you can permit the 250-STARTTLS ESMTP command by adding the following policy-map (allow-tls lives in the parameters submode):

policy-map type inspect esmtp esmtp_pmap
 parameters
  allow-tls [action log]

The optional action log keyword enables logging of TLS events.

Don’t forget to activate this policy. To apply it within the default global policy, type:

policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_pmap

ASAs below 7.2(3) only have the option to disable ESMTP inspection entirely, like this:

policy-map global_policy
 class inspection_default
  no inspect esmtp
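As an added example (not from the original post), a small Python audit that reads an ASA running-config excerpt and reports whether the global policy’s ESMTP inspection blocks STARTTLS, allows it (with or without logging), or has been disabled altogether; the config text below is constructed for illustration.

```python
import re

# Constructed sample of a "show running-config" excerpt, not a real device dump.
SAMPLE_CONFIG = """\
policy-map type inspect esmtp esmtp_pmap
 parameters
  allow-tls action log
policy-map global_policy
 class inspection_default
  inspect dns
  inspect esmtp esmtp_pmap
  inspect http
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Return {name: {"inspect_type": "esmtp"|None, "lines": [...]}} per policy-map.
    Top-level lines start a new policy-map; indented lines belong to the current one."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            m = re.match(r"policy-map(?: type inspect (\S+))? (\S+)$", line)
            current = None
            if m:
                current = m.group(2)
                maps[current] = {"inspect_type": m.group(1), "lines": []}
            continue
        if current:
            maps[current]["lines"].append(line.strip())
    return maps

def esmtp_tls_status(config):
    """Classify how the global policy treats STARTTLS in ESMTP traffic."""
    maps = parse_policy_maps(config)
    glob = maps.get("global_policy", {"lines": []})
    inspect_line = next((l for l in glob["lines"] if l.startswith("inspect esmtp")), None)
    if inspect_line is None:
        return "esmtp-inspection-disabled"      # TLS passes, but nothing is inspected
    parts = inspect_line.split()
    if len(parts) == 2:
        return "default-inspection-blocks-tls"  # plain "inspect esmtp" denies STARTTLS
    pmap = maps.get(parts[2])
    if pmap and pmap["inspect_type"] == "esmtp":
        tls_lines = [l for l in pmap["lines"] if l.startswith("allow-tls")]
        if tls_lines:
            return "tls-allowed-logged" if any("action log" in l for l in tls_lines) else "tls-allowed"
    return "custom-policy-blocks-tls"
```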

Why is TLS disabled by default?
TLS provides end-to-end encryption between two MTAs. The firewall cannot inspect the payload of encrypted traffic, so for security reasons TLS is denied by default.