Sep 03 2009
 

By default, TLS is not allowed by the ESMTP application inspection on the ASA 55x0 or by the SMTP fixup protocol on the PIX.

A PIX running IOS 6.x cannot handle ESMTP at all. The only way to allow TLS/ESMTP through an old PIX is to disable the SMTP fixup:

no fixup protocol smtp 25

On ASA 55x0 systems things look better. If you run 7.2(3) or higher, you can allow the 250-STARTTLS ESMTP extension by adding the following policy-map:

policy-map type inspect esmtp esmtp_pmap
 parameters
  allow-tls [action log]

The optional action log keyword enables logging of TLS events.

Don't forget to apply this policy. To enable it in the default global policy, type:

policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_pmap
 exit

ASAs running versions below 7.2(3) have no allow-tls option; the only choice there is to disable ESMTP inspection entirely:

policy-map global_policy
 class inspection_default
  no inspect esmtp
 exit

Why is TLS disabled by default?
TLS is end-to-end encryption between two MTAs. The firewall cannot inspect the payload of encrypted traffic, so for security reasons TLS is denied by default.
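A verification check, added here and not part of the original post: after changing the inspection policy, run EHLO from a client on the far side of the firewall and confirm that STARTTLS is still present in the reply the client receives. The sample replies and hostnames below are constructed for illustration, not captured from a real server.

```python
"""Check whether STARTTLS survives the firewall's ESMTP inspection."""
import smtplib


def parse_ehlo_reply(reply: str) -> dict:
    """Return {EXTENSION: params} from a raw multi-line 250 reply to EHLO.

    Per RFC 5321, '250-' prefixes continuation lines and '250 ' the last
    line; the first line names the server and is not an extension.
    """
    extensions = {}
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    for idx, line in enumerate(lines):
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if idx == 0:
            continue  # greeting line, e.g. '250-mail.example.test Hello ...'
        keyword, _, params = line[4:].partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def starttls_offered(reply: str) -> bool:
    """True if the client would see STARTTLS in this EHLO reply."""
    return "STARTTLS" in parse_ehlo_reply(reply)


def probe_server(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (needs network): run EHLO from the client side of the
    firewall and report whether the MTA still offers STARTTLS there."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample replies; hostnames are placeholders, not real servers.
EHLO_DIRECT = (  # what the MTA itself sends
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_THROUGH_FIREWALL = (  # constructed: same MTA, TLS still blocked by inspection
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    print("direct:       STARTTLS =", starttls_offered(EHLO_DIRECT))            # True
    print("via firewall: STARTTLS =", starttls_offered(EHLO_THROUGH_FIREWALL))  # False
```

Run probe_server against your MTA from outside the firewall; if it returns False while a direct EHLO to the MTA lists STARTTLS, the inspection policy is still stripping TLS.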

  One Response to “Allow TLS through ASA / PIX (SMTP fixup/ESMTP application inspection)”

  1. This saved me, very useful. Thank you!
