Mal Osborne asked:
How to disable SMTP inspection on a Cisco NGFW via vFMC

I have an ASA-5508x, administered by a vFMC. Both are running 6.2.2.1. Note that this is FTD, not the older ASA software.

I have a server behind the 5508, in a DMZ, that I want to have send email via an SMTP connection to Office 365. The problem I am seeing is with the FTD performing "SMTP inspection", mangling the SMTP session. This can be seen when I telnet to port 25 and see a heap of asterisks, i.e.
220 ***************************************************************************************.

This, unfortunately, prevents my application from being able to start a TLS session, authenticate and relay.

I am trying to figure out how to turn this off. I have checked the rule that is allowing traffic on port 25, configuring NO intrusion policy and NO file policy, but SMTP inspection still seems to be occurring.

How do I disable this, and have SMTP traffic pass unmolested?

It would be preferable if I can do this in a rule, or in some other way make it apply to just a single host, but if it has to be implemented globally that is workable.
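The symptom described above (a 220 greeting made of asterisks, after which TLS cannot be started) can be checked from the DMZ host without driving telnet by hand. This is an added example, not code from the thread: the target host name is a placeholder, and the masked banner and EHLO reply are constructed samples, not captures from the asker's firewall.

```python
import re
import socket

# Constructed samples (not captured from the asker's firewall): a greeting
# masked into asterisks, as described in the question, and a normal one.
MASKED_BANNER = "220 " + "*" * 83 + ".\r\n"
NORMAL_BANNER = "220 mail.example.invalid Microsoft ESMTP MAIL Service ready\r\n"
# Constructed EHLO reply from a server that advertises STARTTLS.
SAMPLE_EHLO = ("250-mail.example.invalid Hello\r\n"
               "250-SIZE 157286400\r\n250-STARTTLS\r\n250 8BITMIME\r\n")


def banner_masked(greeting: str) -> bool:
    """True when the 220 greeting text is nothing but asterisks, the
    signature of ASA/FTD ESMTP inspection masking the server banner."""
    first = greeting.splitlines()[0].strip() if greeting else ""
    m = re.match(r"^220[ -](.*)$", first)
    if not m:
        return False
    text = m.group(1).rstrip(".")
    return bool(text) and set(text) == {"*"}


def ehlo_extensions(reply: str) -> set:
    """Keywords advertised in a multi-line 250 EHLO reply. The first 250 line
    carries the server's domain, so it is skipped."""
    lines = [ln for ln in reply.splitlines() if re.match(r"^250[ -]", ln)]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].split()}


def _read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply: keep reading until a final 'NNN<space>...' line."""
    buf = b""
    while not re.search(rb"(?:^|\n)\d{3} [^\n]*\r?\n$", buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def check_smtp_path(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect through the firewall, read the greeting, send EHLO, and report
    whether the banner is masked and whether STARTTLS is offered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        greeting = _read_reply(sock)
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        exts = ehlo_extensions(_read_reply(sock))
        sock.sendall(b"QUIT\r\n")
    return {"banner_masked": banner_masked(greeting),
            "starttls_offered": "STARTTLS" in exts, "extensions": exts}


if __name__ == "__main__":
    print(check_smtp_path("smtp-relay.example.invalid"))  # placeholder host
```

Run it from the DMZ server before and after changing the inspection policy: a masked banner, or STARTTLS missing from the extension set, shows the session is still being rewritten in transit.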
Pete Long:

OK, it's probably not the NGFW; it's probably ESMTP inspection you need to disable.

See: Cisco ASA Disable ESMTP Inspection
Pete
Mal Osborne (asker):
Re-read the bit of the original question that I bolded. The link you gave is for the ASA firmware. I have no CLI or ASDM.

Pete Long:

FTD might be newer, but that does not mean it's as feature-rich. All FTD management should be done from the FMC, and if what you want isn't there, then the feature's not added yet. I look after about 3 - 5 thousand Cisco ASA firewalls for various clients and not one of them is running FTD on an ASA5500-X.

P
Mal Osborne (asker):

Yeah, when we got the 5500 series devices, we had to choose between the older ASA firmware and the newer FTD. At the time, most devices supported either, with some of the newer ones supporting only FTD.

Sure, the ASA is way more common now, but this will change over time; in a few years ASA will probably be the less common choice.

You are certainly correct in saying that the FTD firmware is not yet feature complete, but we plan to keep these devices for at least 5 years.
ASKER CERTIFIED SOLUTION (Mal Osborne)