11-52
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
SMTP and Extended SMTP Inspection
PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP
control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC
1701, RFC 1702].
Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response
sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP
control channel is disabled if the version announced by either side is not Version 1. In addition, the
outgoing-call request and reply sequence are tracked. Connections and xlates are dynamic allocated as
necessary to permit subsequent secondary GRE data traffic.
The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT
is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP
TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and
RFC 1702).
As described in RFC 2637, the PPTP protocol is mainly used for the tunneling of PPP sessions initiated
from a modem bank PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server).
When used this way, the PAC is the remote client and the PNS is the server.
However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user
PC that initiates connection to the head-end PAC to gain access to a central network.
SMTP and Extended SMTP Inspection
This section describes the IM inspection engine. This section includes the following topics:
• SMTP and ESMTP Inspection Overview, page 11-52
• Select ESMTP Map, page 11-53
• ESMTP Inspect Map, page 11-54
• MIME File Type Filtering, page 11-55
• Add/Edit ESMTP Policy Map (Security Level), page 11-55
• Add/Edit ESMTP Policy Map (Details), page 11-56
• Add/Edit ESMTP Inspect, page 11-57
SMTP and ESMTP Inspection Overview
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting
the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP. For
convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The
application inspection process for extended SMTP is similar to SMTP application inspection and
includes support for SMTP sessions. Most commands used in an extended SMTP session are the same
as those used in an SMTP session but an ESMTP session is considerably faster and offers more options
related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for these extended SMTP commands, including
AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for
seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total
of fifteen SMTP commands.