Filter
Top Products
24-24
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
SMTP and Extended SMTP Inspection
When the Cisco IP Phones are on a higher security interface compared to the TFTP server and
Cisco CallManager, no access list or static entry is required to allow the Cisco IP Phones to initiate the
connection.
Restrictions and Limitations
Note For specific information about setting up the Phone Proxy on the security appliance, which is part of the
Cisco Unified Communications architecture and supports IP Phone deployment, see Phone Proxy,
page 19-24.
The following are limitations that apply to the current version of PAT and NAT support for SCCP:
• PAT does not work with configurations containing the alias command.
• Outside NAT or PAT is not supported.
If the address of an internal Cisco CallManager is configured for NAT or PAT to a different IP address
or port, registrations for external Cisco IP Phones fail because the security appliance currently does not
support NAT or PAT for the file content transferred over TFTP. Although the security appliance supports
NAT of TFTP messages and opens a pinhole for the TFTP file, the security appliance cannot translate
the Cisco CallManager IP address and port embedded in the Cisco IP Phone configuration files that are
transferred by TFTP during phone registration.
Note The security appliance supports stateful failover of SCCP calls except for calls that are in the middle of
call setup.
SMTP and Extended SMTP Inspection
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting
the types of SMTP commands that can pass through the security appliance and by adding monitoring
capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP. For
convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The
application inspection process for extended SMTP is similar to SMTP application inspection and
includes support for SMTP sessions. Most commands used in an extended SMTP session are the same
as those used in an SMTP session but an ESMTP session is considerably faster and offers more options
related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for eight extended SMTP commands, including
AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML and VRFY. Along with the support for seven RFC
821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the security appliance supports a
total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, STARTLS, ONEX, VERB, CHUNKING, and private
extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by
the internal server. This results in a message such as “500 Command unknown: 'XXX'.” Incomplete
commands are discarded.
The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for
the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored.