Showing posts with label SMTP inspection. Show all posts

Thursday, September 26, 2024

Cisco ASA SMTP Inspection Guide for Versions 9.7 and Above

In Cisco ASA versions prior to 9.7, filtering SMTP traffic using regular expressions and L7 class maps was the typical approach. This method allowed you to inspect Layer 7 data to match specific string patterns within SMTP packets. You could use regular expressions to define string patterns, and the system would filter based on those.

However, starting with ASA 9.7, things have significantly changed, offering a more streamlined and efficient way to inspect and filter email traffic. Cisco introduced new features, simplifying the process, while also enhancing security, performance, and management. Below, we’ll walk through how SMTP inspection works post-9.7, including how to achieve the same results that were possible using class maps in older versions.

### What Changed in ASA 9.7?
With the release of ASA 9.7, Cisco brought in several major improvements:
- **More Advanced Application Layer Gateways (ALGs)** for better handling of protocols like SMTP.
- **Simplified Configuration** for inspecting application protocols, including SMTP, by removing the need for manual regular expressions for every inspection.
- **Unified Layer 7 Policies** for easier control over traffic inspection.

### SMTP Inspection in Post-9.7 ASA
SMTP (Simple Mail Transfer Protocol) is one of the most critical protocols for network security due to its role in email transfer. To protect your network from email-based threats (like spam, malware, and phishing), inspecting SMTP traffic is essential. Cisco ASA’s enhanced Application Inspection and Control (AIC) feature allows you to inspect and manage SMTP traffic more effectively.

#### The New SMTP Inspection Process
In ASA post-9.7, you no longer have to rely on class maps and regular expressions to inspect SMTP traffic. The system now provides **built-in SMTP inspection**, which simplifies the process. Here’s how SMTP inspection works and how you can configure it.

1. **Enable SMTP Inspection**: ASA includes an SMTP application layer gateway (ALG), which examines SMTP traffic at Layer 7, inspecting email messages and preventing malicious content from entering or leaving your network.

2. **Simplified Regular Expression Handling**: In pre-9.7 versions, you'd manually define regular expressions to match patterns in SMTP headers or body. Now the inspection engine handles most of this automatically, catching common problems such as malformed commands and protocol violations. You can still define custom regex patterns where necessary, but for most cases the built-in inspection suffices.

3. **TLS Inspection Support**: In the past, inspecting encrypted email traffic required separate solutions. Post-9.7 ASA can handle encrypted traffic (like SMTPS) using **SSL/TLS inspection**, making it easier to secure mail servers.

### Steps to Enable and Configure SMTP Inspection in ASA Post-9.7

Here’s a practical example of configuring SMTP inspection in a modern ASA setup.

#### 1. Enable Basic SMTP Inspection
First, you need to enable SMTP inspection on your ASA. This can be done through the command line or via the ASDM (Adaptive Security Device Manager).

- **From the CLI**:

  ```
  policy-map global_policy
   class inspection_default
    inspect esmtp
  ```

This enables ESMTP inspection in the global policy; the `inspection_default` class matches the protocol's default port, so SMTP traffic on TCP/25 passing through the ASA is now inspected and common threats are filtered out.

- **From ASDM**:
  - Go to **Configuration > Firewall > Service Policy Rules**.
  - Choose the global policy (or create a new one).
  - Under **Rule Actions**, enable **SMTP Inspection**.

#### 2. Fine-Tuning SMTP Inspection
While the default settings should work for most organizations, you can customize SMTP inspection to meet your needs. You can block specific email commands or inspect traffic in more detail by defining an ESMTP inspection policy map (`policy-map type inspect esmtp`) and attaching it to the `inspect esmtp` command.

For example, to block SMTP commands that are often abused for address enumeration, such as `EXPN` and `VRFY`, define an inspection policy map with a rule per verb:

```
policy-map type inspect esmtp smtp_policy
 match cmd verb EXPN
  drop-connection log
 match cmd verb VRFY
  drop-connection log
```

This policy map, attached in the global policy with `inspect esmtp smtp_policy` in place of the plain `inspect esmtp`, drops and logs any connection that issues `EXPN` or `VRFY`, which prevents spammers from verifying email addresses.

#### 3. Handling TLS/SSL-encrypted SMTP (SMTPS)
To inspect encrypted email traffic, you’ll need to enable SSL inspection:

- **Create an SSL policy**:

  ```
  ssl policy ssl_policy
   inspect ftp
   inspect smtp
   inspect https
  ```

- **Apply the SSL policy to your traffic**:

  ```
  policy-map global_policy
   class inspection_default
    ssl policy ssl_policy
  ```

This allows the ASA to decrypt, inspect, and then re-encrypt SMTP traffic that is secured with SSL/TLS.

### Sender Address Filtering
In older versions, matching sender addresses involved setting up L7 class maps with regular expressions. With ASA 9.7 and later, this process has been streamlined, but you still have the option to customize filtering based on the sender.

For example, if you want to inspect emails based on the sender address, you can use custom regex filters or an external mail security appliance to block known spammers or filter suspicious domains.

Here’s an example of matching a specific sender domain using regex (the dot in the domain is escaped so it matches only a literal dot):

```
regex match_sender "^.*@maliciousdomain\.com$"
policy-map type inspect esmtp sender_policy
 match sender-address regex match_sender
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp sender_policy
```

In this example, any message whose sender address ends in "@maliciousdomain.com" is dropped and logged.

### Conclusion
Cisco ASA post-9.7 greatly simplifies SMTP inspection, making it easier to secure your network while still providing flexibility for custom configurations when needed. The built-in SMTP inspection handles most threats automatically, but you can still fine-tune settings for advanced filtering, including sender address matching and SSL/TLS traffic inspection.

If you’re migrating from an older ASA version, you’ll find that the new approach requires less manual intervention, freeing up resources and reducing the chances of configuration errors. It’s a more powerful, yet simpler, solution to keep your email traffic secure.

Wednesday, September 25, 2024

Configuring Custom SMTP Inspection on Cisco ASA (Post-9.7)

Cisco ASA SMTP Inspection (Post 9.7) – Interactive Guide

Securing SMTP Traffic on Cisco ASA (Post 9.7)

In today’s email-driven world, securing your mail server is critical. SMTP is a frequent attack vector for spam, phishing, and DoS attempts. Starting with Cisco ASA 9.7, SMTP inspection configuration has become simpler, more flexible, and easier to manage using Layer-7 policy maps.

📧 SMTP Inspection Overview

SMTP (Simple Mail Transfer Protocol) forms the backbone of email delivery but is also widely abused. With proper inspection, Cisco ASA can:

  • Limit SMTP command usage
  • Block risky commands like VRFY and EXPN
  • Protect mail servers from abuse and DoS attacks

Before ASA 9.7, SMTP inspection relied on class maps and service policies. Now, everything can be configured directly inside an L7 inspection policy.

Step 1️⃣ Disable Default SMTP Inspection

Cisco ASA enables SMTP inspection by default. To apply a custom policy, you must first disable the default rule to avoid conflicts.

policy-map global_policy
 class inspection_default
  no inspect esmtp

Why? Default inspection overrides custom rules if left enabled.

Step 2️⃣ Create an L7 SMTP Policy Map

Starting with ASA 9.7, SMTP inspection is configured directly using an L7 policy map.

policy-map type inspect esmtp custom_smtp_policy

This policy will hold all SMTP command restrictions and limits.

Step 3️⃣ Control SMTP Commands & Limits

Certain SMTP commands can be abused for reconnaissance and enumeration.

policy-map type inspect esmtp custom_smtp_policy
 match cmd verb VRFY
  drop-connection log
 match cmd verb EXPN
  drop-connection log

You can also protect against DoS attacks by limiting the number of recipients accepted per message:

 match cmd RCPT count gt 100
  drop-connection log

Step 4️⃣ Apply SMTP Inspection Globally

Match SMTP traffic and apply the inspection globally.

class-map smtp_class
 match port tcp eq 25

policy-map global_policy
 class smtp_class
  inspect esmtp custom_smtp_policy

Step 5️⃣ Verify SMTP Inspection

Confirm that the SMTP inspection policy is active:

show service-policy inspect esmtp
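As an added check that is not part of either post (example code, not Cisco's): a Python audit that reads an ASA running-config and reports which ESMTP policy map is bound by `inspect esmtp` and which of its rules actually drop, covering the VRFY/EXPN blocks and recipient limit from this post and the sender-address regex from the post above. The config excerpt is constructed; the map name `custom_smtp_policy` is this post's.

```python
import re

# Constructed ASA config excerpt (not from the posts): a custom ESMTP map bound globally.
SAMPLE_CONFIG = """\
policy-map type inspect esmtp custom_smtp_policy
 match cmd verb VRFY
  drop-connection log
 match cmd verb EXPN
  drop-connection log
 match cmd RCPT count gt 100
  drop-connection log
 match sender-address regex match_sender
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp custom_smtp_policy
"""

def esmtp_policies(config):
    """Map each 'policy-map type inspect esmtp' name to its [match, action] pairs."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                 # top-level command ends any block
            m = re.match(r"policy-map type inspect esmtp (\S+)", line)
            current = m.group(1) if m else None
            if current:
                policies[current] = []
        elif current and line.startswith("match "):
            policies[current].append([line, ""])    # action line fills in below
        elif current and raw.startswith("  ") and policies[current]:
            policies[current][-1][1] = line
    return policies

def audit(config):
    """Report which ESMTP map is bound and which of its rules actually drop."""
    bound = re.search(r"^\s+inspect esmtp(?: (\S+))?$", config, re.M)
    name = None if bound is None else (bound.group(1) or "")  # "" = built-in default map
    out = {"policy": name, "blocked_verbs": set(), "rcpt_limit": None, "sender_regex": []}
    for match, action in esmtp_policies(config).get(name, []):
        if not action.startswith(("drop-connection", "reset")):
            continue                                # 'log' or 'mask' alone does not block
        if m := re.match(r"match cmd verb (\S+)", match):
            out["blocked_verbs"].add(m.group(1))
        elif m := re.match(r"match cmd RCPT count gt (\d+)", match):
            out["rcpt_limit"] = int(m.group(1))
        elif m := re.match(r"match sender-address regex (\S+)", match):
            out["sender_regex"].append(m.group(1))
    out["missing_verbs"] = {"VRFY", "EXPN"} - out["blocked_verbs"]  # the posts' baseline
    return out
```

Feed it the text of `show running-config`; a result with `policy` of `""` means the default map is in use and none of the custom blocks apply, and `None` means ESMTP inspection is off entirely.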

✅ Conclusion

Cisco ASA 9.7 introduced a cleaner and more powerful way to manage SMTP inspection. By disabling default inspection and applying a custom L7 policy, administrators gain precise control over SMTP behavior.

This approach enhances security, reduces attack surface, and allows rapid adaptation to evolving email threats.

💡 Key Takeaways

  • SMTP is a common attack vector and must be inspected
  • ASA 9.7 simplifies SMTP inspection using L7 policy maps
  • Default inspection must be disabled for custom rules
  • Blocking VRFY/EXPN reduces reconnaissance risks
  • Command limits protect against DoS attacks

Sunday, September 22, 2024

Advanced SMTP Inspection on Cisco ASA Post-9.7: A Focused Approach

SMTP Inspection in Cisco ASA 9.7+ – Complete Practical Guide

📧 SMTP Inspection in Cisco ASA 9.7+ – Complete Deep-Dive Guide

🚀 Introduction

SMTP inspection plays a critical role in protecting enterprise email infrastructure. Firewalls like Cisco ASA act as the first line of defense, ensuring that malicious payloads, malformed commands, and protocol violations are stopped before reaching internal mail servers.

💡 Core Objective: Inspect only the traffic that matters — not everything.

📨 What is SMTP Inspection?

SMTP (Simple Mail Transfer Protocol) is used to send emails across networks. However, because it's text-based and widely exposed, it is a common attack vector.

What ASA Checks During Inspection:

  • Malformed SMTP commands
  • Protocol violations
  • Buffer overflow attempts
  • Spam-related anomalies

⏳ Legacy ASA Behavior (Pre-9.7)

Before version 9.7, SMTP inspection was globally enforced using the default policy.

policy-map global_policy
 class inspection_default
  inspect esmtp

This meant:

  • All SMTP traffic was inspected
  • No host-level granularity
  • Performance overhead

⚠️ Why This Was a Problem

Global inspection could unnecessarily process trusted traffic, leading to latency and wasted resources.


⚡ ASA 9.7+ Enhancements

Cisco introduced interface-level and policy-based inspection.

Feature              Benefit
Granular Policies    Inspect specific flows only
Interface Binding    Apply policies where needed
Custom Class Maps    Match precise traffic

💡 Key Shift: From global inspection → targeted inspection

๐Ÿ“ Underlying Logic & Traffic Flow

While not purely mathematical, inspection follows logical matching conditions:

IF (source == Host A AND destination == Host B AND port == 25)
THEN apply SMTP inspection

Conceptually:

Inspection = f(ACL_match, Class_map, Policy_map)

📖 Deeper Explanation

Traffic first matches an ACL → then class map → then policy map → finally applied at interface level. Each layer acts as a filter, reducing unnecessary inspection.


⚙️ Step-by-Step Configuration

1. Disable Global SMTP Inspection

policy-map global_policy
 class inspection_default
  no inspect esmtp

2. Create ACL

access-list SMTP_INSPECTION extended permit tcp host 192.168.1.10 host 192.168.2.20 eq 25

3. Create Class Map

class-map SMTP_INSPECTION_CLASS
 match access-list SMTP_INSPECTION

4. Create Policy Map

policy-map SMTP_INSPECTION_POLICY
 class SMTP_INSPECTION_CLASS
  inspect esmtp

5. Apply to Interface

service-policy SMTP_INSPECTION_POLICY interface inside

🖥 CLI Output & Verification

Verification Command

show service-policy inspect esmtp

Sample Output

Global policy:
  Class inspection_default
    Inspect: esmtp, packet 0, drop 0

Interface inside:
  Class SMTP_INSPECTION_CLASS
    Inspect: esmtp, packet 1520, drop 3

📊 Output Breakdown

  • packet: number of inspected packets
  • drop: blocked malicious packets
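As an added check (example code, not from the post): a Python parser for the abbreviated `show service-policy inspect esmtp` layout shown above, pulling the per-class packet and drop counters so that any class with a non-zero drop count can be flagged for log review. The output text is constructed, with a `reset-drop` counter added to show that several counters on one line are handled.

```python
import re

# Constructed "show service-policy inspect esmtp" output (not copied from the post),
# in the abbreviated layout the post's sample uses, plus a reset-drop counter.
SAMPLE_OUTPUT = """\
Global policy:
  Class inspection_default
    Inspect: esmtp, packet 0, drop 0

Interface inside:
  Class SMTP_INSPECTION_CLASS
    Inspect: esmtp, packet 1520, drop 3, reset-drop 1
"""

def parse_inspect_counters(text):
    """One record per 'Inspect:' line: {'scope', 'class', 'counters': {name: int}}."""
    records, scope, cls = [], None, None
    for line in text.splitlines():
        if re.match(r"\S.*:$", line):               # 'Global policy:' / 'Interface inside:'
            scope = line[:-1]
        elif m := re.match(r"\s+Class(?:-map:)? (\S+)", line):
            cls = m.group(1)                        # accepts the fuller 'Class-map:' form too
        elif m := re.match(r"\s+Inspect: esmtp\b[^,]*,(.*)", line):
            counters = {k: int(v) for k, v in re.findall(r"([\w-]+) (\d+)", m.group(1))}
            records.append({"scope": scope, "class": cls, "counters": counters})
    return records

def classes_with_drops(text):
    """(scope, class, drops) for every class whose ESMTP inspection dropped traffic;
    a non-zero count marks where to start reviewing the ASA logs."""
    flagged = []
    for r in parse_inspect_counters(text):
        drops = r["counters"].get("drop", 0) + r["counters"].get("reset-drop", 0)
        if drops:
            flagged.append((r["scope"], r["class"], drops))
    return flagged
```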

🛠 Best Practices

  • Disable unnecessary global inspections
  • Use ACLs for precise targeting
  • Monitor logs regularly
  • Test policies in staging before deployment
  • Avoid over-inspection for trusted internal traffic

🎯 Key Takeaways

  • ASA 9.7 introduced granular inspection control
  • Global SMTP inspection is no longer ideal
  • Policy-based inspection improves performance
  • ACL + Class Map + Policy Map = Full control

📌 Final Thoughts

The shift introduced in ASA 9.7 is not just a feature upgrade — it’s a mindset change. Instead of applying security broadly, modern firewall strategies focus on precision.

By implementing targeted SMTP inspection, you reduce load, improve performance, and maintain strong security posture.
