Friday, February 13, 2009

Cisco ASA firewall disabling STARTTLS by default

I have found that my Cisco ASA 5510 masks out the STARTTLS extension because of the ESMTP application inspection, which is enabled by default. The inspection rewrites the STARTTLS keyword in the server's EHLO reply, so mail clients and peer MTAs never see it and silently fall back to cleartext SMTP.

How to let TLS be negotiated on ESMTP sessions through the firewall:

Option one (keep ESMTP inspection, but permit the TLS negotiation; the inspection policy map must also be applied to the default inspection class, otherwise it has no effect):
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls [action log]
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_map
Option two (turn ESMTP inspection off entirely):
no fixup protocol smtp 25
(fixup protocol is the legacy PIX 6.x syntax, not a Cisco IOS command; the ASA 5510 runs ASA software rather than IOS. I'm running 8.0(4) and fixup still works for me too: the ASA accepts it and translates it into the equivalent change to the global inspection policy.)
Note that once the session switches to TLS the firewall can no longer see the SMTP commands, so with either option the ESMTP checks only cover the part of the session before STARTTLS. Option one is preferable because it keeps inspection of the cleartext part and of sessions that never negotiate TLS.
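Before and after changing the firewall configuration it is worth verifying from the outside whether the MTA's STARTTLS advertisement actually reaches the client. The following checker is an added example, not code from the original post: it speaks the EHLO exchange over a raw socket, parses the multi-line 250 reply and classifies STARTTLS as advertised, masked (the inspection overwrites the keyword with X characters of the same length, so an extension keyword consisting only of X's is taken as masked) or absent. The host names and the two sample replies are constructed for illustration.

```python
import socket

# Constructed sample EHLO replies (not captured from a real host), used for offline checks.
EHLO_CLEAN = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_MASKED = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 52428800\r\n"
    "250-XXXXXXXX\r\n"          # STARTTLS overwritten by the inspection engine
    "250 HELP\r\n"
)


def parse_ehlo_reply(reply):
    """Return the extension keywords (upper-cased) from a multi-line 250 reply.

    The first 250 line carries the server greeting and is skipped; each later
    line is "250-KEYWORD [params]" or, for the last one, "250 KEYWORD".
    """
    lines = [line for line in reply.replace("\r\n", "\n").split("\n") if line]
    keywords = []
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if index == 0:
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            keywords.append(keyword)
    return keywords


def classify_starttls(keywords):
    """'advertised' if STARTTLS is offered, 'masked' if a keyword was blanked to
    X's (what the ASA ESMTP inspection does without allow-tls), else 'absent'."""
    if "STARTTLS" in keywords:
        return "advertised"
    if any(set(keyword) == {"X"} for keyword in keywords):
        return "masked"
    return "absent"


def _read_reply(stream):
    """Read one SMTP reply, which ends at the first line with a space in column 4."""
    lines = []
    while True:
        line = stream.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("connection closed in the middle of a reply")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            return "".join(lines)


def probe(host, port=25, helo_name="probe.example.net", timeout=10):
    """Connect to host:port through the firewall, send EHLO and classify the reply.

    Performs real network I/O; helo_name is an arbitrary hypothetical client name.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        _read_reply(stream)                       # 220 banner
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = _read_reply(stream)
        sock.sendall(b"QUIT\r\n")
    return classify_starttls(parse_ehlo_reply(reply))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print("%s: STARTTLS %s" % (target, probe(target)))
```

Run it from a host on the far side of the ASA against the published MX; "masked" is the signature of the default ESMTP inspection, and the result should change to "advertised" after either option above is applied. The probe only checks the advertisement: it does not itself issue STARTTLS, so it cannot tell whether the handshake that follows would also be interfered with.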

2 comments:

Alex said...

Thank you, this proves I'm not crazy ;)

Mohsen Ansari said...

That really is the solution to the problem. Thanks for your thoughts.