ASA Service Policy SMTP


    marcopolo
    Member
    #156135

    We have a Service Policy rule set up (not by ourselves) but we don’t think it’s working. Basically we want to restrict how much bandwidth the Server that is used to send external emails utilises. Whenever someone sends a large email (e.g. 700k) to an external list (200 recipients) it’s impacting on Browsing, general network access and Remote users. We see the outside interface hitting peaks at 8/9mb for extended periods of time and we really need to get this sorted.

    Here’s a crude copy/paste of the Policy in question.

    outside-class1 1 True Match EmailServerOut any tcp/smtp class outside-class1
    police input 1024000 1500 conform-action transmit exceed-action drop
    police output 1024000 1500 conform-action transmit exceed-action drop
    class-map outside-class1 description match acl=outside_mpc match port=null

    It looks OK but just doesn’t seem to do anything. One observation is there are no settings in the Protocol inspection area (is that right?), unlike the FTP inspect I configured, but since my knowledge of Cisco OS configurations is limited I’m somewhat stuck.

    …and a result of the command: “show service-policy”

    Global policy:
    Service-policy: asa_global_fw_policy
    Class-map: inspection_default
    Inspect: ftp, packet 309763, drop 0, reset-drop 0

    Interface outside:
    Service-policy: outside-policy1
    Class-map: outside-class1
    Input police Interface outside:
    cir 1024000 bps, bc 1500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
    Output police Interface outside:
    cir 1024000 bps, bc 1500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
    Class-map: outside-class2
    Input police Interface outside:
    cir 2048000 bps, bc 1500 bytes
    conformed 0 packets, 0 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps
    Output police Interface outside:
    cir 2048000 bps, bc 1500 bytes
    conformed 55176 packets, 42347975 bytes; actions: transmit
    exceeded 0 packets, 0 bytes; actions: drop
    conformed 0 bps, exceed 0 bps

    I’d appreciate any guidance or ideas.
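
One way to read the counters in the "show service-policy" output above, as an added example that is not part of the original post: the Python below parses the police sections and lists the classes whose policers have counted no packets in either direction, meaning the policer has not seen any traffic for that class. The function names are hypothetical, and the sample is the post's own output with the cir and rate lines left out.

```python
import re

# Police counter lines from the post's "show service-policy" output (cir/rate lines omitted).
SAMPLE = """\
Class-map: outside-class1
Input police Interface outside:
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
Output police Interface outside:
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
Class-map: outside-class2
Input police Interface outside:
conformed 0 packets, 0 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
Output police Interface outside:
conformed 55176 packets, 42347975 bytes; actions: transmit
exceeded 0 packets, 0 bytes; actions: drop
"""

CLASS_RE = re.compile(r"^Class-map:\s*(\S+)")
POLICE_RE = re.compile(r"^(Input|Output) police Interface (\S+):")
COUNT_RE = re.compile(r"^(conformed|exceeded) (\d+) packets, (\d+) bytes")

def parse_policers(text):
    """Return one dict per policer: class, direction, interface, packet counters."""
    policers, cls, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls, cur = m.group(1), None          # new class: reset current policer
        elif m := POLICE_RE.match(line):
            cur = {"class": cls, "direction": m.group(1).lower(),
                   "interface": m.group(2), "conformed": 0, "exceeded": 0}
            policers.append(cur)
        elif cur and (m := COUNT_RE.match(line)):
            cur[m.group(1)] = int(m.group(2))    # packet count for this action
    return policers

def idle_classes(policers):
    """Classes whose policers (all directions) have never counted a packet."""
    seen = {}
    for p in policers:
        seen[p["class"]] = seen.get(p["class"], 0) + p["conformed"] + p["exceeded"]
    return sorted(c for c, total in seen.items() if total == 0)

if __name__ == "__main__":
    print("never matched:", idle_classes(parse_policers(SAMPLE)))
```

On the post's output this reports outside-class1 as never matched, while outside-class2 has counted packets on its output policer.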
