I have a question about the fixup (PIX 6.x) and inspect (PIX 7.x) commands because our customer asked us the following questions:
- Why is the inspect command, which replaced the fixup command, disabled by default on ASA 7.2/PIX 7.x?
- Do we have to configure the inspect command explicitly even if it is disabled by default?
However, I could not resolve it, so I am posting this question here.
In PIX 7.0, the fixup command has been deprecated and replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure.
I understand that in PIX 6.x the fixup command is enabled by default, whereas in ASA 7.2 the inspect and fixup commands are disabled by default. I say so because, when I configured a brand-new ASA 5500 running version 7.2, I could not find the following MPF commands related to application inspection in the output of the show runn command on ASA 7.2.
Please note that I think the firewall service of ASA 7.2 is the same as that of PIX 7.x.
So I assume that the inspect command is also disabled by default on PIX 7.x.
Unfortunately, I cannot set up a PIX 7.x and so cannot confirm whether the inspect command is enabled or disabled by default on PIX 7.x.
I think the inspect command, which replaced the fixup command, is disabled by default on ASA 7.2/PIX 7.x for the following reasons:
- It allows selective application control based on the MPF infrastructure.
- It allows firewall/QoS policy to be configured on a per-interface basis, whereas the fixup command could only be configured globally.
And I think we should, or rather have to, configure the necessary inspect commands to do application inspection, though it is disabled by default and what is needed may differ according to the application used.
Is my understanding correct?
Any comments would be appreciated.
I did a wr erase, rebooted, and said no to the automated prompts. I attached the default config, which includes the default global inspection policy.
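
Added example, not part of the original thread and not the attached config: a small Python check that reads `show running-config` text and reports which inspect engines are actually applied, globally or per interface, through MPF `policy-map` and `service-policy` lines. The sample configuration, including the names `web_only`, `outside_policy`, `unused_policy` and the interface name `outside`, is constructed for illustration.

```python
import re

# Constructed sample in the style of "show running-config" output (not the
# attachment from the thread); policy and interface names are assumptions.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map web_only
 match port tcp eq 80
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect esmtp
  inspect sip
policy-map outside_policy
 class web_only
  inspect http
policy-map unused_policy
 class inspection_default
  inspect tftp
!
service-policy global_policy global
service-policy outside_policy interface outside
"""

def audit_inspection(config):
    """Return (active, unused): active maps each applied scope ('global' or
    'interface <name>') to its sorted inspect engines; unused lists
    policy-maps that no service-policy line applies."""
    policies = {}   # policy-map name -> set of inspect engines
    applied = {}    # scope -> policy-map name
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        # Layer 3/4 policy-maps only; "policy-map type inspect ..." is skipped.
        if m := re.match(r"policy-map (?!type )(\S+)$", line):
            current = m.group(1)
            policies[current] = set()
        elif raw[:1] not in (" ", "\t"):
            current = None  # any other top-level line closes the block
            if m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
                applied[m.group(2)] = m.group(1)
        elif current and (m := re.match(r"inspect (.+)$", line)):
            policies[current].add(m.group(1))
    active = {scope: sorted(policies.get(name, ())) for scope, name in applied.items()}
    unused = sorted(set(policies) - set(applied.values()))
    return active, unused
```

An inspect line inside a policy-map has no effect until a `service-policy` line applies that policy-map, which is why the check reports unapplied policy-maps separately.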