Why is the inspect command disabled by default on PIX 7.x?

Answered Question
May 29th, 2007

Hi everyone,

I have a question about the fixup (PIX 6.x) and inspect (PIX 7.x) commands, because our customer asked us the following questions:

- Why is the inspect command, which replaced the fixup command, disabled by default on ASA 7.2/PIX 7.x?

and

- Do we have to configure the inspect command explicitly, even though it is disabled by default?

However, I cannot clear this up, so I posted the question here.

In PIX 7.0, the fixup command has been deprecated and replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure.

I understand that in PIX 6.x the fixup command is enabled by default; however, in ASA 7.2 the inspect and fixup commands are disabled by default. I say so because, when I configured a brand new ASA 5500 running version 7.2, I could not find the following MPF commands related to application inspection in the output of the show run command on ASA 7.2.

class-map xxxx
policy-map yyyy
 class xxxx
  inspect "protocol"

Please note that I think the firewall service of ASA 7.2 is the same as that of PIX 7.x.

So I assume that the inspect command is also disabled by default on PIX 7.x.

Unfortunately, I cannot set up a PIX 7.x and so cannot confirm whether the inspect command is enabled or disabled by default on PIX 7.x.

I think the inspect command, which replaced the fixup command, is disabled by default on ASA 7.2/PIX 7.x for the following reasons:

- It allows selective application control based on the MPF infrastructure.

- It allows firewall/QoS policy to be configured on a per-interface basis, whereas the fixup command could only be configured globally.

And I think we should, or rather have to, configure the necessary inspect commands to perform application inspection, even though it is disabled by default, and what is needed may differ according to the applications used.

Is my idea suitable?

Any comment would be appreciated.

Best regards,

cpembleton Wed, 05/30/2007 - 04:30

The default for 7.x is for a basic global inspection policy to be turned on. Although I have seen some Cisco gear shipped with a different config than the normal default, there is a way to get the actual default config:

- Backup current config
- write erase
- conf t
- clear config all

If you don't see any inspection policy configured then it is off.

Application inspection guide:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080640337.html

This should be the default:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Thanks,

Chad

Please rate if helpful.

srue Wed, 05/30/2007 - 07:46

I just wanted to add a note to this thread...

I'm not sure what the difference is between the factory-shipped vs. the default configuration...

The 'factory shipped' configuration is easy enough to understand, but is that the default configuration?

If I do a "wr erase" in 7.x and reboot, I have no inspect commands, so is that the default?

cpembleton Wed, 05/30/2007 - 08:07

According to the Cisco doc the default includes a global inspection policy.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080640337.html#wp1383691

However, the last few devices I have bought came with a different config than the actual default. And when I erased that, I had what should be the default.

I have a test pix running 7.x and I will see what that has as the default.

Thanks,

Chad

Correct Answer
cpembleton Thu, 05/31/2007 - 04:57

I did a wr erase. Rebooted and said no to the automated prompts. I attached the default config which includes the default global inspection policy.

Thanks,

Chad

snakayama Thu, 05/31/2007 - 20:22

Hi,

Thank you very much for your reply and lab work.

I have also tested in my lab with PIX 7.2.2 and ASA 7.2.2, and I got the same result on PIX and ASA as you.

I executed the "write erase" command on PIX 7.2.2 and ASA 7.2.2 to get them back to the default configuration and then rebooted them. The following is the result of the "sh run" command after the reboot.

----------
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
----------

Next I executed "clear config all" in configuration mode on both and then confirmed from the "sh run" output whether the inspect commands were enabled (appeared).

The result was the same as above, because the "clear config all" command gets the running-config back to the factory-shipped configuration, not the startup-config.

However, a brand new ASA 7.2.2 does not enable the inspect command.

I do not know why the factory-shipped configuration (brand-new configuration) and the default configuration differ regarding the inspect command; however, I could understand what kind of case makes the inspect command enabled.

Thank you very much for your assistance.

Best regards,
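The practical takeaway of this thread is that a box's running-config may or may not carry the default global inspection policy, depending on whether it is factory-shipped or freshly erased, so the only reliable way to know is to audit the "sh run" output. The following is an added example, not code from the thread or from Cisco: a small Python script that parses a saved "show run" text, walks the policy-map that is applied with "service-policy ... global", and reports which of the inspections listed in the default policy above are present, missing or extra. The expected inspection set is taken from the default policy quoted by cpembleton and snakayama; the sample "show run" text is constructed for the example, and the "h323" handling (two-word protocol names) is an assumption about how to normalise those lines.

```python
import re

# Constructed sample: an abridged "show run" excerpt shaped like the default
# 7.x global inspection policy quoted in this thread (not captured from a real box).
SAMPLE_SHOW_RUN = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
"""

# Inspections that the thread reports in the 7.x default global policy.
DEFAULT_INSPECTS = {
    "dns", "ftp", "h323 h225", "h323 ras", "rsh", "rtsp", "esmtp", "sqlnet",
    "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp",
}


def normalize_inspect(args):
    """Reduce the arguments of an 'inspect' line to a protocol key.
    'dns preset_dns_map' -> 'dns'; 'h323 h225' -> 'h323 h225' (assumption: h323
    sub-protocols are kept as two-word keys, everything else is the first word)."""
    tokens = args.split()
    if tokens[0] == "h323" and len(tokens) > 1:
        return "h323 " + tokens[1]
    return tokens[0]


def parse_policy_maps(show_run):
    """Return {policy_map_name: {class_name: [inspect args, ...]}}.
    Only plain 'policy-map NAME' blocks are walked; 'policy-map type inspect ...'
    blocks are protocol inspection maps, not service policies, and are skipped."""
    policies = {}
    current_pm = None
    current_class = None
    for raw in show_run.splitlines():
        line = raw.strip()
        if line.startswith("policy-map type inspect "):
            current_pm = None
            current_class = None
            continue
        m = re.match(r"policy-map (\S+)$", line)
        if m:
            current_pm = m.group(1)
            policies.setdefault(current_pm, {})
            current_class = None
            continue
        if current_pm is None:
            continue  # outside any service policy-map
        m = re.match(r"class (\S+)$", line)
        if m:
            current_class = m.group(1)
            policies[current_pm].setdefault(current_class, [])
            continue
        m = re.match(r"inspect (.+)$", line)
        if m and current_class is not None:
            policies[current_pm][current_class].append(m.group(1))
    return policies


def audit_default_inspection(show_run):
    """Compare the globally applied service policy against DEFAULT_INSPECTS."""
    policies = parse_policy_maps(show_run)
    applied = None
    for raw in show_run.splitlines():
        m = re.match(r"service-policy (\S+) global$", raw.strip())
        if m:
            applied = m.group(1)
    enabled = set()
    if applied in policies:
        for inspects in policies[applied].values():
            enabled.update(normalize_inspect(a) for a in inspects)
    return {
        "policy_name": applied,
        "global_policy_applied": applied is not None and applied in policies,
        "enabled": enabled,
        "missing": DEFAULT_INSPECTS - enabled,   # expected by default but absent
        "extra": enabled - DEFAULT_INSPECTS,     # enabled beyond the default set
    }


if __name__ == "__main__":
    report = audit_default_inspection(SAMPLE_SHOW_RUN)
    print("global policy applied:", report["global_policy_applied"], report["policy_name"])
    print("missing:", sorted(report["missing"]) or "none")
    print("extra:", sorted(report["extra"]) or "none")
```

Run against a factory-shipped config with no policy-map at all (the case the thread describes), the script reports no global policy and every default inspection missing, which is exactly the condition that should prompt a "clear config all" or an explicit MPF configuration before the box goes into service.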
