05-29-2007 10:50 PM - edited 03-11-2019 03:22 AM
Hi everyone,
I have a question about the fixup (PIX 6.x) and inspect (PIX 7.x) commands, because our customer asked us the following questions:
- Why is the inspect command, which replaced the fixup command, disabled by default on ASA 7.2/PIX 7.x?
and
- Do we have to configure the inspect command explicitly even though it is disabled by default?
However, I cannot clear this up myself, so I posted the question here.
In PIX 7.0, the fixup command has been deprecated and replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure.
I understand that in PIX 6.x the fixup command is enabled by default; however, in ASA 7.2 the inspect and fixup commands are disabled by default. I say so because when I configured a brand-new ASA 5500 running version 7.2, I could not find the following MPF commands related to application inspection in the output of the show run command on ASA 7.2.
class-map xxxx
policy-map yyyy
 class xxxx
  inspect "protocol"
Please note that I think the firewall service of ASA 7.2 is the same as that of PIX 7.x.
So I assume that the inspect command is disabled by default on PIX 7.x as well.
Unfortunately, I cannot set up a PIX 7.x and cannot confirm whether the inspect command is enabled or disabled by default on PIX 7.x.
I think the inspect command that replaced the fixup command is disabled by default on ASA 7.2/PIX 7.x for the following reasons:
- It allows selective application control based on the MPF infrastructure
- It allows firewall/QoS policy to be configured on a per-interface basis, whereas the fixup command could only be configured globally
And I think we should, or have to, configure the necessary inspect commands to do application inspection, though it is disabled by default and it may differ according to the application used.
Is my idea correct?
Any comment would be appreciated.
Best regards,
05-31-2007 04:57 AM
I did a wr erase, rebooted, and said no to the automated prompts. I attached the default config, which includes the default global inspection policy.
Thanks,
Chad
05-30-2007 04:30 AM
The default for 7.x is for a basic global inspection policy to be turned on. Although I have seen some Cisco gear shipped with a different config than the normal default, there is a way to get the actual default config:
- Back up the current config
- write erase
- conf t
- clear config all
If you don't see any inspection policy configured, then it is off.
Application inspection guide:
This should be the default:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
Thanks,
Chad
Please rate if helpful.
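One way to automate the check in this answer ("if you don't see any inspection policy configured then it is off") is to parse the running-config and confirm that an inspection policy is both defined and applied with a global service-policy. The script below is an added example written for this thread, not Cisco code or anything posted by the participants; the config text inside it is constructed from the default policy shown above, and the parser assumes the usual show run layout (one space of indentation per nesting level, "!" separator lines) and only understands class-map, policy-map and service-policy lines.

```python
"""Audit an ASA/PIX 7.x running-config for a global application-inspection policy.

Added example for this thread, not Cisco code or output. The config samples are
constructed; the parser assumes standard 'show run' indentation.
"""
import re

# Constructed sample: a trimmed copy of the default global inspection policy posted above.
DEFAULT_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
!
service-policy global_policy global
"""

# Constructed sample: a config with no MPF inspection at all (the "brand new unit" case).
BARE_CONFIG = """\
hostname asa-test
names
!
access-list outside_in extended permit tcp any host 192.0.2.10 eq 80
"""


def parse_mpf(config_text):
    """Return (class_maps, policy_maps, service_policies) from running-config text.

    class_maps:       {class_name: [match criteria]}
    policy_maps:      {policy_name: {class_name: [inspect arguments]}}
    service_policies: {policy_name: 'global' | 'interface <name>'}
    """
    class_maps, policy_maps, service_policies = {}, {}, {}
    current_class = current_policy = current_pclass = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            # Any top-level line ends the block we were in.
            current_class = current_policy = current_pclass = None
            if line.startswith("policy-map type "):
                continue  # protocol-specific inspect map; tuned via an 'inspect' line, not applied directly
            m = re.match(r"class-map (\S+)$", line)
            if m:
                current_class = m.group(1)
                class_maps[current_class] = []
                continue
            m = re.match(r"policy-map (\S+)$", line)
            if m:
                current_policy = m.group(1)
                policy_maps[current_policy] = {}
                continue
            m = re.match(r"service-policy (\S+) (global|interface \S+)$", line)
            if m:
                service_policies[m.group(1)] = m.group(2)
            continue
        if current_class is not None and line.startswith("match "):
            class_maps[current_class].append(line[len("match "):])
        elif current_policy is not None:
            if indent == 1 and line.startswith("class "):
                current_pclass = line.split(" ", 1)[1]
                policy_maps[current_policy].setdefault(current_pclass, [])
            elif indent == 2 and current_pclass and line.startswith("inspect "):
                policy_maps[current_policy][current_pclass].append(line[len("inspect "):])
    return class_maps, policy_maps, service_policies


def global_inspection_report(config_text):
    """Summarise which protocols are inspected by a globally applied policy.

    A policy-map that is defined but never applied with 'service-policy ... global',
    or that references a class-map that does not exist, counts as inspection being off.
    """
    class_maps, policy_maps, service_policies = parse_mpf(config_text)
    inspected = set()
    for policy, scope in service_policies.items():
        if scope != "global":
            continue
        for cls, args in policy_maps.get(policy, {}).items():
            if cls in class_maps:
                inspected.update(a.split()[0] for a in args)  # 'h323 h225' -> 'h323'
    return {"global_inspection": bool(inspected), "protocols": sorted(inspected)}


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("bare", BARE_CONFIG)):
        print(name, global_inspection_report(cfg))
```

Running the script against a saved show run output instead of the embedded samples only requires reading the file into a string; a report with global_inspection False on a unit that should carry the default policy is the case this thread describes, and write erase plus a reload (or clear configure fixup, as noted later in the thread) is what the posters used to restore it.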
05-30-2007 07:46 AM
I just wanted to add a note to this thread...
I'm not sure what the difference is between the factory-shipped vs. the default configuration...
The "factory shipped" configuration is easy enough to understand, but is that the default configuration?
If I do a "wr erase" in 7.x and reboot, I have no inspect commands, so is that the default?
05-30-2007 08:07 AM
According to the Cisco doc, the default includes a global inspection policy.
However, the last few devices I have bought came with a different config than the actual default. And when I erased that, I had what should be the default.
I have a test PIX running 7.x and I will see what that has as the default.
Thanks,
Chad
05-31-2007 08:22 PM
Hi,
Thank you very much for your reply and lab work.
I have also tested in my lab with PIX 7.2.2 and ASA 7.2.2, and I got the same result on the PIX and the ASA as you.
I executed the "write erase" command on PIX 7.2.2 and ASA 7.2.2 to get them back to the default configuration and then rebooted them. The following is the result of the "sh run" command after the reboot.
----------
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
----------
Next, I executed "clear config all" in configuration mode on both and then confirmed from the "sh run" output whether the inspect commands were enabled (appeared).
The result was the same as above, because the "clear config all" command gets the running-config back to the factory-shipped configuration, not the startup-config.
However, a brand-new ASA 7.2.2 does not have the inspect commands enabled.
I do not know why the factory-shipped configuration (brand-new configuration) and the default configuration differ regarding the inspect commands, but I could understand which cases make the inspect commands enabled.
Thank you very much for your assistance.
Best regards,
05-28-2010 08:11 PM
The command "clear configure fixup" will bring back the FPM. Try that.