Kevin Redmon Sun, 08/16/2009 - 18:50

Inspection can be a VERY useful feature and is often needed for protocols that require secondary connections - i.e., a primary connection is used as the "control channel" to open secondary connections. Some protocols that match this description are: FTP, H323, SIP, Skinny, etc. These last three are very commonly used for Voice and Media applications.

The benefit of inspection is that a user can permit only the primary connection via an access-list. The ASA will "inspect" the traffic and automatically create "pinholes" to allow the secondary connections - opening the requisite ports ONLY. Without inspection, in order to get the same applications/protocols (as mentioned above) to work correctly, a user would need to open up the access-list MUCH wider - sometimes allowing all ports > 1024 to be allowed into the network. This can create a HUGE hole in the network, whether or not the application is actively using these ports, making your network increasingly more vulnerable to an attack.

A second purpose of inspection is to perform Deep Packet Inspection. This feature will allow the ASA to report and/or prevent certain protocol behavior. For instance, some inspection behavior will limit the commands that can be used within the protocol ('inspect esmtp' is one example) or provide added insight as to the connection ('inspect http' will report the URL accessed). If NAT is involved, the ASA can modify any IP addresses at the protocol/application level to adjust for the NAT/PAT - again, protocols with secondary connections will sometimes require this.

The following link, leveraging "Modular Policy Framework", will provide guidance on using 'inspection'.
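
Added example, not part of the original post and not Cisco's code: a simplified Python model of how an inspection engine can derive a pinhole from the FTP control channel, so that only the negotiated data port is opened instead of every port above 1024. The class and function names, the one-time use of each pinhole and the host-match check are assumptions of this model; the sample lines are constructed.

```python
import re

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an FTP h1,h2,h3,h4,p1,p2 tuple, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpInspector:
    """Simplified model of a control-channel inspector (not ASA code)."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pinholes = set()  # (src_ip, dst_ip, dst_port), each usable once

    def control_line(self, sender_ip, line):
        """Feed one control-channel line; open a pinhole if it negotiates data."""
        verb = line.split(" ", 1)[0].upper()
        if sender_ip == self.client_ip and verb == "PORT":
            src, dst = self.server_ip, self.client_ip   # active: server dials client
        elif sender_ip == self.server_ip and verb == "227":
            src, dst = self.client_ip, self.server_ip   # passive: client dials server
        else:
            return None
        hp = parse_hostport(line)
        # Model choice: refuse a tuple that names a host other than the sender.
        if hp is None or hp[0] != dst:
            return None
        pinhole = (src, dst, hp[1])
        self.pinholes.add(pinhole)
        return pinhole

    def permit_data(self, src_ip, dst_ip, dst_port):
        """Permit a secondary connection only if a pinhole exists; use it once."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False

# Constructed sample control-channel lines (documentation address ranges).
SAMPLE = [("198.51.100.7", "PASV"),
          ("192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)")]
```

Feeding `SAMPLE` into `FtpInspector("198.51.100.7", "192.0.2.10")` leaves exactly one pinhole, to port 50000 on the server, where the access-list alternative described in the post would leave every port above 1024 reachable.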

