Inspection on ASA firewall

Answered Question
Jan 15th, 2010

Hi All,


May I know if it is the best security practice to turn on all applications for inspection under the default global inspection, or should the "any" option be chosen in place of the "default inspection" option instead?


Regards,

Kureli Sankar (Cisco Employee) Fri, 01/15/2010 - 08:39

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global


The above is a sample. You may leave it as it is or remove certain inspections if they cause problems.


-KS
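Before removing an inspection from the global policy it helps to know exactly which engines apply on which interface, since a per-interface service policy can add to (or override) what the global policy does. The following is an added example, not code from the thread or from Cisco: a small Python parser for the class-map / policy-map / service-policy section of a saved `show running-config`. The embedded config is constructed for the example; it reuses the global_policy shape posted above and adds a hypothetical `dmz-policy` that keeps `inspect http` only on a `dmz` interface. The "latency-prone" list (http, netbios) is simply the two engines called out later in this thread, not a Cisco classification.

```python
"""Which inspection engines apply on a given ASA interface?

Added example, not code from the thread. It parses the class-map / policy-map /
service-policy section of a saved `show running-config` and answers "what is
inspected on interface X", which is what you want to know before deciding to
drop `inspect http` from the global policy.
"""
import re

# Constructed sample, modelled on the global_policy posted above, plus a
# hypothetical per-interface policy "dmz-policy" that keeps http inspection
# only on the DMZ interface.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map dmz-web
 match port tcp eq www
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
  inspect netbios
  inspect icmp
  inspect icmp error
policy-map dmz-policy
 class dmz-web
  inspect http
!
service-policy global_policy global
service-policy dmz-policy interface dmz
"""

SERVICE_POLICY_RE = re.compile(
    r"^service-policy\s+(\S+)\s+(?:(global)|interface\s+(\S+))\s*$", re.M)


def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspection, ...]}}.

    Only `inspect ...` lines are collected; other class actions (set connection,
    police, ...) are ignored.
    """
    policies = {}
    current_policy = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            current_policy = line.split()[1]
            current_class = None
            policies.setdefault(current_policy, {})
        elif line == "!" or line.startswith("class-map "):
            current_policy = current_class = None   # left the policy-map block
        elif current_policy and line.startswith("class "):
            current_class = line.split()[1]
            policies[current_policy].setdefault(current_class, [])
        elif current_policy and current_class and line.startswith("inspect "):
            policies[current_policy][current_class].append(line[len("inspect "):])
    return policies


def parse_service_policies(config):
    """Return {policy_map: "global" | interface_name}."""
    return {m.group(1): m.group(2) or m.group(3)
            for m in SERVICE_POLICY_RE.finditer(config)}


def inspections_for_interface(config, interface):
    """Sorted inspections that apply to traffic on `interface`.

    The ASA allows one global and one per-interface service policy; where both
    define the same feature the interface policy wins, but for a "what gets
    inspected here" view the union is what matters.
    """
    policies = parse_policy_maps(config)
    applied = set()
    for pmap, target in parse_service_policies(config).items():
        if target in ("global", interface):
            for inspections in policies.get(pmap, {}).values():
                applied.update(inspections)
    return sorted(applied)


def latency_prone_inspections(config, interface, watch=("http", "netbios")):
    """The engines this thread singles out as latency-prone, if they apply here."""
    return [i for i in inspections_for_interface(config, interface)
            if i.split()[0] in watch]


if __name__ == "__main__":
    for iface in ("outside", "dmz"):
        print(iface, inspections_for_interface(SAMPLE_CONFIG, iface),
              "watch:", latency_prone_inspections(SAMPLE_CONFIG, iface))
```

Run it against a real `show running-config` dump (pasted into `SAMPLE_CONFIG` or read from a file) and compare the output per interface before and after a `no inspect http` change, so the change you ship is the one you intended and nothing else was dropped.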

Hi Kusankar,

While reading this, I just have a question as well as a second opinion. My ASA has inspect http in the global policy, and lately we are having some problems with slow traffic (not all the time) as we are hosting a website. Int0/2 of the ASA is subinterfaced into DMZ and DMZ_NS. On DMZ_NS we have a Netscaler doing the web hosting to the outside, and traffic on this is somewhere between 300M and 500M. Sometimes when traffic is around 250M users experience slow response on the web page, and sometimes traffic near 500M has no problem, and this applies to both the outside interface (int0/0) and int0/2. Checking around I found there are input errors and overrun errors on the outside interface and the int0/2 interface. My question is, can inspect http be causing some problem? If this http inspection is removed, can it cause problems for users browsing the web site or any kind of interruption? The ASA is a 5540 running 8.0.4 code.

Thank you.

Panos Kampanakis (Cisco Employee) Fri, 01/15/2010 - 14:45

Depending on the page, http inspection could cause issues. It depends on the page.

Disabling it will cost you much and it is worth giving it a try.


Errors on the interfaces probably mean something else though. 500Mbps could overload the smaller ASAs. You might be having a traffic issue. Check the CPU of the ASA while you see the issues. If it is high, it could mean that the ASA is overloaded.


PK

noobieee7 Fri, 01/15/2010 - 17:12

Hi Kusankar,


May I know if it is better to turn on inspection, or to create ACLs on the outside and inside interfaces to allow an application to pass through?


Regards,

Kent Heide Sat, 01/16/2010 - 02:12

Inspection can only be turned on via the MPF. As for allowing applications through your firewall, it depends on whether they actually need to be inspected or not. Protocols like RTP do, but others don't. In most cases an ACL on the interface allowing the port numbers used is sufficient. Other things like BGP etc. need TCP options set in the MPF.


What is it that you want to let through your fw?

Kureli Sankar (Cisco Employee) Sat, 01/16/2010 - 05:28

Well, it depends on the application. Is it a standard application? Do we have an inspection engine? If so, I'd use the inspection and not open an ACL. The few exceptions would be http and netbios. These are known to cause latency, especially http.


-KS

noobieee7 Sat, 01/16/2010 - 19:56

Thanks for the information.


I found something weird in my ASA configuration. On my outside interface ACL, if I add a rule to allow source A to destination B, I have to create another rule to allow source B to destination A on the same outside interface ACL in order for the application to work. Is that the correct behavior of the ASA?

Kureli Sankar (Cisco Employee) Sat, 01/16/2010 - 20:11

That doesn't sound right.


Who lives on the outside? A or B?


An ACL should always list the source first, meaning that if the ACL is applied on the outside interface (facing the internet), the source will only refer to hosts that live on the internet and the destination will be your translated IP address.


Example:


www server--(inside)ASA(outside)---Router---Internet---Google


Now, the ACL that is applied "in" on the outside interface will and can only have the following:


access-list acl-outside permit tcp host google host www_server eq 80

access-group acl-outside in interface outside


It will not have:

access-list acl-outside permit tcp host www_server eq 80 host google


Even if you have the above ACE, it will not be used. You will not see any hit counts. It doesn't make sense.


-KS
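The reason the reversed ACE never collects hit counts is the one KS gives: an interface ACL is consulted only for the first packet of a new flow arriving on the interface it is bound to; the server's replies are matched against the connection table, not the ACL. The block below is an added example, not code from the thread or an ASA implementation: a deliberately small Python model of that behaviour, which also shows the two points the thread reaches later, that reply traffic is allowed without any inside ACL and that, with no ACL bound, higher-security to lower-security traffic is permitted by default. The addresses 203.0.113.10 and 192.0.2.80 are RFC 5737 documentation addresses standing in for "google" and "www_server"; NAT, protocol numbers and inspection are left out of the model.

```python
"""Why a reversed ACE on the outside ACL never gets a hit.

Added example, not code from the thread. It is a deliberately small model of
the ASA behaviour the answer above describes: an interface ACL is evaluated
only for the first packet of a new flow, in the direction it is bound; replies
are matched against the connection table; and with no ACL on an interface,
traffic from a higher security level to a lower one is allowed by default.
NAT, protocol numbers and inspection are left out of the model.
"""
from dataclasses import dataclass
from typing import Optional

# Placeholder documentation addresses standing in for the post's "google"
# and "www_server" (RFC 5737 ranges, constructed for this example).
GOOGLE = "203.0.113.10"
WWW_SERVER = "192.0.2.80"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str            # interface the packet arrives on


@dataclass
class ACE:
    action: str             # "permit" or "deny"
    src: str                # host address or "any"
    dst: str
    dport: Optional[int]    # None means any port
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class StatefulFirewall:
    def __init__(self, security_levels):
        self.levels = security_levels       # e.g. {"outside": 0, "inside": 100}
        self.acls = {}                      # ingress interface -> [ACE]
        self.conns = set()                  # (src, sport, dst, dport) of permitted flows

    def access_group(self, interface, aces):
        """Bind an ACL inbound on an interface (like `access-group X in interface Y`)."""
        self.acls[interface] = aces

    def forward(self, p: Packet, egress: str) -> str:
        # 1. Reply of an established flow: the conn table permits it, no ACL lookup.
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit (conn table)"
        # 2. New flow with an ACL on the ingress interface: first matching ACE decides.
        acl = self.acls.get(p.ingress)
        if acl is not None:
            for ace in acl:
                if ace.matches(p):
                    ace.hits += 1
                    if ace.action == "permit":
                        self.conns.add((p.src, p.sport, p.dst, p.dport))
                        return "permit (acl)"
                    return "deny (acl)"
            return "deny (implicit)"
        # 3. No ACL: higher-to-lower security level is allowed, lower-to-higher is not.
        if self.levels[p.ingress] > self.levels[egress]:
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "permit (security level)"
        return "deny (security level)"


def demo():
    fw = StatefulFirewall({"outside": 0, "inside": 100})
    forward_ace = ACE("permit", GOOGLE, WWW_SERVER, 80)       # host google -> host www_server eq 80
    reversed_ace = ACE("permit", WWW_SERVER, GOOGLE, None)    # the ACE the post says is never used
    fw.access_group("outside", [forward_ace, reversed_ace])

    inbound = fw.forward(Packet(GOOGLE, WWW_SERVER, 40000, 80, "outside"), "inside")
    reply = fw.forward(Packet(WWW_SERVER, GOOGLE, 80, 40000, "inside"), "outside")
    # A brand-new outbound flow from the server, with no ACL on inside yet.
    outbound = fw.forward(Packet(WWW_SERVER, GOOGLE, 51000, 25, "inside"), "outside")
    # Now restrict inside with its own ACL (permit tcp any any eq 80 only).
    fw.access_group("inside", [ACE("permit", "any", "any", 80)])
    outbound_restricted = fw.forward(Packet(WWW_SERVER, GOOGLE, 51001, 25, "inside"), "outside")

    return {"inbound": inbound, "reply": reply, "outbound_no_acl": outbound,
            "outbound_with_acl": outbound_restricted,
            "forward_hits": forward_ace.hits, "reversed_hits": reversed_ace.hits}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reversed ACE stays at zero hits even though the server's replies flow back to the client, because those replies never reach an ACL lookup. On a real ASA the equivalent observation is `show access-list acl-outside`, where an ACE that shows `hitcnt=0` after the application has demonstrably worked is a strong sign it is in the wrong direction.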

noobieee7 Sun, 01/17/2010 - 07:22

Hi KS,


Let me verify on that tomorrow again.


One more query: if I create an ACL on the outside interface from source A (Internet) to destination B (Internal Server), a similar ACL gets automatically created on the inside interface. Is that correct?

Kureli Sankar (Cisco Employee) Sun, 01/17/2010 - 07:50

If the outside ACL allows the traffic that was initiated on the outside (internet), then the response traffic from the inside is AUTOMATICALLY allowed whether the ACL on the inside specifically allows it or not. This is the nature of a stateful firewall.


Does that answer your question?


-KS

noobieee7 Sun, 01/17/2010 - 07:56

Hi KS,


I think the issue now is that whenever I create an ACL on the outside interface from source A (Internet) to destination B (Internal Server), a similar ACL gets automatically created on the inside interface.

Is that the correct behavior of the ASA or is that a BUG?

Kent Heide Sun, 01/17/2010 - 12:56

It's not a bug. It seems like you've just put the same ACL on both interfaces :-)

Kureli Sankar (Cisco Employee) Sun, 01/17/2010 - 17:29

Pls. copy and paste the output of "sh run access-group"


With what you are trying to ask and tell us, it appears that you have the same access-list applied IN and OUT on the outside interface.


I will confirm once you provide the output.


-KS

noobieee7 Sun, 01/17/2010 - 18:40

Hi KS,


The information as below:


sh run access-group        
access-group Firewall in interface outside
access-group Firewall in interface inside


I will give you an example:


Lets say I create an ACL on the outside interface

From source IP 200.200.200.200 destination IP 10.10.10.10 port 80.


A same set of ACL gets created automatically on the inside interface

From source IP 200.200.200.200 destination IP 10.10.10.10 port 80.

Correct Answer
Kureli Sankar (Cisco Employee) Sun, 01/17/2010 - 18:45

Kent was right. You do have the same access-list applied on both inside and outside interfaces.


You can remove the acl applied on the inside interface. By default traffic from higher security is allowed to talk to the lower security without any acl in the PIX/ASA platform.


Steps to remove the ACL applied on the inside interface:

conf t

no access-group Firewall in interface inside


You can just leave the acl applied on the outside interface.


-KS
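The whole "ACL appears on both interfaces" mystery was one ACL bound twice, which `sh run access-group` exposed in two lines. That is a check worth automating when you audit more than one firewall. The block below is an added example, not code from the thread or from Cisco: it parses `show run access-group` output, reports any ACL bound to more than one interface, and emits the `no access-group` commands that keep only the outside-facing binding (the fix KS gives above). The sample output is constructed; it copies the thread's two `Firewall` lines and adds a clean `dmz-acl` binding for contrast. The ASA 8.3+ `access-group <acl> global` form is intentionally not matched, since this thread is about per-interface bindings on 8.0.4.

```python
"""Flag an ACL bound to more than one interface, as in the thread's `Firewall` case.

Added example, not code from the thread. Feed it the text of
`show running-config access-group` from one or more ASAs.
"""
import re
from collections import defaultdict

# Constructed sample: the two lines the original poster pasted, plus one clean
# binding on a hypothetical "dmz" interface so the report has a non-duplicate.
SAMPLE_SHOW_RUN_ACCESS_GROUP = """\
access-group Firewall in interface outside
access-group Firewall in interface inside
access-group dmz-acl in interface dmz
"""

BINDING_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")


def parse_access_groups(text):
    """Return [(acl_name, direction, interface), ...]; lines that are not
    per-interface bindings are ignored."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings.append(m.groups())
    return bindings


def acls_bound_to_multiple_interfaces(text):
    """{acl_name: [(direction, interface), ...]} for every ACL bound more than once.

    One ACL on two interfaces is occasionally intentional, but an ACL written
    with internet sources and internal destinations makes no sense bound
    inbound on the inside interface, so each hit deserves a look.
    """
    by_acl = defaultdict(list)
    for acl, direction, iface in parse_access_groups(text):
        by_acl[acl].append((direction, iface))
    return {acl: b for acl, b in by_acl.items() if len(b) > 1}


def remediation(text, keep_interface="outside"):
    """`no access-group ...` lines that drop the extra bindings, keeping the one
    on keep_interface. Removing the inside binding leaves inside-to-outside
    traffic on the default higher-to-lower permit until a dedicated inside ACL
    is written and applied."""
    cmds = []
    for acl, bindings in acls_bound_to_multiple_interfaces(text).items():
        for direction, iface in bindings:
            if iface != keep_interface:
                cmds.append(f"no access-group {acl} {direction} interface {iface}")
    return cmds


if __name__ == "__main__":
    for acl, where in acls_bound_to_multiple_interfaces(SAMPLE_SHOW_RUN_ACCESS_GROUP).items():
        print(f"{acl} is bound on: {where}")
    for cmd in remediation(SAMPLE_SHOW_RUN_ACCESS_GROUP):
        print(cmd)
```

Review the generated `no access-group` lines before pasting them into `conf t`; on a box where the inside interface really should be restricted, follow them immediately with a purpose-written inside ACL rather than leaving the default permit in place longer than necessary.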

noobieee7 Sun, 01/17/2010 - 19:19

Hi KS,


I would like to control the traffic going from the inside interface to the outside interface instead of allowing the default behavior to come in. Can I create another access-group to apply on my inside interface instead?

Correct Answer
Kureli Sankar (Cisco Employee) Sun, 01/17/2010 - 19:24

Yes, that is what you should do.


Come up with a new name for the ACL.


access-list inside-acl permit tcp host x.x.x.x any eq 80

access-list inside-acl permit tcp host y.y.y.y any eq 25

.

.

access-list inside-acl permit tcp any any eq 21


Once you finish the ACL, apply it on the inside interface with the command below.


access-group inside-acl in interface inside


-KS
