cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
745
Views
0
Helpful
3
Replies

ASA 5500 model default setting

alan-wong
Level 1
Level 1

Dear All, I saw below default configuration showed in my new 5505 and 5515 ASA.  May i know what is the function of those configuration and does it command affecting of my ASA firewall?

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

To my understanding the Inspections purpose is both enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain type of connections.

The most common ones in constant use would probably be (for me atleast)

  • ICMP Inspection (not enabled by default) which helps you allow ICMP through the firewall and automatically allow the ICMP Echo reply back without allowing it through the firewall in a separate ACL. It also makes sure that only valid ICMP return messages are allowed through the firewall
  • DNS Inspection sets some parameters for the DNS traffic and also makes sure that only one DNS reply is allowed through the firewall. Its also needed you are going to use the "dns" parameter in the NAT configurations to enable ASA so a DNS rewrite.
  • FTP Inspection enables the ASA to automatically allow the FTP Data connections which are created in addition to the initial Control connection. Therefore you dont need to allow anything but the FTP Control connection (TCP/21) to form through the firewall and the ASA will use the FTP Inspection to automatically allow through the Data connection that will be formed.

For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide

Here is a link to the Command Reference and the different "inspect" commands

http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html

Here is a section in the Configuration Guide about inspections

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html

I have not even fully read them myself.

Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.

- Jouni

View solution in original post

3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

To my understanding the Inspections purpose is both enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain type of connections.

The most common ones in constant use would probably be (for me atleast)

  • ICMP Inspection (not enabled by default) which helps you allow ICMP through the firewall and automatically allow the ICMP Echo reply back without allowing it through the firewall in a separate ACL. It also makes sure that only valid ICMP return messages are allowed through the firewall
  • DNS Inspection sets some parameters for the DNS traffic and also makes sure that only one DNS reply is allowed through the firewall. Its also needed you are going to use the "dns" parameter in the NAT configurations to enable ASA so a DNS rewrite.
  • FTP Inspection enables the ASA to automatically allow the FTP Data connections which are created in addition to the initial Control connection. Therefore you dont need to allow anything but the FTP Control connection (TCP/21) to form through the firewall and the ASA will use the FTP Inspection to automatically allow through the Data connection that will be formed.

For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide

Here is a link to the Command Reference and the different "inspect" commands

http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html

Here is a section in the Configuration Guide about inspections

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html

I have not even fully read them myself.

Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.

- Jouni

Thx Jouni

So, do we need "inspect http", i saw most of the ASA did not have "inspect http".  I think this is also important, am I correct?

hi,

to my knowledge, HTTP inspection is disabled by default.

you can enable it under global policy if needed.

class inspection_default

inspect http

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: