Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA global policy Vs ACL on interfaces.

Hi All,

Please clear my doubt on ASA global policy how is it work. 

 understand global policy is inspect the packet  if we don't have any ACL applied on interfaces(default behavior).

But when we applied ACL on interfaces will Global policy still inspect the packet ?

 

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error

 

Thanks.

4 REPLIES

Hi, Yes it will still inspect

Hi,

 

Yes it will still inspect even though you have configured ACL and binded to an interface. There are certain protocols which requires deep inspection in order to pass through a firewall. For some of the protocols ASA cannot create the reverse flows, where inspection is required to do so. Below mentioned excerpt from cisco document will explain much better.

 

The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.


Note For other IP protocols, like SCTP, the ASA does not create reverse path flows. As a result, ICMP error packets that refer to these connections are dropped.


Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

 

Regards

Karthik

New Member

Hi Karthik, Thanks for

Hi Karthik,

 

Thanks for clarification do you have any Cisco  link which explain more.Thanks.

Hi Narinder,The below

Hi Narinder,

The below mentioned documents will clarify your doubts.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/inspect.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/inspect_overview.html.

 

Figure 9-1 How Inspection Engines Work

 

In Figure 9-1, operations are numbered in the order they occur, and are described as follows:

1. A TCP SYN packet arrives at the ASA to establish a new connection.

2. The ASA checks the ACL database to determine if the connection is permitted.

3. The ASA creates a new entry in the connection database (XLATE and CONN tables).

4. The ASA checks the Inspections database to determine if the connection requires application-level inspection.

5. After the application inspection engine completes any required operations for the packet, the ASA forwards the packet to the destination system.

6. The destination system responds to the initial request.

7. The ASA receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.

The default configuration of the ASA includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required.

Regards

Karthik

 

New Member

Hi Karthik , Thanks a lot .. 

Hi Karthik ,

 

Thanks a lot .. 

367
Views
0
Helpful
4
Replies
CreatePlease login to create content