01-02-2007 06:54 PM - edited 03-11-2019 02:14 AM
Hello!
I'm trying to disable the adaptive security algorithm, or the application inspection (fixup), on the ASA. Is this possible? I tried to remove the global security policies for inspection, but when I access from inside, I can still get return traffic from outside. This may sound dumb, but I want to make sure the Global/Interface application inspection configuration really has something to do with the ASA to that effect. I tried to read the docs, but I cannot get sufficient explanations. Did anybody ever do this? Your replies will be greatly appreciated.
Lorenz
01-03-2007 12:23 PM
The adaptive security algorithm is the heart of the ASA and can't be disabled. If you could disable it then the firewall would not work at all.
You can remove all the application inspections if so desired. The inspections are not to restrict traffic but to keep an eye on traffic that you want to allow. Like if you had a web server hosted behind the firewall. You don't want to just allow that traffic. Application inspection allows the traffic to the web server and makes sure it follows the rules.
Traveling from a higher security interface, such as the typical inside, to a lower outside interface, the return traffic that passes the security algorithm is allowed, unless an ACL blocks the traffic.
Here is a good article (for the pix but same concepts for the ASA)
http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1&rl=1
Thanks,
Chad
Please rate if this helps!
01-04-2007 04:52 PM
Hi Chad,
Thanks for your response. So, if the AS algorithm cannot be disabled but the Apps Inspection (formerly known as fixup) can, does this mean the algorithm has its own process or base rules that it follows, and the Apps Inspection is separate from (or an enhancement to) those rules implemented by the ASA algorithm?
And if that is true, then at the minimal level of configuration, I could completely remove the Apps Inspection without potentially opening any holes whatsoever. Is this equivalent to the PIX removing its fixup configuration entirely, yet maintaining the Adaptive Security Algorithm in force?
Just some clarifications needed.
Thanks and regards,
Lorenz
01-05-2007 05:54 AM
Application inspection is separate from the ASA. The ASA looks at things like the conn table, xlate table, and ACL table to determine if the traffic should be allowed.
Yes you can remove the default application inspection without causing any security problems. However, you may cause some protocols not to work.
Here is a good link on application inspection:
To remove the default global policy:
hostname(config)# no service-policy global_policy global
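For readers who want to see what the command above actually removes, here is an added configuration example (not from this thread or from Cisco's own docs): a typical 7.x default global policy, the whole-policy removal Chad shows, and the narrower per-protocol alternative. The exact inspection list is assumed; check your own box with "show running-config all policy-map" first.

```cisco
! Default MPF objects on a 7.x ASA (assumed typical list; verify on your own device)
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

! Option 1: drop the whole global policy. The stateful checks (conn table,
! xlate table, ACLs) still apply; only the protocol fixups go away.
no service-policy global_policy global

! Option 2: keep the policy and remove a single inspection instead.
! Without "inspect ftp", active-mode FTP data connections coming back
! from outside are no longer pinholed dynamically, so they fail unless
! an ACL explicitly permits them.
policy-map global_policy
 class inspection_default
  no inspect ftp

! Verify which inspections remain and watch their packet counters
show service-policy global
```

Option 2 is the safer way to deal with one misbehaving application, since every other protocol keeps its inspection.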
01-04-2007 01:07 PM
Not sure what you are really asking. ASA cannot be removed but the application inspection rules (fixups) can be modified through a policy-map or a service-policy. In PIX 7.0 (which is very close to ASA) the fixups are in by default but there are options on how to specify how you want the various protocols inspected. Look at this link on how to use the modular policy framework.
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450c8e.html
01-04-2007 05:23 PM
Hi Tim,
Thanks for your response. I just want to clarify in my mind the difference between the terms ASA (Adaptive Security Algorithm) and the Applications Inspection. As I understand it, ASA is the algorithm that is responsible for HIGH-LOW traffic flow permission without needing specific configurations, while the Applications Inspections look deeper into the traffic (regardless of the direction). So, if that is true, I can disable (or remove) any Application Inspection (including the default inspection applied by the ASA5500 device in the default config), and still ASA will be in effect, without worrying about security breaches (at least for normal or casual traffic flows). Is this correct?
Lorenz
PS: Thanks for the link that you gave. It's indeed helpful. I'm having a problem rating your post. Please do reply so I can rate it the next time you post. Thanks!
01-05-2007 08:08 AM
Glad it helped. That is correct, ASA is what allows all traffic to flow from HIGH to LOW. Application inspection is part of the modular framework. You can modify the standard Fixups but it is not recommended unless you have some app that will break without the changes. Much of the application inspection is set to its very highest levels so I don't think minor changes will hurt you that much.