Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to disable Application Inspection (aka ASA) on ASA

Hello!

Im trying to disable the (adaptive security algorith) or the application inspection (fixup) on the ASA. Is this possible? I tried to remove the global security policies for inspection, but when I access from inside, I can still get return traffic from outside. This may sound like dumb, but I want to make sure the Global/Interface application inspection configuration really has something to do with the ASA to that effect. I tried to read on the docs. but I cannot get suffifient explanations. Did anybody ever did this? Your replies will be greatly appreciated.

Lorenz

6 REPLIES
Silver

Re: How to disable Application Inspection (aka ASA) on ASA

The adaptive security algorithm is the heart of the ASA and can't be disabled. If you could disable it then the firewall would not work at all.

You can remove all the application inspections if so desired. The inspections are not to restrict traffic but to keep an eye on traffic that you want to allow. Like if you had a web server hosted behind the firewall. You don't want to just allow that traffic. Application inspections allows the traffic to the web server and makes sure it follows the rules.

Traveling from a higher security interface such as the typical inside to a lower outside interface the return traffic that passes the security algorithm is allowed. Unless an ACL blocks the traffic.

Here is a good article (for the pix but same concepts for the ASA)

http://www.examcram2.com/articles/article.asp?p=101741&seqNum=1&rl=1

Thanks,

Chad

Please rate if this helps!

New Member

Re: How to disable Application Inspection (aka ASA) on ASA

Hi Chad,

Thanks for your response. So, if the ASAlgorithm cannot be disabled but the Apps Inspection (or formerly known as fixup), does this mean the algorith has its own process or base rules followed, and the Apps Inspection separate (or enhancement) to that rules being implemented by the ASAalgorithm?

And if that is true, then at the minimal level of configuration, I could completely remove the Apps inspection without potentially opening any holes whatsoever. Is this equivalent to the PIX removing its fixup configuration at all, yet maintains the Adaptive Security Algorithm in force?

Just some clarifications needed.

Thanks and regards,

Lorenz

Silver

Re: How to disable Application Inspection (aka ASA) on ASA

Application inspection is seperate from the ASA. The ASA looks at things like the conn table, xlate table, and ACL table to determine if the traffic should be allowed.

Yes you can remove the default application inspection without causing any security problems. However, you may cause some protocols not to work.

Here is a good link on application inspection:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080640337.html#wp1313159

To remove the default global policy:

hostname(config)# no service-policy global_policy global

New Member

Re: How to disable Application Inspection (aka ASA) on ASA

Not sure what you are really asking. ASA cannot be removed but the application inspection rules (fixups) can be modified through a policy-map or a service-policy. In PIX 7.0 (which is very close to ASA) the fixups are in by default but there are options on how to specify how you want the various protocols inspected. Look at this link on how to use the modular policy framework.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450c8e.html

New Member

Re: How to disable Application Inspection (aka ASA) on ASA

Hi Tim,

Thanks for your response. I just want to clarify in my mind the difference between the terms ASA (Adaptive Security Algorithm) and the Applications Inspection. As I understand it, ASA is the algorithm that is responsible for HIGH-LOW traffic flow permission without needing specific configurations, while the Applications Inspections look deeper into the traffic (regardless of the direction). So, if that is true I can disable (or remove) any Application Inspection (including the default inspection being applied by ASA5500 device to the default config), and still ASA will be in effect, without worrying of security breaches (at least for normal or casual traffic flows). Is this correct?

Lorenz

PS: Thanks for the link that you gave. Its indeed helpful. Im having problem rating your post. please do reply so I can rate it the next time you post. thanks!

New Member

Re: How to disable Application Inspection (aka ASA) on ASA

Glad it helped. That is correct ASA is what allows all traffic to flow from HIGH to LOW. Application inspection is part of the modular framework. You can modify the standard Fixups but it is not recommended unless you have some app that will break without the changes. Much of the application inspection is set to its very highest levels so I don't think minor changes will hurt you that much.

521
Views
3
Helpful
6
Replies
CreatePlease login to create content