Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Inspection on ASA firewall

Hi All,

May I know if it is the best security practise to turn on all application for inspect under the Default Global inspection, or should the "any" option be chosen in place of the "default inspection" option instead?

Regards,

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Inspection on ASA firewall

Kent was right. You do have the same access-list applied on both inside and outside interfaces.

You can remove the acl applied on the inside interface. By default traffic from higher security is allowed to talk to the lower security without any acl in the PIX/ASA platform.

steps to remove the acl applied on the inside interface.

conf t

no access-group Firewall in interface inside

You can just leave the acl applied on the outside interface.

-KS

Cisco Employee

Re: Inspection on ASA firewall

Yes, that is what you should do.

Come up with a new name for the acl.

access-list inside-acl permit tcp ho x.x.x.x any eq 80

access-list inside-acl permit tcp ho y.y.y.y any eq 25

.

.

access-list inside-acl permit tcp any any eq 21

Once you finish the acl then apply it on the inside interface with this command below.

access-group inside-acl in int inside

-KS

17 REPLIES
Cisco Employee

Re: Inspection on ASA firewall

class-map inspection_default
match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

The above is a sample.  You may leave it as it is or remove certain inspections if they cause problem.

-KS

New Member

Re: Inspection on ASA firewall

Hi Kusankar,

While reading this, I just have a question as well as 2nd opion.  On my ASA has the inspect http in global policy and lately we are having some

problem with slow traffic (not all the time) as we hosting website.  The int0/2 of the ASA is subinterface into DMZ and DMZ_NS.

The DMZ_NS we have Netscaler do the web hosting to outside and traffic on this is somewhere around between 300M to 500M.

Sometime when traffic around 250M users experience slow respone on the web page and some time traffic near 500M has no problem

and this applied to both interface outside (int0/0) and int0/2.  Checking around I found there are input errors and overrun errors on outside

interface and the int0/2 interface.  My question is can the inspect http causing some problem?  If this inspection http is removed,

can it cause problem for users browsing the web site or any kind of interuption?  ASA is 5540 and running 8.0.4 code.

Thank you.

Cisco Employee

Re: Inspection on ASA firewall

Depending on the page http inspection could cause issues. It depend on the page.

Disabling it will cost you much and it is worth to give it a try.

Errors on the interfaces probably mean something else though. 500Mbps could overload the smaller ASAs. You might be having a traffic issue. Check the cpu of the ASA while you see the issues. If it is high it could mean that the ASA is overloaded.

PK

New Member

Re: Inspection on ASA firewall

Hi Kusankar,

May I know if it is a better way by turning on inspection or to create ACL on the outside and inside interfaces to allow a application to pass thru?

Regardsm

New Member

Re: Inspection on ASA firewall

Inspection can only be turned on via the MPF. As for allowing applications through your firewall depends on whether they actually need to be inspected or not. Protocols like RTP does, but others don't. In most cases an ACL on the interface allowing the port numbers used is sufficient. Other things like BGP etc needs tcp options set in the MPF.

What is it that you want to let through your fw?

Cisco Employee

Re: Inspection on ASA firewall

Well, it depends on the application.  Is it a standard application? Do we have an inspection engine? If so, I'd use the inspection and not open acl.  The few exceptions would be http, netbios.  These are known to cause latency, especially http. 

-KS

New Member

Re: Inspection on ASA firewall

Thanks for the information.

I found out something weird in my ASA configuration. On my outside interface ACL, if I add a rule to allow source A to destination B, I have to create another rule to allow source B to destination A on the same outside interface ACL in order for the Application to work. Is that the correct behavior of the ASA?

Cisco Employee

Re: Inspection on ASA firewall

That doesn't sound right.

Who lives on the outside? A or B?

ACL should always list the source first meaning if the ACL is applied on the outside interface (facing the internet), the source will only talk about hosts that live on the internet and the destination will be your translated IP address.

example.

www server--(inside)ASA(outside)---Router---Internet---Google

Now, the acl that is applied "IN" on the outside interface will and can only have the following

access-g acl-outside in int outside

access-l acl-outside permit tcp host google host www_server eq 80

It will not have

access-l acl-outside permit tcp host www_server eq 80 host google

Even if you have the above acl, it will not be used. You will not see any hit counts. It doesn't make sense.

-KS

New Member

Re: Inspection on ASA firewall

Hi KS,

Let me verify on that tomorrow again.

One more quey, if I create an ACL on the outside interface from source A (Internet) to destination B (Internal Server), a similar ACL get automatically create on the inside interface. Is that correct?

Cisco Employee

Re: Inspection on ASA firewall

If the outside ACL allows the traffic that was initiated on the outside (internet) then, the response traffic from the inside is AUTOMATICALLY allowed whether the ACL on the inside specifically allowes it or not.  This is the nature of the stateful firewall.

Does that answer your question?

-KS

New Member

Re: Inspection on ASA firewall

Hi KS,

I think the issue now is that whenever I create an ACL on the outside interface from source A (Internet) to destination B (Internal Server), a similar ACL get automatically created in the inside interface.

Is that the correct behavior of the ASA or is that a BUG?

New Member

Re: Inspection on ASA firewall

It's not a bug. It seems like you've just put the same ACL on both interfaces :-)

Cisco Employee

Re: Inspection on ASA firewall

Pls. copy and paste the output of "sh run access-group"

With what you are trying to ask and tell us, it appears that you have the same access-list applied IN and OUT on the outside interaface.

I will confirm once you provide the output.

-KS

New Member

Re: Inspection on ASA firewall

Hi KS,

The information as below:

sh run access-group        
access-group Firewall in interface outside
access-group Firewall in interface inside

I will give you an example:

Lets say I create an ACL on the outside interface

From source IP 200.200.200.200 destination IP 10.10.10.10 port 80.

A same set of ACL gets created automatically on the inside interface

From source IP 200.200.200.200 destination IP 10.10.10.10 port 80.

Cisco Employee

Re: Inspection on ASA firewall

Kent was right. You do have the same access-list applied on both inside and outside interfaces.

You can remove the acl applied on the inside interface. By default traffic from higher security is allowed to talk to the lower security without any acl in the PIX/ASA platform.

steps to remove the acl applied on the inside interface.

conf t

no access-group Firewall in interface inside

You can just leave the acl applied on the outside interface.

-KS

New Member

Re: Inspection on ASA firewall

Hi KS,

I would like to control the traffic going from the inside interface to the outside interface instead of allowing the default behavior to come in. Can I create another access-group to apply on my inside interface instead?

Cisco Employee

Re: Inspection on ASA firewall

Yes, that is what you should do.

Come up with a new name for the acl.

access-list inside-acl permit tcp ho x.x.x.x any eq 80

access-list inside-acl permit tcp ho y.y.y.y any eq 25

.

.

access-list inside-acl permit tcp any any eq 21

Once you finish the acl then apply it on the inside interface with this command below.

access-group inside-acl in int inside

-KS

931
Views
0
Helpful
17
Replies