Re: ip inspection rules - how useful can be this command and how
Inspection can be a VERY useful feature and often needed for protocols that require secondary connections - i.e., a primary connection is used for the "control channel" to open secondary connections. Some protocols that match this description are: FTP, H323, SIP, Skinny, etc. These last three are very commonly used for Voice and Media applications.
The benefit of inspection is a user can permit only the primary connection via an access-list. The ASA will "inspect" the traffic and automatically create "pinholes" to allow the secondary connections - opening the requisite ports ONLY. Without inspection, in order to get the same applications/protocols (as mentioned above) to work correctly, a user would need to open up the access-list MUCH wider - sometimes allowing all ports > 1024 into the network. This can create a HUGE hole in the network, whether or not the application is actively using these ports, making your network increasingly vulnerable to an attack.
A second purpose of inspection is to perform Deep Packet Inspection. This feature will allow the ASA to report and/or prevent certain protocol behavior. For instance, some inspection behavior will limit the commands that can be used within the protocol ('inspect esmtp' is one example) or provide added insight as to the connection ('inspect http' will report the URL accessed). If NAT is involved, the ASA can modify any IP addresses at the protocol/application level to adjust for the NAT/PAT - again, protocols with secondary connections will sometimes require this.
The following link, on leveraging the "Modular Policy Framework", provides guidance on using 'inspection'.
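As an added illustration (not code from the post or from Cisco), the toy Python model below shows what the post calls a pinhole: the inspector reads the FTP control channel and admits only the exact data connection it announces, beside the "all ports > 1024" access-list the post describes as the alternative. The class and function names, the constructed addresses and the one-shot pinhole behaviour are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Control-channel messages that announce a secondary (data) connection.
# Active mode: client sends "PORT h1,h2,h3,h4,p1,p2" and the server connects back;
# passive mode: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    """Turn the six FTP address octets into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def wide_acl_permit(dst_port):
    """The no-inspection workaround the post describes: control port plus every port > 1024."""
    return dst_port == 21 or dst_port > 1024

@dataclass
class FtpInspector:
    """Static ACL permitting only TCP/21, plus pinholes learned from the control channel (toy model)."""
    control_port: int = 21
    pinholes: set = field(default_factory=set)   # entries: (initiator_ip, dst_ip, dst_port)

    def inspect_control(self, client_ip, server_ip, line):
        """Read one control-channel line; open a pinhole only for the exact announced endpoint."""
        m = _PORT_RE.match(line)
        if m:  # active mode: the server will initiate towards the client
            ip, port = _decode(m.groups())
            if ip == client_ip and port > 1023:  # announced host must be the client itself
                self.pinholes.add((server_ip, ip, port))
                return (server_ip, ip, port)
            return None
        m = _PASV_RE.match(line)
        if m:  # passive mode: the client will initiate towards the server
            ip, port = _decode(m.groups())
            if ip == server_ip and port > 1023:  # announced host must be the server itself
                self.pinholes.add((client_ip, ip, port))
                return (client_ip, ip, port)
        return None

    def permit(self, src_ip, dst_ip, dst_port):
        """Admit the control channel, or one connection matching a pinhole, which is then closed."""
        if dst_port == self.control_port:
            return True
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)   # assumed: a pinhole is consumed by the connection it was opened for
            return True
        return False
```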