Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ip inspection rules - how useful can be this command and how I can use it?

ip inspection rules - how useful can be this command and how I can use it?

Thank you very much!

Cisco Employee

Re: ip inspection rules - how useful can be this command and how

Inspection can be a VERY useful feature and often needed for protocols that require secondary connections - ie a primary connection is used for the "control channel" to open secondary connections. Some protocols that match this description are: FTP, H323, SIP, Skinny, etc. These last three are very commonly used for Voice and Media applications.

The benefit of inspection is a user can permit only the primary connection via an access-list. The ASA will "inspect" the traffic and automatically create "pinholes" to allow the secondary connections - opening the requisite ports ONLY. Without inspection, in order to get the same applications/protocols (as mentioned above) to work correctly, a user would need to open up the access-list MUCH wider - sometimes allowing all ports > 1024 to be allowed into the network. This can create a HUGE whole in the network, whether or not the application is actively using these ports, making your network increasingly more vulnerable to an attack.

A second purpose of inspection is to perform Deep Packet Inspection. This feature will allow the ASA to report and/or prevent certain protocol behavior. For instance, some inspection behavior will limit the commands that can be used within the protocol ('inspect esmtp' is one example) or provide added insight as to the connection ('inspect http' will report the URL accessed). If NAT is involved, the ASA can modify any IP addresses at the protocol/application level to adjust for the NAT/PAT - again, protocols with secondary connections will sometimes require this.

The following link, leveraging "Modular Policy Framework" will provide guidance on using 'inspection'.