Modifying ASA Global Policy - FTP Inspection -Impact

Hi, just two quick questions.

We have a L2 ASA on our network and we want to exempt FTP inspection for one specific communication between two devices. I suppose we can just create a new CLASS that matches an ACL with the relevant IP Addresses, and then add that CLASS to the Global Policy and exempt the FTP inspection.

1) Will this config work to exempt FTP inspection, just by using another CLASS alongside inspection_default?

access-list XY-ACL extended permit ip host X.X.X.X host Y.Y.Y.Y

class-map XY
 match access-list XY-ACL
 match default-inspection-traffic

policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  no inspect ftp
   ...
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp

....

2) What impact can we have by modifying the global policy? Will we drop any current TCP connections? Can we do it during business hours? We want to be sure if this change might cause any impact on the operation of the Firewall.

Appreciate any help.

Thanks!!!

Fabio

1 Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi Fabio,

You can create an access-list and match the traffic which you want to inspect; everything else would be exempted.

policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp

Secondly, when you change anything in the inspection configuration, existing sessions would not be impacted; only the new ones would be subject to the change.

Regards,

Aditya


Thanks a lot Aditya.

You say I should create an ACL matching the traffic that I want to inspect. So, is it possible just to do something like this? (denying the traffic I don't want to inspect)

access-list XY-ACL extended deny ip host X.X.X.X host Y.Y.Y.Y

access-list XY-ACL extended deny ip host Y.Y.Y.Y host X.X.X.X

access-list XY-ACL extended permit ip any any

Or do I have to better specify the networks? I'm always confused about ACL deny statements on class-maps.

Hi Fabio,

You can either use the deny statements or just match the traffic you want to inspect for FTP.

Either way it should work.

This would work as well:

access-list XY-ACL extended deny ip host X.X.X.X host Y.Y.Y.Y

access-list XY-ACL extended deny ip host Y.Y.Y.Y host X.X.X.X

access-list XY-ACL extended permit ip any any

Regards,

Aditya

Please mark helpful and correct answers.
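A small Python model of how an ASA class-map evaluates "match access-list" against the deny/permit ACL discussed in this thread. This is an added example, not code from the thread or from Cisco; the 10.x addresses are constructed stand-ins for X.X.X.X and Y.Y.Y.Y, and the parser only handles the "host", "any" and "address mask" forms used in extended ACLs.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACL in the deny/permit form from the thread.
# 10.1.1.10 and 10.2.2.20 stand in for the two exempted hosts.
XY_ACL = [
    "access-list XY-ACL extended deny ip host 10.1.1.10 host 10.2.2.20",
    "access-list XY-ACL extended deny ip host 10.2.2.20 host 10.1.1.10",
    "access-list XY-ACL extended permit ip any any",
]


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'host A', 'any' or 'A MASK' forms."""
    if tokens[i] == "host":
        return ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    # ASA extended ACLs use subnet masks (not wildcard masks).
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' into a dict."""
    tokens = line.split()
    action, proto = tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    dst, _ = _parse_addr(tokens, i)
    # Protocol is kept for completeness; every ACE on the page uses 'ip'.
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def class_matches(acl_lines, src_ip, dst_ip):
    """Emulate 'match access-list' in a class-map.

    The first ACE whose source and destination cover the packet decides:
    permit -> the traffic belongs to the class; deny -> it does not.
    No matching ACE is an implicit deny, so the class does not match.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.2.2.20"), ("10.1.1.10", "10.3.3.30")]:
        print(src, "->", dst, "in class XY:", class_matches(XY_ACL, src, dst))
```

Traffic the ACL denies simply does not belong to class XY, so the ASA goes on to evaluate it against the remaining classes in global_policy; the exempted pair therefore still reaches class inspection_default, and the FTP exemption only holds if inspect ftp is not configured there as well.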

Thanks for your post. A "clear xlate" should make the changes take effect immediately as this drops all current xlate entries and forces the ASA to rebuild them.
