Why is the inspect command disabled by default on PIX 7.x?
I have a question about the fixup (PIX 6.x) and inspect (PIX 7.x) commands, because our customer asked us the following questions:
- Why is the inspect command, which replaced the fixup command, disabled by default on ASA 7.2/PIX 7.x?
- Do we have to configure the inspect command explicitly, even though it is disabled by default?
However, I cannot clear this up, so I posted the question here.
In PIX 7.0, the fixup command was deprecated and replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure.
I understand that in PIX 6.x the fixup command is enabled by default, whereas in ASA 7.2 the inspect and fixup commands are disabled by default. I say so because when I configured a brand new ASA 5500 running version 7.2, I could not find the following MPF commands related to application inspection in the output of the show runn command on ASA 7.2.
Please note that I think the firewall service of ASA 7.2 is the same as that of PIX 7.x.
So I assume that the inspect command is also disabled by default on PIX 7.x.
Unfortunately, I cannot prepare a PIX 7.x and cannot confirm whether the inspect command is enabled or disabled by default on PIX 7.x.
I think the inspect command, which replaced the fixup command, is disabled by default on ASA 7.2/PIX 7.x for the following reasons:
- It allows selective application control based on the MPF infrastructure.
- It allows firewall/QoS policy to be configured on a per-interface basis, whereas the fixup command could only be configured globally.
And I think we should, or rather have to, configure the necessary inspect commands to do application inspection, since it is disabled by default, and the commands may differ according to the application used.
Re: Why is the inspect command disabled by default on PIX 7.x?
Thank you very much for your reply and lab work.
I have also tested in my lab with PIX 7.2.2 and ASA 7.2.2, and I got the same result on PIX and ASA as you.
I executed the "write erase" command on PIX 7.2.2 and ASA 7.2.2 to get them back to the default configuration and then rebooted them. The following is the result of the "sh runn" command after the reboot:
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
Next I executed "clear config all" in configuration mode on both and then confirmed whether the inspect command was enabled (appeared) in the "sh runn" output.
The result was the same as above, because the "clear config all" command gets the running-config back to the factory-shipped configuration, not the startup-config.
However, a brand new ASA 7.2.2 does not enable the inspect command.
I do not know why the factory-shipped configuration (brand-new configuration) and the default configuration differ regarding the inspect command; however, I now understand what kind of case makes the inspect command enabled.
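As an added check (example code written for this page, not from the thread or from Cisco), the script below parses ASA/PIX 7.x MPF configuration in the shape of the "sh runn" output above and reports which inspect statements are actually in force: those in the globally bound policy, those bound per interface, and those sitting in a policy-map that no service-policy references and therefore inspecting nothing. The sample configuration is constructed, not captured from a real device.

```python
import re

# Constructed "show running-config" excerpt in ASA/PIX 7.x MPF syntax: the
# default global_policy quoted in the post, plus one per-interface policy
# and one policy that is never bound (an assumption, not real device output).
SAMPLE_RUN = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
policy-map outside_policy
 class inspection_default
  inspect http
policy-map unused_policy
 class inspection_default
  inspect sip
service-policy global_policy global
service-policy outside_policy interface outside
"""

def parse_mpf(config):
    """Return (inspect lines per Layer 3/4 policy-map, binding point -> policy-map)."""
    policies, bindings, current = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented command ends any block
            current = None
            # "policy-map type inspect ..." has extra tokens, so it does not
            # match here: parameter maps are not traffic policies.
            m = re.match(r"policy-map (\S+)$", line)
            if m:
                current = m.group(1)
                policies[current] = []
            m = re.match(r"service-policy (\S+) (?:global|interface (\S+))$", line)
            if m:
                bindings[m.group(2) or "global"] = m.group(1)
        elif current is not None:
            m = re.match(r"\s+inspect (.+)$", line)
            if m:
                policies[current].append(m.group(1))
    return policies, bindings

def effective_inspections(config):
    """Inspections in force per binding point ('global' or an interface name);
    inspect lines in a policy-map nothing binds are reported under 'unbound'."""
    policies, bindings = parse_mpf(config)
    active = {point: policies.get(name, []) for point, name in bindings.items()}
    active["unbound"] = sorted(i for name, lines in policies.items()
                               if name not in bindings.values() for i in lines)
    return active
```

Run against the output of a brand new unit that has no policy-map at all, the result contains no "global" entry, which is the situation the post describes.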