Cisco Support Community
New Member

default inspection policy on firewalls

Hi all, on Cisco ASAs etc. they have a default inspection for certain traffic. Why do they have this? Does it allow you to have certain traffic types traverse the firewall without creating an access list back in, i.e. FTP etc., as it goes out on 21 and comes back in on 20?

New Member

Re: default inspection policy on firewalls

The inspection lists perform a deeper look at traffic of certain protocols (stated in the list). They are only used once a packet has gone through the access policy, so it is not a policy that will allow traffic by default. It is to prevent things masking as something else to get through a firewall.

For example, TCP port 2000 is the Skinny protocol for use with Cisco Voice. We used this port for another application that had nothing to do with voice. Although the handshake could take place through the firewall, no traffic could be passed because the inspection map was looking at the packets expecting voice traffic and seeing something else.

You can remove certain items in the inspection list or remove the list completely. This obviously reduces the security on the device though.


New Member

Re: default inspection policy on firewalls

Is there a class map for this, with a match-all access list?
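For reference, here is the shape of the ASA default global service policy that the replies above refer to (an added illustration, not posted by either participant; the exact list of `inspect` lines varies by ASA version, and the access-list name, port 2121 and class names in the second part are made up for the example). It shows the default class map, which matches on well-known ports rather than an access list, how the TCP 2000 problem from the first reply is handled by removing only the Skinny inspection, and how a class map with `match access-list` attaches an inspection to a non-standard port.

```text
! Default global policy as generated on an ASA (abbreviated).
! "match default-inspection-traffic" matches each protocol on its
! standard port, e.g. FTP on TCP/21 and Skinny on TCP/2000. There is
! no access list behind it; it is a built-in match criterion.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
! Applied to every interface; permit/deny is still decided by the
! interface ACLs before inspection ever sees the packet.
service-policy global_policy global
!
! Scenario from the first reply: a non-voice application on TCP/2000.
! Drop only the Skinny inspection and leave the rest of the defaults.
policy-map global_policy
 class inspection_default
  no inspect skinny
!
! Reply to the question above: a class map CAN match an access list.
! Example (hypothetical names): inspect FTP running on TCP/2121, which
! the default class would never match because 2121 is not the FTP port.
access-list FTP_ALT_PORT extended permit tcp any any eq 2121
class-map FTP_ALT_CLASS
 match access-list FTP_ALT_PORT
policy-map global_policy
 class FTP_ALT_CLASS
  inspect ftp
!
! Verify what is being inspected, and per-protocol packet counters.
show service-policy
show service-policy inspect ftp
```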
