topic it doesnt need any route. im in Network Security

policy map with any inpect command

qnetechinfo — Tue, 12 Mar 2019 07:39:32 GMT

hi everyone

i have this configuration on asa:

hostname(config)#policy-map global_policy
hostname(config-pmap)#class inspection_default
hostname(config-pmap-c)#exit

hostname(config)#service-policy global_policy global

by without any inspect command,asa allows tcp traffic.why?

Without seeing the rest of

Marius Gunnerud — Fri, 22 Apr 2016 17:59:40 GMT

Without seeing the rest of your configuration it is a little difficult to determine...but i suspect that you have ACLs allowing the traffic.

Please remember to select a correct answer and rate helpful posts

here are the configurations:

qnetechinfo — Sat, 23 Apr 2016 14:07:57 GMT

here are the configurations:

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif IN
security-level 80
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif OUT
security-level 20
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network CL
host 192.168.1.2
object network PL1
host 10.1.1.10
object network S1
host 10.1.1.2
object network S2
host 10.1.1.3
object network PL2
host 10.1.1.20
access-list ANY extended permit ip any any
access-list BB extended permit ip any any
access-list OUT extended permit ip any any
pager lines 24
mtu IN 1500
mtu OUT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map ANY
match access-list ANY
!
!
policy-map ANY
class ANY
!
service-policy ANY global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:2004eb31534187f7c5ff8403b615714e
: end

with ASDM we cannot create a policy like this:

class-map ANY
match access-list ANY
!
!
policy-map ANY
class ANY

we have to inspect something. but with commands we can. and when we dont inspect anything, it allows tcp. why?

Have you left out some

Marius Gunnerud — Sat, 23 Apr 2016 15:00:29 GMT

Have you left out some configuration? amongst other things you are missing routing configuration.

Please remember to select a correct answer and rate helpful posts

it doesnt need any route. im

qnetechinfo — Sat, 23 Apr 2016 15:40:25 GMT

it doesnt need any route. im testing it on a lab. you can do it by yourself. assume that we have a policy map like this:

class inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

service-policy global_policy global

this policy map allows http or dns traffic but not icmp traffic. why?

Just because you have removed

Marius Gunnerud — Sun, 24 Apr 2016 12:30:16 GMT

Just because you have removed all the inspection commands doesn't mean you have turned off the stateful inspection in the firewall. The flow going from inside to outside will still go through all the checks and placed in the state table. So as long as the flow remains the same (ie. destination porte from inside to outside, source port from outside to inside) the packet will be allowed. But for protocols that use different source ports for replies (ie. ICMP) these packets will be dropped since the ASA can not match the return traffic to an existing flow without the packet being inspected.

Please remember to select a correct answer and rate helpful posts