topic class inspection_default in Network Security

class inspection_default

Cisco Freak — Tue, 12 Mar 2019 07:53:35 GMT

HI experts,

I am wondering what's the specialty of the class-map class inspection_default

policy-map global_policy
class inspection_default

inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

I am not able to figure out how that class-map and the inspect command below that work together. 😞

Hi,

Aditya Ganjoo — Thu, 16 Jun 2016 03:02:56 GMT

Hi,

Its just the name of the class.

So when we create a policy-map we need to configure the class-map to match the conditions/traffic.

Here is an example:

policy-map <NAME>
class <CLASS1>
<feature1>
class <CLASS2>
<feature2>

By default ASA would have a class-map class inspection_default for matching the traffic and that is called under the default policy-map.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Yes, I understand that. I

Cisco Freak — Thu, 16 Jun 2016 03:48:02 GMT

Yes, I understand that. I have seen that class-map inspection_default is matching default-inspection-traffic. Can you please share more info about default-inspection-traffic?

I have see the config of default-inspection-traffic as follows:

default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
waas------tcp--1-65535 xdmcp-----udp--177

I am not able to understand what does this mean. Does this mean all these protocols are inspected by default? How the inspection works with default policy.

Any help would be appreciated

Cisco Freak — Thu, 16 Jun 2016 16:59:01 GMT

Any help would be appreciated.

Hi,

Aditya Ganjoo — Thu, 16 Jun 2016 23:54:16 GMT

Hi,

Yes you are correct.

By default these protocols are inspected by the ASA and these are the ports that are inspected for the concerned traffic.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

The default-inspection

Cisco Freak — Fri, 17 Jun 2016 16:00:04 GMT

The default-inspection-traffic list show ICMP too, does that also inspected? This is confusing me.

When I tested in lab, I had to manually specify the ICMP inspect command in policy-map.

Re: Yes, I understand that. I

ramserv — Mon, 11 May 2020 18:13:17 GMT

class-map inspection_default
match default-inspection-traffic

here you label the traffic(ftp, dns, tftp and so on) as "inspection_default"

after this with policy-map you tel what to do with that traffic

guess what inspect

if you look at in policy-map inspect icmp is missing (that is why ping won't work)

if you add inspect icmp after :

policy-map global_policy
class inspection_default

inspect icmp

icmp will go from higher security level to lower security level and back, but...

icmp originating from lower security level interface will not pass the firewall to the higher sec level

Re: Yes, I understand that. I

ramserv — Mon, 11 May 2020 18:16:26 GMT

if let's say instead inspect we add an icmp acl and group that acl on interface outside in
we let icmp two flow from lower level to higher levele