topic ASA 5500 model default setting in Network Security

ASA 5500 model default setting

alan-wong — Tue, 12 Mar 2019 03:41:55 GMT

Dear All, I saw below default configuration showed in my new 5505 and 5515 ASA. May i know what is the function of those configuration and does it command affecting of my ASA firewall?

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

ASA 5500 model default setting

Jouni Forss — Fri, 07 Feb 2014 11:54:30 GMT

Hi,

To my understanding the Inspections purpose is both enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain type of connections.

The most common ones in constant use would probably be (for me atleast)

ICMP Inspection (not enabled by default) which helps you allow ICMP through the firewall and automatically allow the ICMP Echo reply back without allowing it through the firewall in a separate ACL. It also makes sure that only valid ICMP return messages are allowed through the firewall
DNS Inspection sets some parameters for the DNS traffic and also makes sure that only one DNS reply is allowed through the firewall. Its also needed you are going to use the "dns" parameter in the NAT configurations to enable ASA so a DNS rewrite.
FTP Inspection enables the ASA to automatically allow the FTP Data connections which are created in addition to the initial Control connection. Therefore you dont need to allow anything but the FTP Control connection (TCP/21) to form through the firewall and the ASA will use the FTP Inspection to automatically allow through the Data connection that will be formed.

For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide

Here is a link to the Command Reference and the different "inspect" commands

http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html

Here is a section in the Configuration Guide about inspections

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html

I have not even fully read them myself.

Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.

- Jouni

ASA 5500 model default setting

alan-wong — Sat, 08 Feb 2014 06:52:52 GMT

Thx Jouni

So, do we need "inspect http", i saw most of the ASA did not have "inspect http". I think this is also important, am I correct?

ASA 5500 model default setting

johnlloyd_13 — Mon, 10 Feb 2014 05:37:58 GMT

hi,

to my knowledge, HTTP inspection is disabled by default.

you can enable it under global policy if needed.

class inspection_default

inspect http