topic Re: inspect on firewall in Network Security

inspect on firewall

prashantrecon — Tue, 12 Mar 2019 00:32:00 GMT

Scenario 1

On new firewall following inspect command are as follows.

Assume there is no access-list on firewall..so now all the traffic related to below protocols will be allowed to flow from

inside to outside as well as outside to inside.

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ils

inspect pptp

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect tftp

inspect ip-options

inspect http

Scenario 2

with the above inspect commands i have applied access-list on the outside interface. And i have allowed client vpn ip.

Now my question is now any traffic which is related to above protocol such as http will be allowed or blocked?

from outside to inside .

Re: inspect on firewall

Jouni Forss — Tue, 04 Dec 2012 13:32:55 GMT

Hi,

The inspect configurations themselves don't generally deny/allow traffic. Some common inspect settings like ftp/icmp make it alot easier to allow the return traffic of the said connections though.

With FTP it helps allowing the Data connection and with ICMP the Echo-reply messages get through without access-list statements.

IF you have not configured no ACLs on the ASA, traffic is allowed always from High Security-level interface to Low Security-level interface. Other way is blocked. As soon as you configure an ACL to one interface you will have to Allow specific traffic that you need to go through the firewall otherwise if no matching rules is found the traffic gets blocked.

Also a connection that has been permitted by the ASA has its return traffic allowed also naturally. This is different from router ACLs where you possibly have to take into account both directions of one connection.

- Jouni

Re: inspect on firewall

Jouni Forss — Tue, 04 Dec 2012 13:39:20 GMT

And also regarding the VPN connections

Generally/By default connections coming through a VPN Client connection to/through the Firewall are always allowed.

This behaviour can be changed with a command. This command will change the operation related to the above and require ACL rules to be made to the Outside interface like with any connection coming through the interface

The command format for newer ASA software is:

sysopt connection permit-vpn = Connections coming through VPN bypass outside interface ACL (This command doesnt show on the running-config as its a default setting)

no sysopt connection permit-vpn = Connections coming through VPN need ACL rule on the outside interface ACL

- Jouni

inspect on firewall

prashantrecon — Tue, 04 Dec 2012 18:37:26 GMT

Thanks jouni,