topic Queries on ASA Inspection in Network Security

Queries on ASA Inspection

yogesh.suryawanshi — Tue, 12 Mar 2019 00:08:50 GMT

Hi,

We do have many default inspections in ASA firewall but wondering what all those mean? what each can do if configured & what can miss if not.

can someone please help to understand the same & guide if document of url details about same

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

message-length maximum client auto

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect dns

policy-map http-mapl

class http-mapl

set connection advanced-options mss-map

service-policy global_policy global

Thanks in advance

Reagrds

Yogesh

Queries on ASA Inspection

Harish Balakrishnan — Mon, 15 Oct 2012 10:27:46 GMT

Hello Yogesh,

Basically inspection required for the protocols/services that insert IP information inside the datagram.. or it open secondary data patch using dynamic ports othern than the normal defined port.. if inspection is enabled in these situations, ASA would be able to do a deep packet lookup and able to undertsand the packet flow and take a decision to forward/block.

the following links provide you an insight of this

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html#wp1114851

regards

Harish

Queries on ASA Inspection

yogesh.suryawanshi — Mon, 15 Oct 2012 11:15:41 GMT

Thanks Harish.

Link provided will help in customising the MPF - policies. I am very much in need of understand of what is done by each default L3/L4 inspecttion on firewall.

Let me come to point why i am asking , last week you had help me to understand behaviour of sql inspection which resets packet if size / window goes above 16000 & to resovle the issue we need to bypass that particular traffic flow from inspections.

Like that , i would proactively like to know what are significance of each inspect , their own features or capabilities..

inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

Appricaite your help

Regards

Yogesh

Queries on ASA Inspection

Julio Carvajal — Mon, 15 Oct 2012 17:46:17 GMT

Hello Yogesh,

Explain all of them will require a lot of time but I will provide you the fundamentals of why we need them!!

There are several protocols that negotiate via a control channel a data channel ( Like FTP) so the question is, for a firewall how can we open this data channel dynamically without user intervention or configuration?? The answer is by inspecting the control channel protocol.

Other protocols that need to open secondary channels are SIP,h323,etc. So you will need to have their inspection as well.

Know for protocols like TFTP,SMTP, Why do we need them?

This will provide granularity to our firewall rules as the ASA will determine based on RFC standards or custom actions if traffic related to a particular protocol should be allowed or not.

As an example with the esmtp inspection, the ASA will be able to allow some SMTP sessions based on specific commands,etc.

Hope this helps

Any other question..Sure..Just remember to rate all of my answers.

Julio