topic Re: Why inspect command is disable by default on PIX 7.x in Network Security

Why inspect command is disable by default on PIX 7.x

snakayama — Mon, 11 Mar 2019 10:22:20 GMT

Hi everyone,

I have a question about fixup (PIX 6.x) and inspect (PIX 7.x) command because our customer asked us the following question;

- why inspect command replaced from fixup command is disabled by default on ASA 7.2/PIX 7.x ?

and

- Do we have to configure inspect command explicitly even if it is disabled by default ?

however I can not clear it. So I posted this question here.

In PIX 7.0, the fixup command has been deprecated and replaced with the inspect command under the Modular Policy Framework (MPF) infrastructure.

I understand that In PIX 6.x, fixup command is enabled by default, however In ASA 7.2, inspect and fixup command are disabled by default. Why I say so is when I configured brand new ASA 5500 version 7.2, I could not find the following MPF commands related to application inspection from the output of show runn command on ASA 7.2.

class-map xxxx

policy-map yyyy

class xxxx

inspect "protocol"

Please note that I think that the Firewall service of ASA 7.2 is the same as the one of PIX 7.x.

So I assume that inspect command is disabled by default also on PIX 7.x.

Unfortunately, I can not prepare PIX 7.x and can not confirm whether inspect command is enabled or disabled by default on PIX 7.x.

I think why inspect command replaced from fixup command is disabled by default on ASA 7.2/PIX 7.x is due to the following reasons.

- Allows Selective application control based on MPF infrastructure

- Allows to configure Firewall/QoS policy per interface basis whereas fixup command could be configured globally

And I think we should or we have to configure necessary inspect command to do application inspect, though it is disabled by default and it may differ according to the application used.

Is my idea suitable ?

Your any comment would be appreciated.

Best regards,

Re: Why inspect command is disable by default on PIX 7.x

cpembleton — Wed, 30 May 2007 11:30:04 GMT

The default for 7.x is for a basic global

inspection policy to be turned on. Although I have seen some Cisco gear shipped with a different config then the normal default. There is a way to get the actual default config.

-Backup current config

-write erase

-conf t

-clear config all

If you don't see any inspection policy configured then it is off.

Application inspection guide:

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080640337.html

This should be the default:

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

Thanks,

Chad

Please rate if helpful.

Re: Why inspect command is disable by default on PIX 7.x

srue — Wed, 30 May 2007 14:46:41 GMT

i just wanted to add a note to this thread...

i'm not sure what the difference is between factory shipped v/s default configuration...

'factory shipped' configuration is easy enough to understand, but is that the default configuration?

if I do a "wr erase" in 7.x and reboot, i have no inpsect commands, so is that the default?

Re: Why inspect command is disable by default on PIX 7.x

cpembleton — Wed, 30 May 2007 15:07:59 GMT

According to the Cisco doc the default includes a global inspection policy.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a0080640337.html#wp1383691

However, the last few devices I have bought came with a different config then the actual default. And when I erased that I had what should be the default.

I have a test pix running 7.x and I will see what that has as the default.

Thanks,

Chad

Re: Why inspect command is disable by default on PIX 7.x

cpembleton — Thu, 31 May 2007 11:57:33 GMT

I did a wr erase. Rebooted and said no to the automated prompts. I attached the default config which includes the default global inspection policy.

Thanks,

Chad

Re: Why inspect command is disable by default on PIX 7.x

snakayama — Fri, 01 Jun 2007 03:22:45 GMT

Hi,

Thank you very much for your reply and lab work.

I have also tested in my lab with PIX 7.2.2 and ASA 7.2.2. And I got the same result on PIX and ASA as you.

I executed "write erase" command on PIX 7.2.2 and ASA 7.2.2 to get them backed to default configuration and then rebooted them. The following is the result of "sh runn" command after rebooted.

----------

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

----------

Next I executed "clear config all" at configuration mode on both and then confirmed whether inspect command enabled (appeared) from "sh runn" command.

The result was the same as above, because "clear config all" command get running-config backed to factory shipped configuration not startup-config.

However brand new ASA 7.2.2 does not enable inspect command.

I do not know why factory shipped configuration (brand-new configuration) and default configuration are different about the inspect command, however I could understand what kind of case make the inspect command enabled.

Thank you very much for your assistance.

Best regards,

Re: Why inspect command is disable by default on PIX 7.x

PAUL GILBERT ARIAS — Sat, 29 May 2010 03:11:34 GMT

The command "clear configure fixup" will bring back the FPM. Try that.