02-07-2014 03:23 AM - edited 03-11-2019 08:41 PM
Dear All, I saw below default configuration showed in my new 5505 and 5515 ASA. May i know what is the function of those configuration and does it command affecting of my ASA firewall?
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
Solved! Go to Solution.
02-07-2014 03:54 AM
Hi,
To my understanding the Inspections purpose is both enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain type of connections.
The most common ones in constant use would probably be (for me atleast)
For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide
Here is a link to the Command Reference and the different "inspect" commands
http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html
Here is a section in the Configuration Guide about inspections
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html
I have not even fully read them myself.
Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.
- Jouni
02-07-2014 03:54 AM
Hi,
To my understanding the Inspections purpose is both enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain type of connections.
The most common ones in constant use would probably be (for me atleast)
For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide
Here is a link to the Command Reference and the different "inspect" commands
http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html
Here is a section in the Configuration Guide about inspections
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html
I have not even fully read them myself.
Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.
- Jouni
02-07-2014 10:52 PM
Thx Jouni
So, do we need "inspect http", i saw most of the ASA did not have "inspect http". I think this is also important, am I correct?
02-09-2014 09:37 PM
hi,
to my knowledge, HTTP inspection is disabled by default.
you can enable it under global policy if needed.
class inspection_default
inspect http
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide