10-20-2011 08:21 AM - edited 03-11-2019 02:40 PM
Hi,
I am a complete newbie to the world of Cisco firewalls. My company is moving from another firewall vendor to a Cisco ASA 5520. I am now trying to teach myself Cisco IOS and ASA 5520 administration skills. I'm going through a Cisco Press ASA book as well as the available ASA 5500 Series Config Guides.
I am trying to figure out the purpose of Application Inspection. For example the ASA 5500 Series Configuration Guide has this example:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
If I am reading this correctly this would set up an ACL with two ACEs. One to permit traffic from any source to any destination on port 21. The next ACE allows traffic on port 1056. It then creates a new class-map called new_inspection and associates that class map with the ACL.
But what will this do? What is the purpose of setting up the class map?
Any information greatly appreciated.
Thanks,
Dan
10-20-2011 08:56 AM
Hi Dan,
You just have got half the picture. Whenever you create a class-map, you are just identifying the traffic on which action needs to be taken. The access-list that you see is just to match the traffic, not to allow or deny the traffic. This is a part of creating a policy on the ASA: you first create an ACL, match the ACL in the class-map, call the class-map in the policy-map and apply the policy on ASA interfaces.
This is the main difference between a firewall and other devices like routers and switches. A firewall does a stateful inspection of the packets for specific traffic defined in these policies. What it means is, the ASA inspection engine is required for services that embed IP in the data packets so that the ASA is able to identify correctly that it is a part of a legit connection, or for applications that open a secondary data channel for communication, like passive FTP.
The policy framework on the ASA is also used for other things like tcp-maps and TCP state bypass (if you do not want the firewall to check the state of the packet, and other similar things).
Difficult for me to summarize everything here, so I would suggest you start from the basics in these docs:
Security policy overview:
http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/intro.html#wp1044387
Hope that helps.
Thanks,
Varun
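To tie the four steps of the answer above together, here is the complete Modular Policy Framework chain that the config guide snippet from the question belongs to. This is an added illustration, not text from either post or from the Cisco guide: the ACL and class-map lines are the ones quoted in the question, while the policy-map name ftp_policy and the interface name outside are assumed placeholders. The ACL only classifies traffic; it is the inspect action in the policy-map, applied with service-policy, that makes the ASA track the FTP control channel and open the data channel pinholes that a plain stateful rule could not predict.

```cisco
! 1. Classify: ACL used only for matching, not for permit/deny
access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
! 2. Class-map: name the traffic the ACL matched
class-map new_inspection
 match access-list ftp_inspect
! 3. Policy-map: attach an action (FTP inspection) to that class
!    ftp_policy is an assumed name for this example
policy-map ftp_policy
 class new_inspection
  inspect ftp
! 4. Service-policy: activate the policy on an interface
!    "outside" is an assumed interface name
service-policy ftp_policy interface outside
!
! Verification: confirm the policy is active and see inspection counters
show service-policy interface outside
! Confirm the data-channel connections the inspector opened for a session
show conn protocol tcp port 21
```

Without the policy-map and service-policy steps, the class-map by itself changes nothing: the ACL and class-map are only a selector. Note also that "inspect ftp" applied to a class matching a non-standard port (1056 here) is exactly how you tell the ASA to treat that port as FTP control traffic; a default global policy inspects FTP on port 21 only.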