ASA 5520 Application Inspection: purpose?

dan
Level 1

Hi,

I am a complete newbie to the world of Cisco firewalls. My company is moving from another firewall vendor to a Cisco ASA 5520. I am now trying to teach myself Cisco IOS and ASA 5520 administration skills. I'm going through a Cisco Press ASA book as well as the available ASA 5500 Series Config Guides.

I am trying to figure out the purpose of Application Inspection. For example the ASA 5500 Series Configuration Guide has this example:

hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect

If I am reading this correctly this would set up an ACL with two ACEs. One to permit traffic from any source to any destination on port 21. The next ACE allows traffic on port 1056. It then creates a new class-map called new_inspection and associates that class map with the ACL.

But what will this do? What is the purpose of setting up the class map?

Any information greatly appreciated.

Thanks,

Dan

1 Reply

varrao
Level 10

Hi Dan,

You just have got half the picture. Whenever you create a class-map, you are just identifying the traffic on which action needs to be taken. The access-list that you see is just to match the traffic, not to allow or deny the traffic. This is a part of creating a policy on the ASA: you first create an ACL, match the ACL in the class-map, call the class-map in the policy-map and apply the policy on ASA interfaces.

This is the main difference between a firewall and other devices like routers and switches. A firewall does a stateful inspection of the packets for a specific traffic defined in these policies. What it means is, the ASA inspection engine is required for services that embed sip in the data packets so that the ASA is able to identify correctly that it is a part of a legit connection, or for applications that open a secondary data channel for communication, like passive ftp.

The policy framework on ASA is also used for other things like tcp-maps and tcp state bypass (if you do not want the firewall to check the state of the packet, and other similar things).

It is difficult for me to summarize everything here, so I would suggest you start from the basics in these docs:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/inspect_overview.html

Security policy overview:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/configuration/guide/intro.html#wp1044387

Hope that helps.

Thanks,

Varun

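The four-step chain described in the reply (ACL, class-map, policy-map, service-policy), written out as one complete ASA configuration. This is an added illustration, not part of the thread or of the Cisco configuration guide: only the ACL and class-map lines come from the question, while the policy-map name `outside_policy` and the interface name `outside` are assumed here.

```cisco
! Step 1: the ACL only identifies traffic (TCP/21 and TCP/1056 as in the question);
! it does not permit or deny anything by itself.
access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
!
! Step 2: the class-map selects the traffic by matching that ACL.
class-map new_inspection
 match access-list ftp_inspect
!
! Step 3: the policy-map attaches an action to the class.
! Here the action is FTP application inspection, which lets the ASA read the
! PORT/PASV commands and open the secondary data channel only for this session.
! (policy-map name is assumed for this example)
policy-map outside_policy
 class new_inspection
  inspect ftp
!
! Step 4: the service-policy binds the policy to an interface.
! Until this line exists, steps 1-3 have no effect on traffic.
! (interface name is assumed for this example)
service-policy outside_policy interface outside
!
! Verification: confirm the policy is attached and the class is matching packets.
show service-policy interface outside
show conn
```

Without step 3 and step 4 the class-map from the question is inert, which is why the guide's fragment appears to do nothing on its own. The custom class is also what makes the non-standard port 1056 inspected at all: the ASA's default global policy inspects FTP only on the standard port 21, so FTP running elsewhere would otherwise have its data channel blocked by the stateful inspection the reply describes.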