ASA inspection question

robbo79871 (Level 1)

I want to make sure I get this because it's driving me a bit mad.

class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21   [it should be 80]
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http

This example is from Cisco's site, where they say "traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection". So does that mean that the firewall creates a dynamic ACL for HTTP? But how does that work with the destination port being port 21? This really confused me.

I'm also assuming that the purpose of the "inspect" command is to create a dynamic ACL, or an exception in the firewall, for all the traffic coming back into the network?

Again, I know it's a misconfiguration from Cisco's site, done on purpose to show what a misconfig looks like in regard to the inspect command, and they say "traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection".

If an FTP packet was received on port 21, that would trigger both class-maps; does the ASA then create a dynamic ACL for both src and dst addresses on ports 21 and 80? That would seem logical to me, but I'm not sure.

 

Also, doesn't a global service policy applied on every interface, or a service policy on the outside interface, mean that traffic coming into the outside interface from the internet is subject to that same inspection? Technically it does, doesn't it? So what's to stop you from having the service policy applied globally or to the outside, and then a packet comes into the outside interface with the outside IP as the destination IP and port 80 as the destination port, and is allowed in through inspection?

Zone pairs on normal Cisco routers made more sense to me (they aren't possible on the ASA, are they?) because you could join together your interfaces and give them policies, instead of having to assign the service policy to an interface on the ASA. How does this work and still stay secure?

 

Would you apply the service policy on the inside interface instead?

 

Would the traffic still be allowed back in when the return traffic reaches the outside interface? Is there a dynamic ACL in the ASA which has the user's source IP (private IP) and the destination IP (public IP), that is used after the retranslation has been done?

 

One more question: does an ACL on an outside interface "outrank" an inspection policy applied to the outside interface? Where the traffic is allowed through inspection but an ACL clashes with it, does the packet get stopped?

 

Thanks again

 

Cheers

1 Reply

Dennis Mink (VIP Alumni)

FTP inspection takes place AFTER the traffic is allowed through by an ACL. All FTP inspection does is cater for the crooked way FTP works, namely using port 21 and then port 20 for the actual data transfer.

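As an added illustration (not part of the original thread, and not Cisco's or the ASA's own code) of the point in the reply above: the control connection on port 21 is admitted by the ACL, and what "inspect ftp" then has to do is read the PORT commands and 227 replies on that control channel to learn where the separate data connection will go, so it can open a matching exception. The script below is a simplified model of that parsing. The Pinhole record, the use of source port 0 to mean "any", and the choice to refuse a PORT or 227 that names an address other than the control-channel endpoints (the FTP bounce pattern) are assumptions of this model, not a statement of how the ASA represents or enforces them internally. The sample session is constructed, with RFC 5737 documentation addresses.

```python
import re
from dataclasses import dataclass

# Constructed sample session (not a capture from the thread). The client at
# 192.0.2.10 holds the control connection to the server at 198.51.100.5:21.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"

CONTROL_CHANNEL = [
    ("client", "USER anonymous\r\n"),
    ("server", "331 Please specify the password.\r\n"),
    ("client", "PASS guest\r\n"),
    ("server", "230 Login successful.\r\n"),
    # Active mode: the client tells the server where to connect (4*256+1 = 1025).
    ("client", "PORT 192,0,2,10,4,1\r\n"),
    ("server", "200 PORT command successful.\r\n"),
    # Passive mode: the server tells the client where to connect (195*256+80 = 50000).
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (198,51,100,5,195,80).\r\n"),
    # A PORT naming an address other than the control-channel client: the
    # classic FTP bounce pattern, which this model refuses to open a hole for.
    ("client", "PORT 203,0,113,9,0,80\r\n"),
]


@dataclass(frozen=True)
class Pinhole:
    """One data-channel exception derived from the control channel.

    src_port 0 stands for "any": the firewall cannot know the ephemeral
    source port before the data connection is opened (assumption of this model).
    """
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    mode: str


PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the h1,h2,h3,h4,p1,p2 tuple of RFC 959 into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = nums
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), port


def pinholes_for_session(client_ip, server_ip, messages):
    """Walk the control channel and return (pinholes, rejected_commands)."""
    pinholes = []
    rejected = []
    for sender, line in messages:
        text = line.rstrip("\r\n")
        if sender == "client" and (m := PORT_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            if ip != client_ip:
                rejected.append(text)  # third-party address: do not open a hole
                continue
            # Active mode: the server connects from port 20 to the client's port.
            pinholes.append(Pinhole(server_ip, 20, client_ip, port, "active"))
        elif sender == "server" and (m := PASV_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            if ip != server_ip:
                rejected.append(text)  # server advertised some other address
                continue
            # Passive mode: the client connects from any port to the server's port.
            pinholes.append(Pinhole(client_ip, 0, server_ip, port, "passive"))
    return pinholes, rejected


def demo():
    """Run the model over the constructed session."""
    return pinholes_for_session(CLIENT_IP, SERVER_IP, CONTROL_CHANNEL)


if __name__ == "__main__":
    holes, dropped = demo()
    for h in holes:
        print("%-7s %s:%s -> %s:%d" % (h.mode, h.src_ip, h.src_port or "any",
                                       h.dst_ip, h.dst_port))
    for cmd in dropped:
        print("rejected: %s" % cmd)
```

Running it yields two pinholes, one for the active-mode data connection from 198.51.100.5:20 to 192.0.2.10:1025 and one for the passive-mode connection from 192.0.2.10 to 198.51.100.5:50000, and the bounce-style PORT is listed as rejected. The point for the thread: none of this replaces the interface ACL that admitted the port 21 connection; it only adds the narrowly scoped data-channel exception that the ACL on its own could not predict.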