1638 Views, 0 Helpful, 3 Replies

Default inspection on ASA 5520 (i.e. telnet)

David Krnjak
Level 1

Guys,

I have a relatively simple question; my head is in complete blockage and maybe I'm looking at the answer but I just don't see it.

My ASA has only the default inspection configured, nothing customized. What's giving me a hard time is the fact that if I try to open telnet from a PC that is connected on the inside interface of the ASA to a server connected on the outside interface, this telnet session gets established. I tried it, it does. So, in other words, I initiated a telnet session and the reply packet from outside reached me back, consequently the session is established. This is expected, right?

But how did the telnet reply reach me? Why? I cannot seem to find the telnet ports anywhere with an inspect policy. Can someone explain to me where, for instance, the telnet inspect rule is in the default config below?

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html#wp1536127

The topology would be: Telnet Server A - - - outside ASA - inside ASA - - - PC telnet client

Accepted Solution

amatahen
Cisco Employee

You need to understand the way firewalls work, and the job of Inspection.

In a nutshell, for traffic initiated from a Trusted to an Untrusted zone, traffic is allowed by default, and thanks to the stateful firewall, return traffic will pass through the firewall as well, bypassing the Outside-Interface Access-List.

-- If you need to change this default behavior, you will need to add an Inside interface access-list permitting the traffic you want to allow and denying the traffic that you want to deny, but you should be careful here since everything not matching this Access-list will be denied.

The inspection process looks at the layer 7 payload and you can do filtering based on that. It is usually needed where protocols negotiate dynamic random ports to continue communication without any interruption from the firewall; in this case, the firewall sends this traffic (internally) to the inspection engine, which understands the messages that are exchanged between both ends and, based on that, expects which messages should be received and on which communication ports.

Telnet is a basic TCP protocol, where clear text gets exchanged, and it communicates on a static predefined port.

HTH

AMATAHEN


3 Replies

Shaoqin Li
Level 3

Telnet is not inspected and is handled as normal TCP traffic.


I'm actually preparing for CCNA Sec and what I missed is "By default, the ASA enters stateful tracking information about packets that have been initially allowed through the firewall".

This is different than in ZBF, in which stateful inspection is not enabled by default; rather, you need to explicitly say "inspect this" and add it to the stateful database.
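The following is an added example, not code from the thread or from Cisco: a toy model of the stateful behaviour amatahen describes in the accepted answer and the ZBF contrast the poster draws above. It shows an inside-initiated Telnet session whose SYN/ACK comes back in through the connection table with no Telnet inspection rule at all, an unsolicited outside connection being dropped, the same exchange failing when no session entry is created, and an inside ACL with its implicit deny. All addresses, ports and packets are constructed sample values; the class and function names are the example's own.

```python
"""Toy model of a stateful firewall with an "inside" (trusted) and an "outside"
(untrusted) interface.  An inside-initiated Telnet session gets its reply packets
back because of the connection table, not because of a Telnet inspection rule.
All addresses, ports and packets are constructed sample values (RFC 5737 ranges),
not taken from a real device."""
from dataclasses import dataclass
from typing import Optional

TELNET = 23
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str  # interface the packet arrives on: "inside" or "outside"


class ToyStatefulFirewall:
    """stateful=False mimics a device that creates no session entry unless told
    to (the ZBF remark above); inside_acl is a list of (action, dport) entries,
    dport None meaning 'any', with an implicit deny at the end like a real ACL."""

    def __init__(self, stateful: bool = True,
                 inside_acl: Optional[list] = None) -> None:
        self.stateful = stateful
        self.inside_acl = inside_acl      # None -> default: allow inside -> outside
        self.conn_table = set()           # (src, sport, dst, dport) of open sessions

    def _inside_acl_permits(self, pkt: Packet) -> bool:
        if self.inside_acl is None:
            return True
        for action, dport in self.inside_acl:
            if dport is None or dport == pkt.dport:
                return action == "permit"
        return False                      # implicit deny: nothing matched

    def process(self, pkt: Packet) -> str:
        # Reply to a tracked session: allowed regardless of interface ACLs.
        reverse_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.stateful and reverse_key in self.conn_table:
            return "allow (existing connection)"
        if pkt.ingress == "inside":
            if not self._inside_acl_permits(pkt):
                return "deny (inside ACL)"
            if self.stateful:
                self.conn_table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow (inside -> outside)"
        # Outside-initiated traffic with no permitting rule is dropped.
        return "deny (no matching connection)"


# Constructed sample endpoints: PC on the inside, Telnet server on the outside.
PC, SERVER, PC_PORT = "192.0.2.10", "203.0.113.5", 40000
TELNET_SYN = Packet(PC, PC_PORT, SERVER, TELNET, "inside")
TELNET_SYNACK = Packet(SERVER, TELNET, PC, PC_PORT, "outside")


def default_config() -> tuple:
    """ASA-like default: no inside ACL, stateful tracking always on."""
    fw = ToyStatefulFirewall()
    return fw.process(TELNET_SYN), fw.process(TELNET_SYNACK)


def unsolicited_from_outside() -> str:
    """Same box, but the server tries to open Telnet to the PC first."""
    fw = ToyStatefulFirewall()
    return fw.process(Packet(SERVER, 50000, PC, TELNET, "outside"))


def without_state_tracking() -> tuple:
    """No session entry is created, so the SYN/ACK is dropped on return."""
    fw = ToyStatefulFirewall(stateful=False)
    return fw.process(TELNET_SYN), fw.process(TELNET_SYNACK)


def with_inside_acl(acl: list) -> tuple:
    """Inside ACL applied; returns the verdicts for Telnet and HTTP from the PC."""
    fw = ToyStatefulFirewall(inside_acl=acl)
    http_syn = Packet(PC, PC_PORT + 1, SERVER, HTTP, "inside")
    return fw.process(TELNET_SYN), fw.process(http_syn)


if __name__ == "__main__":
    print("default config:", default_config())
    print("unsolicited from outside:", unsolicited_from_outside())
    print("no state tracking:", without_state_tracking())
    print("deny telnet, permit rest:",
          with_inside_acl([("deny", TELNET), ("permit", None)]))
    print("deny telnet only (implicit deny):", with_inside_acl([("deny", TELNET)]))
```

The last case is the caveat from the accepted answer: an inside ACL containing only a deny line blocks HTTP as well, because everything that matches no entry falls through to the implicit deny.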

