Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8618
Views
20
Helpful
4
Replies

How to modify default ASA inspection policy on FTD image

p-natarajan
Level 1
Level 1

‎09-27-2016 07:00 PM - edited ‎02-21-2020 05:55 AM

Hello,

I am migrating ASA5512 from ASA image to FTD 6.0.1 image. Only Access control policy (no inspection policies in Firepower Management center)

using the diagnostic cli, notice inspection of h323 and sip which is default in ASA (see output below). Looking for a way to disable the inspections for h323 and sip in the global_policy. any one know how to do it, since our applications require h323 and sip inspections to be disabled

Thanks


> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

firepower> en
Password:
firepower# sh run
: Saved

: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
NGFW Version 6.0.1

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect dcerpc
!
service-policy global_policy global

1 person had this problem
0 Helpful
4 Replies 4

Ralph Rye
Level 1
Level 1

‎10-03-2016 09:58 PM

You will need to have TAC disable SIP or any other inspection.  They have a method to access a read/write LINA CLI.

BTW, there is a SIP inspection bug in FTD 6.1 / ASA 9.6.2 with failover that will cause a crash on FTD.

-Ralph

0 Helpful

Shaun Muller
Cisco Employee
Cisco Employee

‎04-05-2017 11:57 AM

can be done using the following at the > prompt

> configure inspection h323_h225 disable

Building configuration...

Cryptochecksum: 62645f43 73cf77ed aebb650c d92de394

4372 bytes copied in 0.290 secs

[OK]

jai_chandra2001
Level 1
Level 1
In response to Shaun Muller

‎06-16-2017 03:42 PM

Thanks Shaun,

I was able to disable the inspection on FTD 4120 v6.1.0.2. 

SSH into the 4120

>connect ftd

>configure inspection h323_h225 disable

and tested it with Avaya phones, it worked. Command automatically replicated to the standby unit as well without having the FMC re-deploy the configuration.

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-05-2017 08:52 PM

The user ability to do as Shawn suggests is known as FlexConfig - a feature that was added in 6.2

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card