05-16-2019 07:51 PM
Hello everyone,
I have a question about inspection on ASA:
- I have 2 routers connected to 2 inside interfaces of the ASA (R1 connected to inside1 and R2 connected to inside2)
- Inside1 has a security level of 100 and inside2 has a security level of 80
- Then I create an access-list as below:
access-list inspect_traffic_from_1_to_2 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
class-map inspection_default
 match access-list inspect_traffic_from_1_to_2
My question is: why can R1 SSH to R2 without inspecting SSH in global_policy?
Thank you so much!
05-16-2019 08:24 PM
Without seeing your complete configuration, it is hard to say.
Based on what you have shared, inside 1 hosts would be able to initiate communications to inside 2 hosts because traffic is allowed from higher security (inside 1 = 100) to lower security (inside 2 = 80) interfaces by default. Whether or not you inspect (mainly used to verify protocol conformance for supported protocols) has nothing to do with that behavior.
05-16-2019 08:26 PM
Hi,
The inspection engines in the global_policy are for applications that embed IP addresses in the user data packet or open secondary channels. SSH does not embed IP addresses, nor does it open secondary channels. Therefore, SSH does not need an inspection engine (i.e. deep packet inspection).
Thanks
John
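To make the two answers concrete, here is an added ASA configuration fragment (not from the original thread) that puts the poster's ACL and class-map in context: the class-map only selects which traffic the inspect actions apply to, while permission for inside1-to-inside2 traffic comes from the security levels unless an interface ACL is applied. Interface names, IP addresses, the inspect actions and the ACL name INSIDE1_IN are assumed for illustration.

```cisco
! Interface security levels as described in the thread (addresses assumed)
interface GigabitEthernet0/1
 nameif inside1
 security-level 100
 ip address 172.16.1.254 255.255.255.0
interface GigabitEthernet0/2
 nameif inside2
 security-level 80
 ip address 172.16.2.254 255.255.255.0
!
! The poster's ACL and class-map. This ACL is never applied with access-group,
! so it does not permit or deny anything; it only scopes inspection.
access-list inspect_traffic_from_1_to_2 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
class-map inspection_default
 match access-list inspect_traffic_from_1_to_2
!
! Inspection engines (examples assumed) apply only to the matched traffic.
! They check protocol conformance and handle embedded addresses/secondary
! channels; there is no "inspect ssh" because SSH needs neither.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns
service-policy global_policy global
!
! With no access-group on inside1, traffic from security level 100 to 80 is
! permitted by default, so R1 can SSH to R2 whatever the policy-map says.
! To restrict SSH between the two segments, an interface ACL is required:
access-list INSIDE1_IN extended deny tcp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0 eq 22
access-list INSIDE1_IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group INSIDE1_IN in interface inside1
```

Once INSIDE1_IN is applied, the SSH attempt is denied by the interface ACL and logged as an ACL drop, while FTP and DNS between the same segments continue to be both permitted and inspected.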