inspect on firewall

prashantrecon
Level 1

Scenario 1

On a new firewall the inspect commands are as follows.

Assume there is no access-list on the firewall, so now all the traffic related to the protocols below will be allowed to flow from inside to outside as well as outside to inside.

  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ils
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect ip-options
  inspect http

Scenario 2

With the above inspect commands, I have applied an access-list on the outside interface, and I have allowed the client VPN IP.

Now my question is: will any traffic related to the above protocols, such as HTTP, be allowed or blocked from outside to inside?

3 Replies

Jouni Forss
VIP Alumni

Hi,

The inspect configurations themselves don't generally deny/allow traffic. Some common inspect settings like ftp/icmp make it a lot easier to allow the return traffic of the said connections though.

With FTP it helps allowing the Data connection and with ICMP the Echo-reply messages get through without access-list statements.

If you have not configured any ACLs on the ASA, traffic is always allowed from a high security-level interface to a low security-level interface. The other way is blocked. As soon as you configure an ACL on one interface you will have to allow the specific traffic that you need to go through the firewall; otherwise, if no matching rule is found, the traffic gets blocked.

Also, a connection that has been permitted by the ASA naturally has its return traffic allowed too. This is different from router ACLs, where you possibly have to take into account both directions of one connection.

- Jouni

And also regarding the VPN connections

Generally/By default connections coming through a VPN Client connection to/through the Firewall are always allowed.

This behaviour can be changed with a command. This command will change the operation related to the above and require ACL rules to be made on the Outside interface, like with any connection coming through the interface.

The command format for newer ASA software is:

  • sysopt connection permit-vpn = Connections coming through VPN bypass the outside interface ACL (this command doesn't show in the running-config as it is the default setting)

  • no sysopt connection permit-vpn = Connections coming through VPN need an ACL rule in the outside interface ACL

- Jouni
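The rules Jouni lays out above, as an added example that is not part of the thread: a small Python model of the ASA forwarding decision (security levels without an ACL, ACL on the ingress interface, stateful return traffic, and the sysopt connection permit-vpn bypass), run against the two scenarios in the question. Interface names, addresses, the exact-match ACL entries and the absence of NAT are assumptions; inspection is left out of the model because, as the reply says, it neither permits nor denies on its own.

```python
from dataclasses import dataclass, field

@dataclass
class Asa:
    """Toy model of the ASA forwarding decision described in the thread (assumption: no NAT,
    exact-match ACL entries, inspection ignored because it does not permit or deny by itself)."""
    levels: dict                                # interface -> security level, e.g. inside=100, outside=0
    acls: dict = field(default_factory=dict)    # ingress interface -> permit entries; absent = no ACL
    permit_vpn: bool = True                     # 'sysopt connection permit-vpn' (the default)
    conns: set = field(default_factory=set)     # connection table for stateful return traffic

    def _acl_permits(self, iface, proto, src, dst, dport):
        # Each entry is (proto, src, dst, dport); "any" is a wildcard. No match = implicit deny.
        return any(p in (proto, "ip") and s in (src, "any") and d in (dst, "any") and dp in (dport, "any")
                   for p, s, d, dp in self.acls[iface])

    def permits(self, ingress, egress, proto, src, sport, dst, dport, via_vpn=False):
        """Decide a packet entering 'ingress' bound for 'egress'; records permitted new flows."""
        # Return traffic of an already permitted connection needs no ACL entry.
        if (proto, dst, dport, src, sport) in self.conns:
            return True
        if via_vpn and self.permit_vpn:
            allowed = True                                          # VPN traffic bypasses the interface ACL
        elif ingress in self.acls:
            allowed = self._acl_permits(ingress, proto, src, dst, dport)
        else:
            allowed = self.levels[ingress] > self.levels[egress]    # no ACL: high -> low only
        if allowed:
            self.conns.add((proto, src, sport, dst, dport))
        return allowed


def scenario_1():
    """No ACL at all: inside can reach outside; outside cannot initiate to inside (constructed addresses)."""
    asa = Asa(levels={"inside": 100, "outside": 0})
    out = asa.permits("inside", "outside", "tcp", "10.1.1.10", 40000, "203.0.113.5", 80)
    back = asa.permits("outside", "inside", "tcp", "203.0.113.5", 80, "10.1.1.10", 40000)
    unsolicited = asa.permits("outside", "inside", "tcp", "198.51.100.7", 50000, "10.1.1.10", 80)
    return out, back, unsolicited          # (True, True, False)


def scenario_2(permit_vpn=True):
    """ACL on outside permitting only the VPN client IP for HTTP; other inbound traffic is dropped."""
    asa = Asa(levels={"inside": 100, "outside": 0},
              acls={"outside": [("tcp", "192.168.50.10", "10.1.1.10", 80)]},
              permit_vpn=permit_vpn)
    other_http = asa.permits("outside", "inside", "tcp", "198.51.100.7", 50000, "10.1.1.10", 80)
    vpn_http = asa.permits("outside", "inside", "tcp", "192.168.50.10", 50001, "10.1.1.10", 80)
    vpn_ssh = asa.permits("outside", "inside", "tcp", "192.168.50.10", 50002, "10.1.1.10", 22, via_vpn=True)
    return other_http, vpn_http, vpn_ssh   # default: (False, True, True); no permit-vpn: (False, True, False)
```

With the default setting the tunnelled SSH flow is allowed even though the outside ACL only permits HTTP; after `no sysopt connection permit-vpn` it must match the ACL like any other inbound flow.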

Thanks Jouni,
