cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

856
Views
10
Helpful
4
Replies
Highlighted

Modifying ASA Global Policy - FTP Inspection -Impact

Hi, just two quick questions.

We have a L2 ASA on our network and we want to exempt FTP inspection for one specific communication between two devices. I suppose we can just create a new CLASS that matches an ACL with the relevant IP Addresses, and then add that CLASS to the Global Policy and exempt the FTP inspection.

1) Will this config work to exempt FTP inspection?: Just by using another CLASS and the inspection_default?

access-list XY-ACL extended permit ip host X.X.X:X host Y.Y.Y.Y

class-map XY
 match access-list XY-ACL
 match default-inspection-traffic

policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  no inspect ftp
   ...
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp

....

2) What impact can we have by modifying the global policy? Will we drop any current TCP connections? Can we do it during business hours? We want to be sure if this change might cause any impact on the operation of the Firewall.

Appreciate any help.

Thanks!!!

Fabio

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Hi Fabio,

You can create an access-list and match the traffic which you want to inspect, rest everything would be exempted.

policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp

Secondly, when you change anything on the inspection existing sessions would not be impacted, only the new ones would be subject to the change.

Regards,

Aditya

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Hi Fabio,

You can create an access-list and match the traffic which you want to inspect, rest everything would be exempted.

policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp

Secondly, when you change anything on the inspection existing sessions would not be impacted, only the new ones would be subject to the change.

Regards,

Aditya

View solution in original post

Highlighted

Thanks a lot Aditya.

You say I should create an ACL matching the traffic that I want to inspect. So, is it possible just to do something like this? (denying the traffic I don't want to inspect)

access-list XY-ACL extended deny ip host X.X.X:X host Y.Y.Y.Y

access-list XY-ACL extended deny ip host Y.Y.Y.Y host X.X.X.X

access-list XY-ACL extended permit ip any any

Or do I have to better specify the networks? I'm always confused about ACL deny statements on class-maps.

Highlighted

Hi Fabio,

You can either use the deny statements or just match the traffic you want to inspect for FTP.

Either way it should work.

This would work as well:

access-list XY-ACL extended deny ip host X.X.X:X host Y.Y.Y.Y

access-list XY-ACL extended deny ip host Y.Y.Y.Y host X.X.X.X

access-list XY-ACL extended permit ip any any

Regards,

Aditya

Please mark helpful and correct answers.

Highlighted

Thanks for your post. A "clear xlate" should make the changes take effect immediately as this drops all current xlate entries and forces the ASA to rebuild them.

Content for Community-Ad