07-13-2017 02:49 PM - edited 03-12-2019 02:42 AM
Hi, just two quick questions.
We have a L2 ASA on our network and we want to exempt FTP inspection for one specific communication between two devices. I suppose we can just create a new CLASS that matches an ACL with the relevant IP Addresses, and then add that CLASS to the Global Policy and exempt the FTP inspection.
1) Will this config work to exempt FTP inspection, just by using another CLASS and the inspection_default?
access-list XY-ACL extended permit ip host X.X.X.X host Y.Y.Y.Y
class-map XY
 match access-list XY-ACL
 match default-inspection-traffic
policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  no inspect ftp
  ...
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp
  ....
2) What impact can we have by modifying the global policy? Will we drop any current TCP connections? Can we do it during business hours? We want to be sure whether this change might cause any impact on the operation of the Firewall.
Appreciate any help.
Thanks!!!
Fabio
07-14-2017 01:19 AM
Hi Fabio,
You can create an access-list and match the traffic which you want to inspect; the rest would be exempted.
policy-map global_policy
 class XY
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect ftp
Secondly, when you change anything on the inspection, existing sessions would not be impacted; only the new ones would be subject to the change.
Regards,
Aditya
07-14-2017 07:12 AM
Thanks a lot Aditya.
You say I should create an ACL matching the traffic that I want to inspect. So, is it possible just to do something like this? (denying the traffic I don't want to inspect)
access-list XY-ACL extended deny ip host X.X.X.X host Y.Y.Y.Y
access-list XY-ACL extended deny ip host Y.Y.Y.Y host X.X.X.X
access-list XY-ACL extended permit ip any any
Or do I have to better specify the networks? I'm always confused about ACL deny statements on class-maps.
07-14-2017 08:07 AM
Hi Fabio,
You can either use the deny statements or just match the traffic you want to inspect for FTP.
Either
This would work as well:
access-list XY-ACL extended deny
access-list XY-ACL extended deny
access-list XY-ACL extended permit
Regards,
Aditya
Please mark helpful and correct answers.
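A pre-change check for the ACL approach discussed in this thread, added here as an example (not code from the thread, from Cisco, or from any ASA tool): it parses the `access-list ... extended {permit|deny} ip` lines, rejects malformed addresses such as the X.X.X:X typo, and reports whether both directions of the exempt pair are denied, whether the catch-all permit is present, and whether any deny is shadowed by it. The RFC 5737 addresses stand in for X and Y and are an assumption.

```python
import ipaddress
import re

# Constructed sample ACL modelled on the thread, with the X/Y placeholders
# replaced by RFC 5737 documentation addresses (an assumption, not real hosts).
SAMPLE_ACL = """
access-list XY-ACL extended deny ip host 192.0.2.10 host 198.51.100.20
access-list XY-ACL extended deny ip host 198.51.100.20 host 192.0.2.10
access-list XY-ACL extended permit ip any any
"""

# Only the 'extended ... ip host|any' form used in the thread is recognised.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)$"
)

def parse_endpoint(token):
    """Return 'any' or a validated dotted quad; a typo like X.X.X:X raises ValueError."""
    if token == "any":
        return "any"
    return str(ipaddress.IPv4Address(token.split()[1]))

def parse_acl(text):
    """Parse ACEs in order; ASA ACLs are first-match, so order matters."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        aces.append((m["action"], parse_endpoint(m["src"]), parse_endpoint(m["dst"])))
    return aces

def exemption_report(aces):
    """Describe what a class-map using this ACL would leave out of inspection."""
    denies = [(s, d) for a, s, d in aces if a == "deny"]
    catch_all = next((i for i, ace in enumerate(aces) if ace == ("permit", "any", "any")), None)
    # A deny placed after 'permit ip any any' is never reached (first match wins).
    shadowed = [] if catch_all is None else [ace for ace in aces[catch_all + 1:] if ace[0] == "deny"]
    return {
        # Host pairs excluded from the class: a deny ACE means "not matched by the class-map".
        "exempted_pairs": sorted(set(denies)),
        # FTP has control and data connections, so both directions should be denied.
        "missing_reverse": sorted({(d, s) for s, d in denies if (d, s) not in denies}),
        # Everything else must still fall into the class to keep being inspected.
        "catch_all_permit": catch_all is not None,
        "shadowed_denies": shadowed,
    }

if __name__ == "__main__":
    print(exemption_report(parse_acl(SAMPLE_ACL)))
```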
11-07-2019 12:59 AM
Thanks for your post. A "clear xlate" should make the changes take effect immediately as this drops all current xlate entries and forces the ASA to rebuild them.