Protocols allowed to pass ASA

mahesh18
Level 6

Hi Everyone,

Need to know how we can tell from the sh run config which protocols are allowed, meaning the ASA is not doing any inspection on them, or we can say it is not blocking them, when traffic passes through the ASA?

Also, is there any command we can use from the CLI to check this?

Thanks

Mahesh

4 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh,

You have different options

Running a packet-tracer will definitely let you know all the traffic rules that a particular flow takes.

packet-tracer input interface_name_if tcp/udp source_ip source_port destination_ip destination_port

Or just by checking inspection policies, ACLs, and NAT rules.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

If sh run shows following configuration

Case 1

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Does inspect icmp here mean that ICMP is allowed if the ping is sourced from inside the network?

Need to know the exact purpose of the inspect command in the ASA config?

policy-map global_policy --- does it mean that it applies to the whole ASA traffic?

service-policy global_policy global ---- Purpose of this command?

Thanks

Mahesh

Hello,

That means that if an ICMP connection is allowed on the 'X' interface, the returning traffic will be allowed because of the inspection (the session will be in the connection table of the ASA).

policy-map global_policy --- does it mean that it applies to the whole ASA traffic?

No, that is just the name of the policy.

The command that defines where to set this up is the service-policy, and of course global means all over the interfaces.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
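One way to read the answer above straight out of a saved sh run, as an added example that is not code from this thread or from Cisco: the script pairs each inspect line with the policy-map and class it sits under, then reports only the inspections that a service-policy actually attaches, and in which scope (global or a named interface). The config excerpt is constructed for the example; the interface name outside and the policy-map names other than global_policy and inspection_default are assumptions.

```python
import re

# Constructed sample running-config excerpt (not from the thread) in the
# policy-map / class / inspect / service-policy layout discussed above.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect dns preset_dns_map
policy-map outside-policy
 class http-traffic
  inspect http
policy-map unused-policy
 class inspection_default
  inspect sip
service-policy global_policy global
service-policy outside-policy interface outside
"""

def parse_inspections(config):
    """Return {policy_map: {class: [protocols]}} from the 'inspect' lines."""
    policies, pmap, cls = {}, None, None
    for line in config.splitlines():
        if line.startswith("policy-map type "):
            pmap = cls = None  # parameter maps (e.g. dns) hold no inspect lines
        elif line.startswith("policy-map "):
            pmap, cls = line.split()[1], None
            policies.setdefault(pmap, {})
        elif pmap and line.startswith(" class "):
            cls = line.split()[1]
            policies[pmap].setdefault(cls, [])
        elif pmap and cls and line.startswith("  inspect "):
            policies[pmap][cls].append(line.split()[1])
        elif not line.startswith(" "):
            pmap = cls = None  # any other top-level command ends the block
    return policies

def inspected_protocols(config):
    """Map each protocol to the scopes where its inspection is active (a policy-map never attached by service-policy is ignored)."""
    scopes = {}
    for name, scope in re.findall(r"^service-policy (\S+) (global|interface \S+)", config, re.M):
        scopes.setdefault(name, set()).add(scope)
    result = {}
    for pmap, classes in parse_inspections(config).items():
        for proto in (p for protos in classes.values() for p in protos):
            result.setdefault(proto, set()).update(scopes.get(pmap, ()))
    return {p: s for p, s in result.items() if s}
```

Call inspected_protocols on the text of a saved sh run; an inspect line that never shows up in the output is one whose policy-map is defined but not applied anywhere.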

Hi Julio,

Many Thanks again

Regards

Mahesh
