Showing results for 
Search instead for 
Did you mean: 

How to bypass an application inspection using Modular Policy Framework for specific hosts on the network


Introduction: This document describes the process of bypassing an inspect.


1.       FWSM/ASA

2.       FWSM 3.X/PIX or ASA 7.X and above


This is just a quick example of how to bypass an inspect using the modular policy framework for the ASA/FWSM 3.X/PIX 7.X and above

access-list acl_skinny_inspect deny tcp host any eq 2000

access-list acl_skinny_inspect permit tcp any any eq 2000


class-map inspect_skinny

match access-list acl_skinny_inspect


policy-map global_policy

class inspection_default

  no inspect skinny

class-map inspect_skinny 

  inspect skinny

service-policy global_policy global

The above example will allow the skinny inspect to be bypasses on port 2000 for host

A quick way to see what traffic inspections are enabled for in the inspection_default class is to run the command like below:

ASA# conf t

ASA(config)# class-map inspection_default

ASA(config-cmap)# match ?

mpf-class-map mode commands/options:

  access-list                 Match an Access List

  any                         Match any packet

  default-inspection-traffic  Match default inspection traffic:

                              ctiqbe----tcp--2748      dns-------udp--53      

                              ftp-------tcp--21        gtp-------udp--2123,3386

                              h323-h225-tcp--1720      h323-ras--udp--1718-1719

                              http------tcp--80        icmp------icmp         

                              ils-------tcp--389       ip-options-----rsvp    

                              mgcp------udp--2427,2727 netbios---udp--137-138 

                              radius-acct----udp--1646 rpc-------udp--111     

                              rsh-------tcp--514       rtsp------tcp--554     

                              sip-------tcp--5060      sip-------udp--5060    

                              skinny----tcp--2000      smtp------tcp--25      

                              sqlnet----tcp--1521      tftp------udp--69      

                              waas------tcp--1-65535   xdmcp-----udp--177     

  dscp                        Match IP DSCP (DiffServ CodePoints)

  flow                        Flow based Policy

  port                        Match TCP/UDP port(s)

  precedence                  Match IP precedence

  rtp                         Match RTP port numbers

  tunnel-group                Match a Tunnel Group


Show Command To Verfiy

ciscoasa# sh service-policy

Global policy:

  Service-policy: global_policy

Class-map: inspect_skinny

      Inspect: skinny , packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0

Hence with this command you can verify on how many packets are dropped, reset-drop etc.

Hope this quick sample is informative and helpful.

Recognize Your Peers
Content for Community-Ad