Introduction: This document describes the process of bypassing an inspection for specific traffic using the Modular Policy Framework (MPF).
Prerequisites:
1. FWSM/ASA
2. FWSM 3.X/PIX or ASA 7.X and above
Sample
This is just a quick example of how to bypass an inspection for a specific host using the Modular Policy Framework on the ASA/FWSM 3.X/PIX 7.X and above.
access-list acl_skinny_inspect deny tcp host 10.10.10.1 any eq 2000
access-list acl_skinny_inspect permit tcp any any eq 2000
!
class-map inspect_skinny
 match access-list acl_skinny_inspect
!
policy-map global_policy
 class inspection_default
  no inspect skinny
 class inspect_skinny
  inspect skinny
!
service-policy global_policy global
The above example allows the skinny inspection to be bypassed on port 2000 for host 10.10.10.1: the deny entry keeps that host's port 2000 traffic out of the inspect_skinny class, so it is no longer inspected, while the permit entry keeps all other port 2000 traffic under inspection.
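To make the matching logic of the class-map ACL concrete, here is an added Python example (not part of the original document or Cisco's code) that parses the two access-list lines above and evaluates a flow the way a class-map "match access-list" does: first match wins, a permit entry places the flow in the class (inspected), a deny entry or no match leaves it out (not inspected). The exempted_sources helper and the sample destination address are assumptions for the audit check.

```python
import ipaddress

# Constructed sample: the ACL and class-map from this document, used as input.
ASA_CONFIG = """\
access-list acl_skinny_inspect deny tcp host 10.10.10.1 any eq 2000
access-list acl_skinny_inspect permit tcp any any eq 2000
class-map inspect_skinny
 match access-list acl_skinny_inspect
"""


def _endpoint(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport)]} in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _endpoint(t, 4)
        dst, i = _endpoint(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def class_matches(aces, src_ip, dst_ip, dport, proto="tcp"):
    """First-match evaluation as used by 'match access-list': permit -> in the
    class (inspected); deny or no match -> outside the class (not inspected)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in aces:
        if p in (proto, "ip") and s in src and d in dst and port in (None, dport):
            return action == "permit"
    return False


def exempted_sources(aces):
    """Audit helper (assumed): sources that a deny entry removes from inspection."""
    return [str(src) for action, _, src, _, _ in aces if action == "deny"]


if __name__ == "__main__":
    aces = parse_acls(ASA_CONFIG)["acl_skinny_inspect"]
    print("10.10.10.1 inspected:", class_matches(aces, "10.10.10.1", "192.0.2.5", 2000))  # False
    print("exempt sources:", exempted_sources(aces))
```

Running exempted_sources over every ACL referenced by an inspect class is a quick way to list which hosts have been carved out of inspection.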
A quick way to see which protocols the inspection_default class matches by default is to run the following command and look at the default-inspection-traffic option:
ASA# conf t
ASA(config)# class-map inspection_default
ASA(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp
mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
waas------tcp--1-65535 xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group
ASA(config-cmap)#
Show Command To Verify
ciscoasa# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspect_skinny
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
With this command you can verify the packet, drop and reset-drop counters for the new class and confirm that the skinny inspection is being applied there.
Hope this quick sample is informative and helpful.