athukral
Level 1

Introduction: This document describes how to bypass an application inspection (skinny in this example) for specific traffic while leaving it enabled for everything else.

Prerequisites:

1. FWSM/ASA

2. FWSM 3.X/PIX or ASA 7.X and above

Sample


This is just a quick example of how to bypass an inspection for selected traffic using the Modular Policy Framework (MPF) on the ASA/FWSM 3.X/PIX 7.X and above.

access-list acl_skinny_inspect deny tcp host 10.10.10.1 any eq 2000
access-list acl_skinny_inspect permit tcp any any eq 2000
!
class-map inspect_skinny
 match access-list acl_skinny_inspect
!
policy-map global_policy
 class inspection_default
  no inspect skinny
 class inspect_skinny
  inspect skinny
!
service-policy global_policy global

The above example removes skinny inspection from the default inspection class (which matches TCP port 2000 via default-inspection-traffic) and re-applies it only to the class inspect_skinny. Because a deny entry in the class-map access list excludes traffic from the class rather than dropping it, skinny inspection is bypassed on port 2000 for host 10.10.10.1 and still applied for every other host.
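To make the matching logic explicit, here is an added illustration (not Cisco code and not part of the original post) that models how a class-map with a match access-list selects flows for an inspection: the first matching entry decides, a deny entry only excludes the flow from the class, and flows matching nothing fall outside the class. The ACL entries and host 10.10.10.1 are taken from the sample configuration above; the packet tuples and the 192.0.2.x destination addresses are constructed test input, and the Ace/Packet classes are this example's own names.

```python
"""Model of ASA/FWSM class-map matching against an access-list (MPF).

Added illustration, not Cisco code. The ACL mirrors the sample
configuration in the post; packets below are constructed input.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry (hypothetical type for this example)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: str               # "any", a host (/32) or a network
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto == pkt.proto
            and _addr_matches(ace.src, pkt.src)
            and _addr_matches(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def class_map_matches(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides membership in the class.

    A 'deny' entry in a class-map ACL does not drop the packet; it only
    keeps the flow out of the class, so the inspection attached to that
    class is skipped.  Nothing matching means the implicit deny applies
    and the flow is outside the class as well."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False


# The sample ACL from the post: exclude host 10.10.10.1, keep everyone else.
ACL_SKINNY_INSPECT = [
    Ace("deny", "tcp", "10.10.10.1/32", "any", 2000),
    Ace("permit", "tcp", "any", "any", 2000),
]


def skinny_inspected(pkt: Packet, acl: List[Ace] = ACL_SKINNY_INSPECT) -> bool:
    """With 'no inspect skinny' under inspection_default and 'inspect
    skinny' under class inspect_skinny, skinny inspection is applied
    exactly when the class-map ACL permits the flow."""
    return class_map_matches(acl, pkt)


def audit(packets: List[Packet],
          acl: List[Ace] = ACL_SKINNY_INSPECT) -> Dict[Tuple[str, str, int], bool]:
    """Map (src, dst, dport) to whether skinny inspection would apply."""
    return {(p.src, p.dst, p.dport): skinny_inspected(p, acl) for p in packets}


if __name__ == "__main__":
    # Constructed sample flows: the exempt host, another host, and a
    # non-skinny port from the exempt host.
    sample = [
        Packet("tcp", "10.10.10.1", "192.0.2.10", 2000),
        Packet("tcp", "10.10.10.2", "192.0.2.10", 2000),
        Packet("tcp", "10.10.10.1", "192.0.2.10", 5060),
    ]
    for key, inspected in audit(sample).items():
        print(key, "inspected" if inspected else "bypassed")
```

Running the block prints that the flow from 10.10.10.1 to port 2000 is bypassed while the same flow from 10.10.10.2 is inspected, which is the behaviour the configuration is meant to produce; a UDP flow to port 2000 also stays outside the class because the ACL only matches TCP.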

A quick way to see which protocols and ports the default inspection_default class matches (and therefore which inspections it applies) is to use the ? help under the class-map, as below:

ASA# conf t
ASA(config)# class-map inspection_default
ASA(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp
                              ils-------tcp--389       ip-options-----rsvp
                              mgcp------udp--2427,2727 netbios---udp--137-138
                              radius-acct----udp--1646 rpc-------udp--111
                              rsh-------tcp--514       rtsp------tcp--554
                              sip-------tcp--5060      sip-------udp--5060
                              skinny----tcp--2000      smtp------tcp--25
                              sqlnet----tcp--1521      tftp------udp--69
                              waas------tcp--1-65535   xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
ASA(config-cmap)#

Show Command To Verify

ciscoasa# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspect_skinny
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0



With this command you can verify that the custom class is attached to the global policy and check how many packets the inspection has seen, dropped, or reset-dropped.
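When these counters are collected regularly (for example by a script that polls the firewall), it helps to turn the show output into structured records so that drops can be alerted on. The parser below is an added example, not part of the original post or any Cisco tool; the first sample is the output shown above, and the second sample with non-zero counters is constructed to show the drop check firing.

```python
"""Parse 'show service-policy' inspection counters into records.

Added example, not a Cisco utility. The first sample is the output
from the post; the second is constructed to exercise the drop check.
"""
import re
from typing import Dict, List

# Output from the post above (used here as sample input).
SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspect_skinny
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
"""

# Constructed sample with drops, to show what an alert would see.
SHOW_SERVICE_POLICY_WITH_DROPS = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspect_skinny
      Inspect: skinny , packet 1204, drop 3, reset-drop 1
               tcp-proxy: bytes in buffer 0, bytes dropped 0
    Class-map: inspection_default
      Inspect: dns , packet 5000, drop 0, reset-drop 0
"""

INSPECT_RE = re.compile(
    r"Inspect:\s*(?P<name>\S+)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)


def parse_service_policy(text: str) -> List[Dict]:
    """Walk the indented output, remembering the current policy and
    class, and emit one record per 'Inspect:' counter line."""
    records: List[Dict] = []
    policy = cls = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Service-policy:"):
            policy = s.split(":", 1)[1].strip()
        elif s.startswith("Class-map:"):
            cls = s.split(":", 1)[1].strip()
        else:
            m = INSPECT_RE.search(s)
            if m:
                records.append({
                    "policy": policy,
                    "class": cls,
                    "inspect": m["name"],
                    "packet": int(m["packet"]),
                    "drop": int(m["drop"]),
                    "reset_drop": int(m["reset"]),
                })
    return records


def inspections_with_drops(records: List[Dict]) -> List[Dict]:
    """Return only the inspections whose drop or reset-drop counter is non-zero."""
    return [r for r in records if r["drop"] or r["reset_drop"]]


if __name__ == "__main__":
    for text in (SHOW_SERVICE_POLICY, SHOW_SERVICE_POLICY_WITH_DROPS):
        recs = parse_service_policy(text)
        print(f"{len(recs)} inspection(s) parsed")
        for r in inspections_with_drops(recs):
            print(f"  {r['class']}/{r['inspect']}: drop={r['drop']} "
                  f"reset-drop={r['reset_drop']}")
```

On the output from the post the parser yields a single record for class inspect_skinny with all counters at zero, so the drop check reports nothing; on the constructed sample it flags the skinny inspection with 3 drops and 1 reset-drop and stays silent for the dns inspection.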



Hope this quick sample is informative and helpful.
