Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
10437
Views
15
Helpful
0
Comments

How to bypass an application inspection using Modular Policy Framework for specific hosts on the network

athukral
Level 1
Level 1

‎03-30-2011 01:00 AM - edited ‎03-08-2019 06:40 PM

Introduction: This document describes the process of bypassing an inspect.

Prerequisites: 

1.       FWSM/ASA

2.       FWSM 3.X/PIX or ASA 7.X and above

Sample


This is just a quick example of how to bypass an inspect using the modular policy framework for the ASA/FWSM 3.X/PIX 7.X and above

access-list acl_skinny_inspect deny tcp host 10.10.10.1 any eq 2000

access-list acl_skinny_inspect permit tcp any any eq 2000

!

class-map inspect_skinny

match access-list acl_skinny_inspect

!

policy-map global_policy

class inspection_default

  no inspect skinny

class-map inspect_skinny 

  inspect skinny

service-policy global_policy global

The above example will allow the skinny inspect to be bypasses on port 2000 for host 10.10.10.1

A quick way to see what traffic inspections are enabled for in the inspection_default class is to run the command like below:

ASA# conf t

ASA(config)# class-map inspection_default

ASA(config-cmap)# match ?

mpf-class-map mode commands/options:

  access-list                 Match an Access List

  any                         Match any packet

  default-inspection-traffic  Match default inspection traffic:

                              ctiqbe----tcp--2748      dns-------udp--53      

                              ftp-------tcp--21        gtp-------udp--2123,3386

                              h323-h225-tcp--1720      h323-ras--udp--1718-1719

                              http------tcp--80        icmp------icmp         

                              ils-------tcp--389       ip-options-----rsvp    

                              mgcp------udp--2427,2727 netbios---udp--137-138 

                              radius-acct----udp--1646 rpc-------udp--111     

                              rsh-------tcp--514       rtsp------tcp--554     

                              sip-------tcp--5060      sip-------udp--5060    

                              skinny----tcp--2000      smtp------tcp--25      

                              sqlnet----tcp--1521      tftp------udp--69      

                              waas------tcp--1-65535   xdmcp-----udp--177     

  dscp                        Match IP DSCP (DiffServ CodePoints)

  flow                        Flow based Policy

  port                        Match TCP/UDP port(s)

  precedence                  Match IP precedence

  rtp                         Match RTP port numbers

  tunnel-group                Match a Tunnel Group

ASA(config-cmap)#

Show Command To Verfiy

ciscoasa# sh service-policy

Global policy:

  Service-policy: global_policy

Class-map: inspect_skinny

      Inspect: skinny , packet 0, drop 0, reset-drop 0

               tcp-proxy: bytes in buffer 0, bytes dropped 0



Hence with this command you can verify on how many packets are dropped, reset-drop etc.



Hope this quick sample is informative and helpful.

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents