ASA IOS 8.3 policy order-- 1. NAT, then...2. ACL, then... 3. ?

Hello.

Within an ASA-5525, the IOS 8.3 or later order of execution of policy-- Is it...

1. NAT, then...2. ACL, then... 3. (I forget the term-- it refers to when the NAT policy is executed lower in the order.)?

May you clarify, and answer my question?

Thank you.


balaji.bandi
Hall of Fame

Here is the packet flow from Cisco Live:

[Image: balajibandi_0-1676328148946.png (ASA packet flow diagram)]

You can find the reference here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113396-asa-packet-flow-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
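As an added illustration of the evaluation order the linked Cisco packet-flow document describes for a new connection, here is a small Python model. It is editorial example code, not part of this thread and not Cisco code. It goes slightly beyond the thread in one respect: it includes the three NAT sections of ASA 8.3+ (Section 1 manual/twice NAT, Section 2 auto/object NAT, Section 3 manual NAT placed after auto NAT), taken from the ASA NAT documentation rather than from any post here. Every address, rule name and ACL entry is constructed.

```python
"""Model of the ASA 8.3+ evaluation order for a NEW connection (added example;
not Cisco code).  Phases follow the packet-flow document linked above:

  1. existing-connection lookup          (not modelled: only new flows here)
  2. interface ACL                        (since 8.3 it matches REAL addresses)
  3. NAT table, in three sections:
       Section 1  manual (twice) NAT, configured order
       Section 2  auto (object) NAT: static before dynamic, then longest prefix
       Section 3  manual NAT 'after-auto', configured order
  4. inspection                           (not modelled)

Destination un-NAT used to pick the egress interface happens before the ACL on
a real ASA and is also left out.  All addresses and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class AclEntry:
    action: str                      # "permit" | "deny"
    src: str                         # CIDR of the REAL (untranslated) source
    dst: str                         # CIDR of the destination
    dport: Optional[int] = None      # None = any port


@dataclass
class NatRule:
    name: str
    section: int                     # 1 manual, 2 auto (object), 3 manual after-auto
    real_src: str                    # CIDR of the real source
    mapped_src: str                  # mapped address, or "identity"
    static: bool = True
    real_dst: Optional[str] = None   # manual NAT can also match the destination
    order: int = 0                   # line order inside sections 1 and 3


def _in(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr)


def acl_lookup(pkt: Packet, acl: list) -> str:
    """Interface ACL: first match wins, implicit deny at the end."""
    for ace in acl:
        if _in(pkt.src, ace.src) and _in(pkt.dst, ace.dst) and ace.dport in (None, pkt.dport):
            return ace.action
    return "deny"


def _section2_key(rule: NatRule):
    net = ip_network(rule.real_src)
    # static first, then longest prefix, then lowest real address
    return (not rule.static, -net.prefixlen, int(net.network_address))


def nat_lookup(pkt: Packet, rules: list) -> Optional[NatRule]:
    """Walk the NAT table in Section 1, 2, 3 order; first match wins."""
    ordered = (
        sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
        + sorted((r for r in rules if r.section == 2), key=_section2_key)
        + sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    )
    for rule in ordered:
        if _in(pkt.src, rule.real_src) and (rule.real_dst is None or _in(pkt.dst, rule.real_dst)):
            return rule
    return None


def evaluate(pkt: Packet, acl: list, rules: list) -> dict:
    """Phases a new connection passes, in ASA order; stops at the first drop."""
    phases = {"ACCESS-LIST": acl_lookup(pkt, acl)}
    if phases["ACCESS-LIST"] == "deny":
        return phases                    # dropped before the NAT table is consulted
    rule = nat_lookup(pkt, rules)
    phases["NAT"] = rule.name if rule else "no-nat"
    phases["NAT-SECTION"] = rule.section if rule else None
    return phases


# Constructed policy: a twice-NAT exemption for a VPN range (section 1), an
# object static and an object PAT (section 2), and an after-auto PAT (section 3).
ACL = [
    AclEntry("permit", "10.1.1.0/24", "0.0.0.0/0", 443),
    AclEntry("permit", "10.2.2.0/24", "0.0.0.0/0"),
]
NAT = [
    NatRule("vpn-exempt", 1, "10.1.1.0/24", "identity", real_dst="172.16.0.0/16", order=10),
    NatRule("web-static", 2, "10.1.1.10/32", "203.0.113.10"),
    NatRule("inside-pat", 2, "10.1.1.0/24", "203.0.113.1", static=False),
    NatRule("guest-pat", 3, "10.2.2.0/24", "203.0.113.2", static=False, order=10),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.10", "8.8.8.8", 443),     # section 2 static beats the /24 PAT
                Packet("10.1.1.10", "172.16.5.5", 443),  # section 1 wins despite the /32 in section 2
                Packet("10.1.1.20", "8.8.8.8", 80),      # ACL denies on the real IP; NAT never runs
                Packet("10.2.2.7", "8.8.8.8", 22)):      # only section 3 matches
        print(pkt, evaluate(pkt, ACL, NAT))
```

The two points worth taking from a run: the ACL is written against real addresses and is consulted before any NAT rule, so a denied flow never reaches the NAT table; and a less specific Section 1 rule still beats a more specific Section 2 rule, which is why twice-NAT exemptions belong in Section 1 and catch-all manual rules in Section 3.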

This is EXACTLY what I was looking for, though some questions remain...

May you please also explain the "third policy rule"-- It has to do with "nested" or "conditional" (or something like that). It has to do with NAT or PAT translations. What is the name of this 3rd rule? What is the priority order of this 3rd rule? (It might be in the link from the text Cisco ASA Software Version 8.3 and later, but the link refers to many hundreds of pages of text.)

From your link-- "Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality."-- What is the command to remove this "inspection engine"?

Thank you.

Why do you want to remove the inspection engine?

Troubleshooting.

Not sure you can. Use packet-tracer to see what is happening if you have ASA 8.3 code; I stopped using that code more than 10 years ago.


Check this other view:

[Image: balajibandi_1-1676372992634.png]


What is the command to remove this "inspection engine"? - The model you mentioned does not have an IPS module like SFR; are you looking at policy inspection?


BB


The data on this thread is invaluable. Thank you all.

This ASA has a long config. What is the best way to policy inspect?

Also, please see the image attached. If the packet is dropped because of an IPS module failure, then what command will show that the packet was dropped? (#show asp drop, #{other command}?)

Rather than reinvent the wheel, you can find many documents around; the best practice is based on the organisation's requirements.

https://community.cisco.com/t5/network-security/traffic-inspection-best-practices/td-p/1932294

The best practice is that you need to be up to date on security patches first. ASA 8.3 went end of life a decade ago, so there are a lot more security holes in it; before we consider best practice, make sure we are up to date.

BB


show asp drop <<- this is a good indication

asa# show service-policy inspect <<protocol inspect>> 

Global policy: 
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 0
        dns-guard, count 0
        protocol-enforcement, drop 0
        nat-rewrite, count 0
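To act on the two outputs BB points at (`show asp drop` and `show service-policy inspect`), here is an added Python helper that parses both and lists only the counters that are not zero. It is editorial example code, not part of this thread and not Cisco tooling. The `show asp drop` text it reads is a constructed sample in the layout that command prints (a description, the reason name in parentheses, then a count, grouped under "Frame drop:" and "Flow drop:"); the `show service-policy inspect` sample mirrors the output pasted above with a couple of counters set nonzero so there is something to report. All numbers in both samples are constructed.

```python
"""Flag nonzero drop counters in `show asp drop` and `show service-policy inspect`
output (added example; not Cisco code).  Both samples below are constructed."""
import re

# Constructed sample in the layout `show asp drop` prints:
#   <description> (<reason-name>)   <count>, grouped under "Frame drop:" / "Flow drop:"
ASP_DROP_SAMPLE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                               42
  No valid adjacency (no-adjacency)                                            3

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                            5
"""

# Constructed sample modelled on the `show service-policy inspect` output in the
# thread, with two counters made nonzero so the helper has something to report.
INSPECT_SAMPLE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 1200, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 2 pkts/sec, v6-fail-close 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 4
        dns-guard, count 1200
        protocol-enforcement, drop 2
        nat-rewrite, count 0
"""

ASP_LINE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")
# "drop N" or "reset-drop N"; the lookbehind stops "reset-drop" from also matching as "drop"
DROP_TOKEN = re.compile(r"(?<![\w-])(?P<name>reset-drop|drop) (?P<count>\d+)")


def parse_asp_drop(text: str) -> dict:
    """Return {(category, reason): count}, e.g. {("Frame drop", "acl-drop"): 42}."""
    counters, category = {}, None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith("drop:"):
            category = line[:-1]                 # "Frame drop" or "Flow drop"
        m = ASP_LINE.match(line)
        if m and category:
            counters[(category, m["reason"])] = int(m["count"])
    return counters


def parse_inspect_drops(text: str) -> list:
    """Return [(label, counter-name, value)] for every drop/reset-drop counter."""
    drops, engine = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Inspect:"):
            engine = line[len("Inspect:"):].split(",")[0].strip()   # e.g. "dns preset_dns_map"
            label = engine
        else:
            label = f"{engine}/{line.split(',')[0]}" if engine else line
        for m in DROP_TOKEN.finditer(line):
            drops.append((label, m["name"], int(m["count"])))
    return drops


def nonzero_drops(asp_text: str, inspect_text: str) -> list:
    """Readable list of every counter that is not zero; an empty list means nothing was dropped."""
    hits = [f"asp {cat}: {reason}={n}"
            for (cat, reason), n in parse_asp_drop(asp_text).items() if n]
    hits += [f"inspect {label}: {name}={n}"
             for label, name, n in parse_inspect_drops(inspect_text) if n]
    return hits


if __name__ == "__main__":
    for hit in nonzero_drops(ASP_DROP_SAMPLE, INSPECT_SAMPLE):
        print(hit)
```

On a real box, capture the two command outputs and pass them in instead of the samples. Because `show asp drop` counters accumulate since the "Last clearing" time it prints, clear them (`clear asp drop`) before reproducing the failing flow so that a nonzero `acl-drop` or `inspect-fail` can be tied to the packet you just sent rather than to history.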