3533 Views, 1 Reply. Latest reply: Mar 5, 2011 5:20 AM by Paul Stewart - CCIE Security

ASA default inspection

Mar 5, 2011 4:14 AM

Hi All,

Does an ASA inspect all TCP/UDP by default, and only for ICMP do we need to add the inspection rule? Or does it just inspect the protocols listed in the default inspection list here? I'm pretty sure it inspects http, rdp etc., which are not in this list. So what does this list actually indicate? Also, the inspect-dns policy map... does it only inspect DNS packets less than 512B?

Also what do we mean by "default-inspection-traffic" ?

class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
    Paul Stewart - CCIE Security (7,570 posts since Jul 18, 2008)
    1. Mar 5, 2011 5:20 AM (in response to vikram parmar)
    Re: ASA default inspection

    The ASA inspects TCP and UDP as well as the upper-layer protocols in the list. So TCP/UDP inspection is at least one layer below all of the protocols in inspection_default. Many of those protocols have special needs or concerns, so they are enabled by default, but are also listed. TCP can be set not to be inspected by configuring TCP pass-thru.
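An added example (my own code, not from the thread or from Cisco): a small Python audit helper that parses the policy-map fragment quoted in the question and reports which protocols the globally applied policy inspects and the DNS message-length cap, so "is protocol X in the inspect list?" can be answered from a config dump rather than from memory. It understands only the statement forms that appear in the question, and the embedded sample config is a constructed subset of that block.

```python
import re

# Constructed sample: a subset of the default inspection block quoted in the question.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect tftp
service-policy global_policy global
"""

def parse_inspection_policy(config):
    """Return (inspects per policy/class, DNS message-length caps, globally applied policy name)."""
    inspects, dns_max, global_policy = {}, {}, None
    policy = cls = dns_map = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map type inspect dns (\S+)$", line):
            dns_map, policy, cls = m.group(1), None, None   # entering a DNS inspect map
        elif m := re.match(r"policy-map (\S+)$", line):
            policy, dns_map, cls = m.group(1), None, None   # entering a Layer 3/4 policy-map
            inspects.setdefault(policy, {})
        elif (m := re.match(r"class (\S+)$", line)) and policy:
            cls = m.group(1)
            inspects[policy].setdefault(cls, [])
        elif line.startswith("inspect ") and policy and cls:
            inspects[policy][cls].append(tuple(line.split()[1:]))  # e.g. ('h323', 'ras')
        elif (m := re.match(r"message-length maximum (\d+)$", line)) and dns_map:
            dns_max[dns_map] = int(m.group(1))
        elif m := re.match(r"service-policy (\S+) global$", line):
            global_policy = m.group(1)
    return inspects, dns_max, global_policy

def globally_inspected(config):
    """Map protocol name -> argument tuples of every inspect line enabled by the global policy."""
    inspects, _, global_policy = parse_inspection_policy(config)
    result = {}
    for entries in inspects.get(global_policy, {}).values():
        for args in entries:
            result.setdefault(args[0], []).append(args[1:])
    return result
```

Run `globally_inspected(SAMPLE_CONFIG)` to see that http is absent from the default list while dns carries its preset_dns_map argument; `parse_inspection_policy(SAMPLE_CONFIG)[1]` shows the 512-byte DNS cap.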
