Application Inspection on the ASA

One of the key areas for the Cisco ASA is giving us great control when it comes to ensuring applications running across the device are not trying to do us harm. This is implemented, of course, with Application Inspection. This permits us to only examine the packet header, but also the contents of the packet right up to Layer 7.


Another nice thing is the fact that the ASA is trained to deal with applications that require special handling. Examples would be the handling of data packets that embed IP addressing information in the data payload, or that open up secondary channels on dynamically assigned ports.

The list of applications supported is impressive and continues to grow. Here are just some:

  • HTTP
  • FTP
  • IM
  • H.323
  • TFTP
  • SIP
  • DNS

Application Inspection is enabled and tweaked through the use of the Modular Policy Framework (MPF). Remember, this follows the general structure of a traffic class to identify traffic (class-map), actions assigned with policies (policy-map), and then the service policies activated on interfaces (service-policy).

Remember, the ASA is setup for some Application Inspection right out of the box.  You can see this with the default class-map of inspection_default, the policy-map of global_policy, and the service-policy globally assigned.

Here is a look at these default structures. Note this shows you which specific protocols are being inspected by default on all interfaces:

class-map inspection_default
   match default-inspection-traffic
policy-map type inspect dns preset_dns_map
       message-length maximum 512
policy-map global_policy
   class inspection_default
       inspect dns preset_dns_map
       inspect ftp
       inspect h323 h225 
       inspect h323 ras
       inspect ip-options
       inspect rsh
       inspect rtsp
       inspect esmtp
       inspect sqlnet
       inspect skinny
       inspect sunrpc
       inspect xdmcp
       inspect sip
       inspect netbios
       inspect tftp
service-policy global_policy global

At your fingertips is your own manipulation of Application Inspection on the ASA. In this example of HTTP inspection, we selectively inspect HTTP traffic to our Web server, spoof that our server is an Apache Server, reset connections with a long header length, and guard against DoS attacks:

access-list OUT_IN extended permit tcp any host eq www
access-group OUT_IN in interface outside
access-list AHTTP permit tcp any host eq www
class-map CHTTP
   match access-list AHTTP
policy-map type inspect http PDHTTP
      spoof-server "Apache Server"
      match request header length gt 4096
policy-map POUTSIDE
   class CHTTP
      inspect http PDHTTP
      set connection conn-max 2 embryonic-conn-max 1
service-policy POUTSIDE interface outside

Leave a Reply

Your email address will not be published. Required fields are marked *