How inspection engines work, C h a p t e r, For a – Cisco ASA 5505 User Manual
Page 865: Chapter 42
C H A P T E R
42-1
Cisco ASA 5500 Series Configuration Guide using the CLI
42
Getting Started with Application Layer Protocol
Inspection
This chapter describes how to configure application layer protocol inspection. Inspection engines are
required for services that embed IP addressing information in the user data packet or that open secondary
channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection
instead of passing the packet through the fast path (see the
“Stateful Inspection Overview” section on
for more information about the fast path). As a result, inspection engines can affect overall
throughput. Several common inspection engines are enabled on the ASA by default, but you might need
to enable others depending on your network.
This chapter includes the following sections:
•
Information about Application Layer Protocol Inspection, page 42-1
•
Guidelines and Limitations, page 42-3
•
•
Configuring Application Layer Protocol Inspection, page 42-6
Information about Application Layer Protocol Inspection
This section includes the following topics:
•
How Inspection Engines Work, page 42-1
•
When to Use Application Protocol Inspection, page 42-2
How Inspection Engines Work
As illustrated in
, the ASA uses three databases for its basic operation:
•
Access lists—Used for authentication and authorization of connections based on specific networks,
hosts, and services (TCP/UDP port numbers).
•
Inspections—Contains a static, predefined set of application-level inspection functions.
•
Connections (XLATE and CONN tables)—Maintains state and other information about each
established connection. This information is used by the Adaptive Security Algorithm and
cut-through proxy to efficiently forward traffic within established sessions.