When to use application protocol inspection, Figure 42-1 – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 42 Getting Started with Application Layer Protocol Inspection

Information about Application Layer Protocol Inspection

Figure 42-1 How Inspection Engines Work

In Figure 42-1, operations are numbered in the order they occur, and are described as follows:

1. A TCP SYN packet arrives at the ASA to establish a new connection.

2. The ASA checks the access list database to determine if the connection is permitted.

3. The ASA creates a new entry in the connection database (XLATE and CONN tables).

4. The ASA checks the Inspections database to determine if the connection requires application-level inspection.

5. After the application inspection engine completes any required operations for the packet, the ASA forwards the packet to the destination system.

6. The destination system responds to the initial request.

7. The ASA receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.

The default configuration of the ASA includes a set of application inspection entries that associate
supported protocols with specific TCP or UDP port numbers and that identify any special handling
required.

When to Use Application Protocol Inspection

When a user establishes a connection, the ASA checks the packet against access lists, creates an address
translation, and creates an entry for the session in the fast path, so that further packets can bypass
time-consuming checks. However, the fast path relies on predictable port numbers and does not perform
address translations inside a packet.

Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to
negotiate dynamically assigned port numbers.

Other applications embed an IP address in the packet payload. That embedded address must match the packet's source address, which is normally translated when the packet passes through the ASA, so the payload has to be rewritten as well.

If you use applications like these, then you need to enable application inspection.
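The seven-step packet path above and the fast-path limitation described in this section, modelled in Python as an added example (this is not code from the Cisco guide or from the ASA itself). The ToyASA class keeps an ACL, an XLATE table and a CONN table and optionally binds an FTP inspection engine to connections opened to TCP/21. The addresses 10.1.1.5, 203.0.113.10 and 198.51.100.20, the static translation between the first two, the port numbers and the FTP messages are all constructed for the example. With the engine disabled, the client's active-mode PORT command leaves the ASA still carrying the untranslated inside address and the server's secondary data connection is dropped at the ACL; with the engine enabled, it rewrites the embedded address and pre-opens the CONN entry (the pinhole) for that secondary connection.

```python
# Toy model of the ASA packet path in Figure 42-1: added example, not Cisco code.
# Addresses, ports and FTP messages below are constructed, not taken from the guide.
import re
from dataclasses import dataclass
from typing import Optional

INSIDE_CLIENT = "10.1.1.5"       # assumed inside host (private address)
CLIENT_NAT = "203.0.113.10"      # assumed address the ASA translates it to
FTP_SERVER = "198.51.100.20"     # assumed outside FTP server

# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2.
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


def iface(ip: str) -> str:
    """Constructed topology: 10.0.0.0/8 is the inside interface, everything else outside."""
    return "inside" if ip.startswith("10.") else "outside"


class ToyASA:
    """Stateful firewall: ACL, XLATE and CONN tables plus an optional FTP engine."""

    def __init__(self, inspect_ftp: bool):
        # Step 2: access list database. Only new connections from inside to TCP/21 pass.
        self.acl = {("inside", 21)}
        # Step 3: XLATE (static NAT) and CONN tables. A CONN key is
        # (inside ip, inside port, outside ip, outside port); the value is the
        # inspection engine bound to that session, or None for plain fast-path traffic.
        self.xlate = {INSIDE_CLIENT: CLIENT_NAT}
        self.conns = {}
        # Step 4: inspection database, keyed by well-known destination port.
        self.inspections = {21: self._ftp_engine} if inspect_ftp else {}

    def _untranslate(self, outside_ip: str) -> str:
        return {v: k for k, v in self.xlate.items()}.get(outside_ip, outside_ip)

    def _conn_key(self, pkt: Packet) -> tuple:
        """Normalise either direction to (inside ip, inside port, outside ip, outside port)."""
        if iface(pkt.src) == "inside":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (self._untranslate(pkt.dst), pkt.dport, pkt.src, pkt.sport)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to its destination, or None if the ASA drops it."""
        key = self._conn_key(pkt)
        if key in self.conns:
            engine = self.conns[key]                    # step 7: established, fast path
        else:
            if not pkt.syn or (iface(pkt.src), pkt.dport) not in self.acl:
                return None                             # step 2: denied by the ACL
            engine = self.inspections.get(pkt.dport)    # step 4: inspection needed?
            self.conns[key] = engine                    # step 3: new CONN entry
        if engine is not None:
            pkt = engine(pkt)                           # step 5: engine sees the payload
        # XLATE is applied to the IP header only; the fast path never reads the payload.
        if iface(pkt.src) == "inside":
            pkt.src = self.xlate.get(pkt.src, pkt.src)
        else:
            pkt.dst = self._untranslate(pkt.dst)
        return pkt

    def _ftp_engine(self, pkt: Packet) -> Packet:
        """FTP inspection: fix the address inside PORT and pre-open the data connection."""
        m = PORT_CMD.match(pkt.payload)
        if not m or iface(pkt.src) != "inside":
            return pkt
        embedded_ip = ".".join(x.decode() for x in m.group(1, 2, 3, 4))
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        if embedded_ip == pkt.src and pkt.src in self.xlate:
            hi, lo = divmod(data_port, 256)
            nat = self.xlate[pkt.src].replace(".", ",")
            pkt.payload = ("PORT %s,%d,%d\r\n" % (nat, hi, lo)).encode()
        # Pinhole: the server will connect from TCP/20 back to the client's data port.
        self.conns[(pkt.src, data_port, pkt.dst, 20)] = None
        return pkt


def active_ftp_session(inspect_ftp: bool) -> dict:
    """Replay a constructed active-mode FTP session and report what the server sees."""
    asa = ToyASA(inspect_ftp)
    # Step 1: the client opens the control connection with a SYN to TCP/21.
    syn = asa.forward(Packet(INSIDE_CLIENT, 40000, FTP_SERVER, 21, syn=True))
    # Mid-session the client announces its data port: 10.1.1.5, 19*256+137 = 5001.
    port_cmd = asa.forward(Packet(INSIDE_CLIENT, 40000, FTP_SERVER, 21,
                                  payload=b"PORT 10,1,1,5,19,137\r\n"))
    # Step 6: the server connects back to whatever address the PORT line carried.
    m = PORT_CMD.match(port_cmd.payload)
    target_ip = ".".join(x.decode() for x in m.group(1, 2, 3, 4))
    target_port = int(m.group(5)) * 256 + int(m.group(6))
    data_syn = asa.forward(Packet(FTP_SERVER, 20, target_ip, target_port, syn=True))
    return {
        "control_src_seen_by_server": syn.src,
        "port_cmd_seen_by_server": port_cmd.payload,
        "data_conn_delivered_to": None if data_syn is None else (data_syn.dst, data_syn.dport),
    }
```

Calling active_ftp_session(False) and active_ftp_session(True) and comparing the two returned dictionaries shows the difference: without the engine the server is told to connect to 10.1.1.5 and its SYN never reaches the client; with it the server is told 203.0.113.10, and the SYN is matched by the pinhole and delivered to 10.1.1.5:5001. The model leaves out one thing a real engine must also do when it changes the payload length: the rewritten PORT line is four bytes longer, so the ASA has to adjust TCP sequence and acknowledgement numbers on that control connection for the rest of its life. The pinhole here is also narrower than a real one, since it requires the server to connect from TCP/20.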

[Figure 42-1, image not included: the Client on the left, the ASA with its ACL, XLATE, CONN and Inspection stages in the middle, and the Server on the right, with operations 1 to 7 numbered in the order listed above.]
