Cisco ASA 5505 Configuration Manual page 780

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01
Chapter 36 Getting Started With Application Layer Protocol Inspection, page 36-2

Information about Application Layer Protocol Inspection

Figure 36-1 How Inspection Engines Work
[Figure: a Client, the ASA and a Server, with the ACL, Inspection, XLATE and CONN databases inside the ASA; the operations described below are numbered 1 through 7]

In Figure 36-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the adaptive security appliance to establish a new connection.
2. The adaptive security appliance checks the access list database to determine if the connection is permitted.
3. The adaptive security appliance creates a new entry in the connection database (XLATE and CONN tables).
4. The adaptive security appliance checks the Inspections database to determine if the connection requires application-level inspection.
5. After the application inspection engine completes any required operations for the packet, the adaptive security appliance forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The adaptive security appliance receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.

The default configuration of the adaptive security appliance includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required.

When to Use Application Protocol Inspection

When a user establishes a connection, the adaptive security appliance checks the packet against access lists, creates an address translation, and creates an entry for the session in the fast path, so that further packets can bypass time-consuming checks. However, the fast path relies on predictable port numbers and does not perform address translations inside a packet.

Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers.

Other applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the adaptive security appliance.
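The seven-step flow of Figure 36-1 and the secondary-port problem described in this section, modelled as an added Python example (not from the Cisco guide). The control protocol and its "OPEN <port>" message, control port 2100 and the addresses are constructed for the illustration, and address translation (XLATE) is left out; the last two packets show that a dynamically negotiated secondary connection passes only because the inspection engine pre-created a connection entry, while a port that was never negotiated is still denied by the access list.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport syn payload", defaults=(False, ""))  # constructed model

def control_channel_engine(fw, p):
    """Hypothetical inspection engine for a made-up control protocol: the client message
    'OPEN <port>' asks the server to connect back to <port>, so the engine pre-creates a
    connection entry (a pinhole with wildcard server port 0) for that secondary flow."""
    if p.payload.startswith("OPEN "):
        fw.conn[(p.dst, 0, p.src, int(p.payload.split()[1]))] = None

class Firewall:
    def __init__(self, acl, inspections):
        self.acl = set(acl)             # access list database: permitted (dst, dport) pairs
        self.inspections = inspections  # inspections database: dport -> engine
        self.conn = {}                  # connection database (CONN table): key -> engine or None

    def _lookup(self, p):
        # Forward key, reverse key (reply traffic), then a pinhole with wildcard source port.
        keys = ((p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport),
                (p.src, 0, p.dst, p.dport))
        return next((k for k in keys if k in self.conn), None)

    def handle(self, p):
        k = self._lookup(p)
        if k is not None:                         # steps 6-7: packet belongs to a known session
            if self.conn[k] is None:
                return "forward:fast-path"        # no inspection: ACL and engine are skipped
            self.conn[k](self, p)                 # inspected sessions keep going through the engine
            return "forward:inspected"
        if not p.syn:                             # no session and not a connection setup
            return "drop:no-conn"
        if (p.dst, p.dport) not in self.acl:      # step 2: access list check
            return "drop:acl-deny"
        engine = self.inspections.get(p.dport)    # step 4: does this port need inspection?
        self.conn[(p.src, p.sport, p.dst, p.dport)] = engine  # step 3: create the CONN entry
        if engine:
            engine(self, p)                       # step 5: engine runs before forwarding
        return "forward:new-conn"

def demo():
    # Constructed traffic: client 192.168.1.10 to server 10.0.0.5 on made-up control port 2100.
    fw = Firewall(acl={("10.0.0.5", 2100)}, inspections={2100: control_channel_engine})
    c, s = "192.168.1.10", "10.0.0.5"
    return [fw.handle(Pkt(c, 40000, s, 2100, syn=True)),            # step 1: SYN, permitted by ACL
            fw.handle(Pkt(s, 2100, c, 40000)),                       # step 6: server reply
            fw.handle(Pkt(c, 40000, s, 2100, payload="OPEN 5001")),  # negotiates a secondary port
            fw.handle(Pkt(s, 20, c, 5001, syn=True)),                # secondary flow hits the pinhole
            fw.handle(Pkt(s, 20, c, 5002, syn=True))]                # unnegotiated port: ACL denies
```

Removing the engine from `inspections` makes the same "OPEN 5001" message travel the fast path untouched, and the server's secondary connection is then dropped by the access list, which is the situation the fast path alone cannot handle.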
