Application Inspection; Use Case: Expose A Server To The Public - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 1

Application Inspection

Application inspection engines are required for services that embed IP addressing information in the user
data packet or that open secondary channels on dynamically assigned ports. These protocols require the
ASA to do a deep packet inspection, to open the required pinholes and to apply network address
translation (NAT).

The default ASA policy already applies inspection globally for many popular protocols, such as DNS,
FTP, SIP, ESMTP, TFTP, and others. The default inspections might be all you require for your network.
However, you might need to enable inspection for other protocols, or fine-tune an inspection. Many
inspections include detailed options that let you control packets based on their contents. If you know a
protocol well, you can apply fine-grained control on that traffic.

You use service policies to configure application inspection. You can configure a global service policy,
or apply a service policy to each interface, or both.

Related Topics

Service Policy Using the Modular Policy Framework, page 11-1
Getting Started with Application Layer Protocol Inspection, page 12-1
Inspection of Basic Internet Protocols, page 13-1
Inspection for Voice and Video Protocols, page 14-1
Inspection of Database, Directory, and Management Protocols, page 15-1

Use Case: Expose a Server to the Public

You can make certain application services on a server available to the public. For example, you could
expose a web server, so that users can connect to the web pages but not make any other connections to
the server.

To expose a server to the public, you typically need to create access rules that allow the connection and
NAT rules to translate between the server's internal IP address and an external address that the public
can use. In addition, you can use port address translation (PAT) to map an internal port to an external
port, if you do not want the externally exposed service to use the same port as the internal server. For
example, if the internal web server is not running on TCP/80, you can map it to TCP/80 to make
connections easier for external users.

The following example makes a web server on the inside private network available for public access.
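
One way the access rule and the static NAT with port translation described in the use case fit together, as an added example that is not the guide's own configuration. The object name, ACL name, interface names and all addresses are constructed (RFC 1918 and RFC 5737 documentation ranges), and the syntax assumes ASA 8.3 or later.

```cisco
! Assumptions (constructed, not from the guide):
!   real server   10.1.2.27, web service listening on TCP/8080, behind "inside"
!   public address 203.0.113.10 on "outside", published on TCP/80

! Static NAT with port translation: real TCP/8080 is presented
! to the public as mapped TCP/80 (www).
object network WEB-SERVER
 host 10.1.2.27
 nat (inside,outside) static 203.0.113.10 service tcp 8080 www

! Access rule applied inbound on the outside interface.
! On ASA 8.3 and later, access rules match the real (untranslated)
! address and port, so the rule names the object and TCP/8080,
! not 203.0.113.10 and TCP/80.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 8080
access-group OUTSIDE-IN in interface outside

! Too broad for this use case: the rule below would allow every
! protocol and port to the server, not only the web service.
! Keep the rule scoped to the single real port and let the
! implicit deny at the end of the ACL drop everything else.
!   access-list OUTSIDE-IN extended permit ip any object WEB-SERVER

! Verification from privileged EXEC (198.51.100.25 is a constructed
! outside client; the destination is the mapped address and port):
!   show nat detail
!   show access-list OUTSIDE-IN
!   packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 80
```

The hit counters in `show access-list OUTSIDE-IN` and the NAT and access-list phases in the `packet-tracer` output confirm that only the published port reaches the server.
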
Cisco ASA Series Firewall CLI Configuration Guide