Cisco ASA Series Cli Configuration Manual page 1096

Software version 9.0 for the services module
Chapter 1 Getting Started with Application Layer Protocol Inspection
Information About Application Layer Protocol Inspection

Figure 1-1 How Inspection Engines Work
(Figure: a Client, the ASA, and a Server; the ASA holds the ACL, XLATE/CONN, and Inspection databases; the operations are numbered 1 through 7.)

In Figure 1-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the ASA to establish a new connection.
2. The ASA checks the access list database to determine if the connection is permitted.
3. The ASA creates a new entry in the connection database (XLATE and CONN tables).
4. The ASA checks the Inspections database to determine if the connection requires application-level inspection.
5. After the application inspection engine completes any required operations for the packet, the ASA forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The ASA receives the reply packet, looks up the connection in the connection database, and forwards the packet because it belongs to an established session.

The default configuration of the ASA includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required.

When to Use Application Protocol Inspection
When a user establishes a connection, the ASA checks the packet against access lists, creates an address translation, and creates an entry for the session in the fast path, so that further packets can bypass time-consuming checks. However, the fast path relies on predictable port numbers and does not perform address translations inside a packet.
Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers.
Other applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the ASA.
If you use applications like these, then you need to enable application inspection.

Cisco ASA Series CLI Configuration Guide
1-2
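The following Python model is an added illustration of the flow in Figure 1-1 and of the "When to Use" section; it is not Cisco code and not part of the manual. It walks a connection through the three databases (access list, XLATE/CONN, Inspections), lets reply packets match the connection table instead of the access list, and then shows what an inspection engine adds for a protocol like FTP that embeds the client's untranslated address in a PORT command and negotiates a secondary port: the engine rewrites the embedded address to the XLATE address and opens a pinhole, whereas the plain fast path would drop the server's data connection. All hosts, addresses, access-list entries and the NAT mapping are constructed for the example.

```python
"""Toy model of the packet flow in Figure 1-1 (ACL -> XLATE/CONN -> Inspections -> forward,
replies matched in the connection table) plus what an inspection engine adds for a protocol
such as FTP that embeds an address and negotiates a secondary port.  Added illustration,
not Cisco code; all hosts, addresses and rules below are constructed."""
from dataclasses import dataclass, field, replace
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class ASA:
    acl: list            # access-list database: permitted (src_network, dst_host, dport)
    inspections: dict    # inspections database: dport -> engine name (static, predefined)
    nat: dict            # inside address -> translated address
    xlate: dict = field(default_factory=dict)   # XLATE table: inside address -> translated
    conn: dict = field(default_factory=dict)    # CONN table: 5-tuple -> inspection engine
    pinholes: set = field(default_factory=set)  # (dst, dport) opened by an inspection engine
    log: list = field(default_factory=list)

    def _acl_permits(self, p: Packet) -> bool:
        if (p.dst, p.dport) in self.pinholes:    # secondary channel opened by inspection
            return True
        src = ipaddress.ip_address(p.src)
        return any(src in ipaddress.ip_network(net) and (p.dst, p.dport) == (dst, port)
                   for net, dst, port in self.acl)

    def _translate(self, p: Packet) -> Packet:
        # Header translation only: nothing inside the payload is touched here, which is
        # exactly the fast-path limitation that makes embedded addresses need an engine.
        if p.src in self.nat:
            self.xlate[p.src] = self.nat[p.src]
            return replace(p, src=self.nat[p.src])
        if p.dst in self.nat.values():               # reply addressed to a translated address
            inside = next(k for k, v in self.nat.items() if v == p.dst)
            return replace(p, dst=inside)
        return p

    def _inspect_ftp(self, p: Packet, inside_src: str) -> Packet:
        # FTP engine: parse a PORT command, rewrite the embedded (untranslated) address to the
        # XLATE address, and open a pinhole so the server's data connection is permitted.
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", p.payload)
        if not m or inside_src not in self.xlate:
            return p
        embedded = ".".join(g.decode() for g in m.groups()[:4])
        port = int(m.group(5)) * 256 + int(m.group(6))
        if embedded != inside_src:
            return p
        translated = self.xlate[inside_src]
        fixed = b"PORT %s,%d,%d\r\n" % (translated.replace(".", ",").encode(), port // 256, port % 256)
        self.pinholes.add((translated, port))
        self.log.append(f"ftp: PORT {embedded}:{port} -> {translated}:{port}, pinhole opened")
        return replace(p, payload=fixed)

    def process(self, p: Packet):
        """Return the packet as forwarded (after translation/inspection), or None if dropped."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conn:                                 # step 7: established session
            engine = self.conn[key]
            self.log.append(f"fast path {key}")
        else:                                                # steps 1-4: new connection
            if not self._acl_permits(p):                     # step 2: access-list database
                self.log.append(f"drop {key}: denied by ACL")
                return None
            engine = self.inspections.get(p.dport)           # step 4: inspections database
            self.conn[key] = engine                          # step 3: CONN table
        inside_src = p.src
        out = self._translate(p)                             # step 3: XLATE table
        # the reply arrives with the translated 5-tuple reversed; register it once
        self.conn.setdefault((out.dst, out.dport, out.src, out.sport), engine)
        if engine == "ftp":                                  # step 5: engine runs on every packet
            out = self._inspect_ftp(out, inside_src)
        return out                                           # step 6: forward to destination


def demo():
    asa = ASA(acl=[("10.0.0.0/24", "203.0.113.10", 21)],
              inspections={21: "ftp"}, nat={"10.0.0.5": "198.51.100.1"})
    # 1. SYN from the inside client to the FTP server: ACL, XLATE/CONN, inspection lookup
    syn = asa.process(Packet("10.0.0.5", 40000, "203.0.113.10", 21, syn=True))
    # 7. the server's reply is matched in CONN and un-translated without an ACL lookup
    reply = asa.process(Packet("203.0.113.10", 21, "198.51.100.1", 40000))
    # 5. PORT command on the established control channel: embedded address rewritten
    port_cmd = asa.process(Packet("10.0.0.5", 40000, "203.0.113.10", 21,
                                  payload=b"PORT 10,0,0,5,156,64\r\n"))
    # the server's secondary data connection is permitted only because of the pinhole
    data = asa.process(Packet("203.0.113.10", 20, "198.51.100.1", 40000, syn=True))
    # the same data connection on an ASA without the FTP engine is dropped by the ACL
    plain = ASA(acl=[("10.0.0.0/24", "203.0.113.10", 21)], inspections={},
                nat={"10.0.0.5": "198.51.100.1"})
    dropped = plain.process(Packet("203.0.113.10", 20, "198.51.100.1", 40000, syn=True))
    return syn, reply, port_cmd, data, dropped, asa.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model deliberately keeps the engine attached to the CONN entry rather than running it only on the SYN, because the PORT command that needs fixing is sent later on the established control channel. On a real ASA the per-protocol engines are enabled with `inspect` commands in the global service policy (the `inspection_default` class of `global_policy`), which this page does not show.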
