Configure Advanced Protocol Inspection
Default traffic inspection and port numbers

By default, protocol inspection is enabled on the PIX Security Appliance. In the example shown in the figure, the PIX is configured by default to inspect the listed protocols on the specified TCP or UDP port numbers. For example, the PIX inspects HTTP traffic on TCP port 80, and it inspects FTP traffic on TCP port 20. Modifying port numbers or adding additional inspection port numbers is covered later in the lesson.

Default Protocol Inspection Policy
By default, protocol inspection is enabled globally. The class map inspection_default identifies a class of traffic matching the TCP/UDP port numbers delineated under the default-inspection-traffic parameter. The asa_global_fw_policy policy map associates which protocol inspections are performed on the inspection_default class of traffic. Lastly, the asa_global_fw_policy service policy is applied globally. No intervention is required by the administrator to enable the default inspections on the PIX Security Appliance. The administrator can choose to modify the default class map, policy map, or service policy.

Delete Inspection for a Protocol
In the asa_global_fw_policy policy map, there is a default list of protocols that are inspected by the PIX Security Appliance. The administrator may choose to disable inspection of specific protocols by issuing the no form of the inspect protocol command. In the figure, for example, CTIQBE and CUSEEME protocol inspection is disabled.

Add a Protocol Inspection Port Number
The administrator may also choose to enable protocol inspection on an additional destination port number, such as HTTP inspection on TCP port 8080. Adding protocol inspection to an additional port number is a two-step process. The first step is to identify traffic using a specific TCP/UDP destination port number in the class-map command, such as TCP port 8080. Next, in a policy map, the administrator associates a policy with that class of traffic. In the example in the figure, HTTP inspection is applied to traffic with TCP destination port 8080. These commands enable the PIX Security Appliance to recognize that connections to port 8080 should be treated in the same manner as connections to HTTP port 80.
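The following configuration is an added example, not a figure from the course; it puts both procedures from this lesson (removing CTIQBE and CUSEEME inspection from the default policy map, and adding HTTP inspection on TCP port 8080) together in one PIX/ASA Modular Policy Framework configuration. The class map and policy map names inspection_default and asa_global_fw_policy are the defaults named in the lesson; the class map name http_8080 is an assumed name chosen for this example.

```cisco
! Added example (not from the course material).
! Assumes the default MPF objects described in the lesson exist:
!   class-map inspection_default  (match default-inspection-traffic)
!   policy-map asa_global_fw_policy (applied with: service-policy ... global)

! --- Part 1: disable inspection of specific protocols ---
! The "no" form of the inspect command removes an inspection from the class.
policy-map asa_global_fw_policy
 class inspection_default
  no inspect ctiqbe
  no inspect cuseeme

! --- Part 2: add HTTP inspection on an additional destination port ---
! Step 1: identify traffic with TCP destination port 8080 (class name assumed).
class-map http_8080
 match port tcp eq 8080

! Step 2: associate HTTP inspection with that class in the global policy map.
policy-map asa_global_fw_policy
 class http_8080
  inspect http

! The default service policy is already applied globally; shown for completeness.
service-policy asa_global_fw_policy global

! Verification: confirm which classes carry HTTP inspection and watch the
! packet counters increase as traffic to port 8080 crosses the appliance.
show service-policy inspect http
```

Because inspection is only applied to traffic that matches a class, a connection to port 8080 that arrives before the http_8080 class is added is passed through the stateful engine without application-layer checks; the show service-policy output is the quickest way to confirm the new class is actually matching packets after the change.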