By default, protocol inspection is enabled on the PIX Security Appliance. In the example in the figure, the PIX is configured by default to inspect the listed protocols on the specified TCP or UDP port numbers. For example, the PIX inspects HTTP traffic on TCP port 80 and FTP control traffic on TCP port 21. Modifying these port numbers, or adding inspection on additional port numbers, is covered later in the lesson.
Default Protocol Inspection Policy
By default, protocol inspection is enabled globally. The class map inspection_default identifies a class of traffic that matches the TCP/UDP port numbers delineated under the default-inspection-traffic parameter. The asa_global_fw_policy policy map specifies which protocol inspections are performed on the inspection_default class of traffic. Lastly, the asa_global_fw_policy service policy is applied globally, so the policy map takes effect on every interface. No intervention is required by the administrator to enable the default inspections on the PIX Security Appliance. The administrator can choose to modify the default class map, policy map, or service policy.
Delete Inspection for a Protocol
In the asa_global_fw_policy policy map there is a default list of protocols that are inspected by the PIX Security Appliance. The administrator may disable inspection of specific protocols by issuing the no form of the inspect command (no inspect protocol) under the inspection_default class. In the example in the figure, CTIQBE and CUSEEME protocol inspection are disabled.
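The following CLI transcript is an added example and is not taken from the lesson or the figure. It shows the shape of the default inspection configuration described in the two paragraphs above (class map, policy map, and global service policy), followed by the no-form commands that remove CTIQBE and CUSEEME inspection. The inspect statements listed are only those named on this page; the exact set of default inspections, and the hostname pixfirewall, are assumptions that depend on the software release and the device.

```text
! Default inspection configuration (representative; only the inspections
! named in this lesson are listed, the remaining defaults are omitted)
class-map inspection_default
 match default-inspection-traffic
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect ctiqbe
  inspect cuseeme
!
service-policy asa_global_fw_policy global

! Disabling two inspections: enter the policy map, then the class,
! then remove each inspect statement with its no form.
pixfirewall(config)# policy-map asa_global_fw_policy
pixfirewall(config-pmap)# class inspection_default
pixfirewall(config-pmap-c)# no inspect ctiqbe
pixfirewall(config-pmap-c)# no inspect cuseeme
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
! Confirm that the two statements are gone from the running configuration
pixfirewall(config)# show running-config policy-map
```

Because the service policy is already applied globally, removing an inspect statement from the policy map changes behaviour immediately on every interface; no change to the class map or service policy is needed.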
Add a Protocol Inspection Port Number
The administrator may also choose to enable protocol inspection on an additional destination port number, such as HTTP inspection on TCP port 8080. Adding protocol inspection to an additional port number is a two-step process. The first step is to identify traffic by a specific TCP/UDP destination port number with the class-map command, such as TCP port 8080. Next, in a policy map, the administrator associates an inspection policy with that class of traffic. In the example in the figure, HTTP inspection is applied to traffic with TCP destination port 8080. These commands enable the PIX Security Appliance to recognize that connections to port 8080 should be treated in the same manner as connections to HTTP port 80.
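The following CLI transcript is an added example, not the figure from the lesson, and carries the two-step procedure above through to verification. The class map name http_8080 and the hostname pixfirewall are chosen here for illustration; the policy map name asa_global_fw_policy is the default one the lesson describes.

```text
! Step 1: a class map that selects traffic by destination port.
! match port tcp eq 8080 catches every TCP connection to port 8080,
! not only HTTP, so anything else on that port will be subjected to
! HTTP protocol inspection as well.
pixfirewall(config)# class-map http_8080
pixfirewall(config-cmap)# match port tcp eq 8080
pixfirewall(config-cmap)# exit
!
! Step 2: bind HTTP inspection to that class inside the existing
! global policy map. The default inspection_default class is untouched.
pixfirewall(config)# policy-map asa_global_fw_policy
pixfirewall(config-pmap)# class http_8080
pixfirewall(config-pmap-c)# inspect http
pixfirewall(config-pmap-c)# exit
pixfirewall(config-pmap)# exit
!
! The service policy asa_global_fw_policy is already applied globally,
! so the new class is active on all interfaces without further commands.
! Verify that the class and its inspect statement appear, and that the
! packet counters rise when a connection to port 8080 is opened.
pixfirewall(config)# show service-policy
```

Two points worth checking after such a change: a connection is matched against the classes of a policy map in order and receives at most one application inspection, so port 8080 traffic must not also be caught by an earlier class carrying a different inspect statement; and because the match is on the port alone, a non-HTTP service that happens to listen on 8080 will have its sessions dropped or reset by HTTP inspection's protocol-conformance checks.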