Cisco Systems ASA 5555-X Network Router User Manual


  Open as PDF
of 2086
 
46-2
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 46 Getting Started with Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection
Figure 46-1 How Inspection Engines Work
In Figure 46-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the ASA to establish a new connection.
2. The ASA checks the access list database to determine if the connection is permitted.
3. The ASA creates a new entry in the connection database (XLATE and CONN tables).
4. The ASA checks the Inspections database to determine if the connection requires application-level
inspection.
5. After the application inspection engine completes any required operations for the packet, the ASA
forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The ASA receives the reply packet, looks up the connection in the connection database, and
forwards the packet because it belongs to an established session.
The default configuration of the ASA includes a set of application inspection entries that associate
supported protocols with specific TCP or UDP port numbers and that identify any special handling
required.
When to Use Application Protocol Inspection
When a user establishes a connection, the ASA checks the packet against access lists, creates an address
translation, and creates an entry for the session in the fast path, so that further packets can bypass
time-consuming checks. However, the fast path relies on predictable port numbers and does not perform
address translations inside a packet.
Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to
negotiate dynamically assigned port numbers.
Other applications embed an IP address in the packet that needs to match the source address that is
normally translated when it goes through the ASA.
If you use applications like these, then you need to enable application inspection.
132875
1
7
6
5
2
3 4
Client
ACL
XLATE
CONN
Inspection
Server
ASA