Filter
Top Products
CHAPTER
10-1
Cisco ASA Series Firewall CLI Configuration Guide
10
Configuring Inspection of Basic Internet
Protocols
This chapter describes how to configure application layer protocol inspection. Inspection engines are
required for services that embed IP addressing information in the user data packet or that open secondary
channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection
instead of passing the packet through the fast path. As a result, inspection engines can affect overall
throughput.
Several common inspection engines are enabled on the ASA by default, but you might need to enable
others depending on your network.
This chapter includes the following sections:
• DNS Inspection, page 10-1
• FTP Inspection, page 10-10
• HTTP Inspection, page 10-15
• ICMP Inspection, page 10-20
• ICMP Error Inspection, page 10-20
• Instant Messaging Inspection, page 10-20
• IP Options Inspection, page 10-23
• IPsec Pass Through Inspection, page 10-25
• IPv6 Inspection, page 10-26
• NetBIOS Inspection, page 10-30
• PPTP Inspection, page 10-32
• SMTP and Extended SMTP Inspection, page 10-32
• TFTP Inspection, page 10-35
DNS Inspection
This section describes DNS application inspection. This section includes the following topics:
• Information About DNS Inspection, page 10-2
• Default Settings for DNS Inspection, page 10-2
• (Optional) Configuring a DNS Inspection Policy Map and Class Map, page 10-3