Inspect Policy Overview

Today, many services and applications run over the Internet. With corporations and small
businesses relying on the Internet more and more, it is crucial to restrict and control the
applications and services accessed through it. Many applications use static ports, which
makes inspection by classic firewalls quick and simple. More recent applications such as
FTP, multimedia, and SQL require dynamic port assignments, which can confuse classic
firewalls to the point of breaking these applications. Security administrators must decide
whether such an application may access the network at all, and if so, they have to open a
hole in the firewall wide enough for all of its dynamic port assignments to work. Any hole in
a security system, permanent or not, makes it vulnerable to attack and breach.
Cisco addresses this issue on the Security Appliance with the inspect command in policy
maps. As of version 7.0, the inspect command replaces the fixup command for all inspection
features.
The inspect command allows the firewall to inspect packets in both directions at Layers 3 to 7
on an interface, and it permits them to traverse the network by making dynamic, stateful
adjustments to the security policy. By default, protocol inspection is enabled in the global
policy map and inspects the following protocols:
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
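Because the default global policy is where application inspection is switched on, a practitioner auditing an appliance usually wants to know which of these defaults are still enabled and what has been added. The following script is an added example, not Cisco code and not part of the original document: it parses the policy-map / class / inspect hierarchy out of saved `show running-config` output, finds the policy map applied with `service-policy ... global`, and compares its inspections against the default list shown above. The sample configuration embedded in it is constructed for the example (FTP inspection removed, HTTP inspection added); the function names and the DEFAULT_INSPECTIONS set are this script's own assumptions.

```python
"""Audit an ASA running-config for protocol inspection (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional, Set

# Inspections the document lists as enabled by default in global_policy.
DEFAULT_INSPECTIONS: Set[str] = {
    "dns", "ftp", "h323 h225", "h323 ras", "netbios", "sunrpc", "rsh",
    "rtsp", "sip", "skinny", "esmtp", "sqlnet", "tftp", "xdmcp",
}

# Constructed sample config: FTP inspection removed, HTTP inspection added.
SAMPLE_CONFIG = """\
hostname asa-lab
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
  inspect http
service-policy global_policy global
"""


def parse_policy_maps(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy_map: {class_name: [inspection keys]}} from an ASA config.

    ASA prints the hierarchy with one leading space per level; the parser keys
    on the command words so pasted output with collapsed indentation still works.
    The key for an inspect line is the protocol name, with "h323 h225" and
    "h323 ras" kept as two-word keys because they are distinct inspections.
    """
    maps: Dict[str, Dict[str, List[str]]] = {}
    current_map: Optional[str] = None
    current_class: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] == "policy-map":
            if len(tokens) > 1 and tokens[1] == "type":
                # "policy-map type inspect ..." (later releases) is an inspection
                # parameter map, not a Layer 3/4 policy map: ignore it and its sub-lines.
                current_map = current_class = None
                continue
            current_map, current_class = tokens[1], None
            maps.setdefault(current_map, {})
        elif tokens[0] == "class" and current_map is not None:
            current_class = tokens[1]
            maps[current_map].setdefault(current_class, [])
        elif tokens[0] == "inspect" and current_map and current_class:
            key = tokens[1]
            if key == "h323" and len(tokens) > 2:
                key = f"h323 {tokens[2]}"
            maps[current_map][current_class].append(key)
        elif not raw.startswith(" "):
            # Any other top-level command ends the current policy-map block.
            current_map = current_class = None
    return maps


def global_policy_name(config: str) -> Optional[str]:
    """Name of the policy map applied with 'service-policy NAME global', if any."""
    m = re.search(r"^\s*service-policy\s+(\S+)\s+global\s*$", config, re.MULTILINE)
    return m.group(1) if m else None


def audit_inspections(config: str, expected: Set[str] = DEFAULT_INSPECTIONS) -> dict:
    """Compare inspections enabled by the global policy against the expected set.

    Reports the global policy-map name, every inspection it enables (across all
    its classes), the defaults that have been dropped, and the extras added.
    """
    name = global_policy_name(config)
    enabled: Set[str] = set()
    if name is not None:
        for inspections in parse_policy_maps(config).get(name, {}).values():
            enabled.update(inspections)
    return {
        "policy_map": name,
        "enabled": enabled,
        "missing_defaults": expected - enabled,
        "extra": enabled - expected,
    }


if __name__ == "__main__":
    report = audit_inspections(SAMPLE_CONFIG)
    print("global policy:", report["policy_map"])
    print("dropped default inspections:", sorted(report["missing_defaults"]))
    print("inspections added beyond defaults:", sorted(report["extra"]))
```

Run it against a saved `show running-config` by replacing SAMPLE_CONFIG with the file contents; a non-empty `missing_defaults` set flags an inspection someone has turned off, and `extra` shows inspections added beyond the 7.0 defaults. Inspections are collected across every class in the global policy map, so an inspection moved to a second class is still counted as enabled.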