Educause Security Discussion mailing list archives

Re: Cisco ASA Firewall Inspect Commands


From: Kevin Halgren <kevin.halgren () WASHBURN EDU>
Date: Wed, 22 Jul 2009 10:56:49 -0500

We've had various problems with the inspect commands over the years.
The ASA has been better about this than the PIX.  We currently have
inspect enabled on the ASA for esmtp and dns with slightly modified
policy maps.  Contact me off-list and I'll be glad to provide you
details of the settings that have worked for us.

Kevin

--
Kevin Halgren
Assistant Director - Systems and Network Services
Washburn University
(785) 670-2341
kevin.halgren () washburn edu



Dennis Bohn wrote:
Hello,
We are upgrading our firewalls from PIX to ASA (8.2 code).  Has anyone left the default 'inspect' commands in place?  We are particularly
concerned around 'inspect esmtp' and 'inspect dns.'  The old fixup smtp did not work for us, we are wondering how the inspect
esmtp command works (or not).  Did anyone try it and lose email?

Though the HTTP inspect is not default, I am wondering if anyone has found it useful.  Are the regular expressions
being used to block certain URLs?

Also welcome hearing about any issues with the ASA 8.x code train.

TIA,
dennis


Dennis Bohn
network manager
5168773327
