turning off all inspection --- ASA 5540

For troubleshooting purposes, I'd like to make my ASA 5540 7.2 completely wide open, no inspection, no ACL, etc. Allowing everything via ACL is no problem. But I'm curious about turning off the default packet inspection. Am I right that a 'no service-policy global_policy global' is all I need?


class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect pptp
  inspect sip
  inspect tftp
!
service-policy global_policy global
Asked by: stielinc

batry_boy Commented:
Yep, if your intent is to disable all of the inspection services.
0
stielinc (Author) Commented:
Is there anything else I need to do to make the box wide open, essentially making it just a router?

Reason I ask is when I view the real time logging via the ASDM, even after removing the service policy, I see a lot of messages indicating builds and teardowns of various TCP, UDP and ICMP flows. To me this indicates the box is still doing some kind of 'inspection'. Is this just default behavior for an ASA and not something I'm going to turn off?
0
batry_boy Commented:
>>Is this just default behavior for an ASA and not something I'm going to turn off?

Yes, that is correct.  You're not going to be able to make the ASA behave like a true router because it isn't one.  There are just some things that cannot be disabled in the code.
0
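
Added example (not part of the original thread): the build and teardown entries discussed above are connection-table events, which the ASA logs under syslog IDs 302013 to 302016 (TCP/UDP) and 302020/302021 (ICMP). This Python script separates them from other messages and pairs each build with its teardown; the log lines are constructed samples and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/51000 (203.0.113.5/51000)
%ASA-6-302015: Built outbound UDP connection 1002 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.0.0.5/40000 (203.0.113.5/40000)
%ASA-6-302020: Built ICMP connection for faddr 192.0.2.1/0 gaddr 203.0.113.5/1 laddr 10.0.0.5/1
%ASA-6-302016: Teardown UDP connection 1002 for outside:192.0.2.53/53 to inside:10.0.0.5/40000 duration 0:00:01 bytes 120
%ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to inside:10.0.0.5/51000 duration 0:00:05 bytes 1500 TCP FINs
%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.1/0 gaddr 203.0.113.5/1 laddr 10.0.0.5/1
%ASA-5-111008: User 'enable_15' executed the 'no service-policy global_policy global' command.
"""

# Syslog IDs the ASA emits when its connection table creates or removes a flow.
CONN_EVENTS = {
    "302013": ("TCP", "built"), "302014": ("TCP", "teardown"),
    "302015": ("UDP", "built"), "302016": ("UDP", "teardown"),
    "302020": ("ICMP", "built"), "302021": ("ICMP", "teardown"),
}
MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
CONN_ID_RE = re.compile(r"connection (\d+) for")

def summarize(log_text):
    """Return (event counts, flows built but not torn down, other message IDs)."""
    counts, open_flows, other = Counter(), set(), []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.group(2), m.group(3)
        if msg_id not in CONN_EVENTS:
            other.append(msg_id)  # not a connection-table event
            continue
        proto, action = CONN_EVENTS[msg_id]
        counts[(proto, action)] += 1
        cid = CONN_ID_RE.search(body)
        # TCP/UDP carry a numeric connection ID; ICMP is keyed on its addresses.
        key = (proto, cid.group(1) if cid else body.split("for ", 1)[-1])
        if action == "built":
            open_flows.add(key)
        else:
            open_flows.discard(key)
    return counts, sorted(open_flows), other

if __name__ == "__main__":
    counts, still_open, other = summarize(SAMPLE_LOG)
    print(dict(counts), still_open, other)
```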