Solved

turning off all inspection --- ASA 5540

Posted on 2008-06-17
3
2,170 Views
Last Modified: 2008-06-18
For troubleshooting purposes, I'd like to make my ASA 5540 7.2 completely wide open, no inspection, no ACL etc.  Allowing everything via ACL is no problem.    But i'm curious about turning off the default packet inspection.   Am I right that a 'no service-policy global_policy global' is all I need?


class-map inspection_default
 match default-inspection-traffic!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect pptp
  inspect sip
  inspect tftp
!
service-policy global_policy global
0
Comment
Question by:stielinc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 21809772
Yep, if your intent is to disable all of the inspection services.
0
 

Author Comment

by:stielinc
ID: 21809869
is there anything else I need to do to make the box wide open, essentially makiing it just a router?

Reason I ask is when I view the real time logging via the ASDM, even after removing the service policy, I see alot of messages indicating builds and teardowns of various TCP UDP and ICMP flows.  To me this indicates the box is still doing some kind of 'inspection'.  Is this just defaut behavior for an ASA and not something I'm going to turn off?
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 50 total points
ID: 21809885
>>Is this just defaut behavior for an ASA and not something I'm going to turn off?

Yes, that is correct.  You're not going to be able to make the ASA behave like a true router because it isn't one.  There are just some things that cannot be disabled in the code.
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question