User Guide for Cisco Security Manager 4.4 (OL-28826-01)

CHAPTER 17
Managing Firewall Inspection Rules
Inspection rules configure protocol inspection on a device. Inspection opens temporary holes (pinholes) in your
access rules to allow return traffic, and any secondary data connections the protocol negotiates, for
connections initiated within your trusted network. When traffic is inspected, the device also applies
additional protocol-aware checks that drop malformed packets for the inspected protocols.
The device commands generated for inspection rules vary based on device type. For devices running
ASA, PIX 7.0+, and FWSM 3.x+, access-list, policy-map, and class-map commands are used. For older
FWSM and PIX 6.3 devices, fixup commands are used. For IOS devices, ip inspect commands are used.
The following topics will help you work with inspection rules:
• Understanding Inspection Rules, page 17-1
  – Choosing the Interfaces for Inspection Rules, page 17-2
  – Selecting Which Protocols To Inspect, page 17-3
  – Understanding Access Rule Requirements for Inspection Rules, page 17-4
  – Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4
• Configuring Inspection Rules, page 17-5
• Inspection Rules Page, page 17-7
• Configuring Protocols and Maps for Inspection, page 17-21
• Configuring Settings for Inspection Rules for IOS Devices, page 17-88
The following topics can help you with general rule table usage:
• Adding and Removing Rules, page 12-9
• Editing Rules, page 12-9
• Enabling and Disabling Rules, page 12-20
• Moving Rules and the Importance of Rule Order, page 12-19
Understanding Inspection Rules
Inspection rules configure Context-Based Access Control (CBAC) inspection commands. CBAC
inspects traffic that travels through the device to discover and manage state information for TCP and
UDP sessions. The device uses this state information to create temporary openings to allow return traffic
and additional data connections for permissible sessions.
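To make the per-platform command families described above concrete, here is the kind of device configuration that inspecting FTP and HTTP produces on each platform. This is an added illustration, not output copied from Security Manager; the class-map and policy-map names are the ASA platform defaults, while the inspect rule name INSPECT_OUT, the access-list name OUTSIDE_IN and the interface GigabitEthernet0/0 are assumed example names.

```cisco
! --- ASA / PIX 7.0+ / FWSM 3.x+: Modular Policy Framework ---
! A class-map selects the traffic, a policy-map attaches inspection
! engines to that class, and service-policy applies the policy (here
! globally, to every interface). inspection_default and global_policy
! are the platform's default object names.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
service-policy global_policy global

! --- PIX 6.3 / older FWSM: fixup commands ---
! One fixup per protocol and port; these releases have no
! class-map/policy-map objects.
fixup protocol ftp 21
fixup protocol http 80

! --- IOS: CBAC ip inspect commands ---
! The inspect rule (INSPECT_OUT is an assumed name) lists the protocols
! to track. Applying it "out" on the outside interface inspects sessions
! initiated from the trusted side and lets the return traffic back in
! through temporary openings in the interface's inbound ACL.
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT tcp
ip inspect name INSPECT_OUT udp
!
! The inbound ACL must deny the return traffic. If nothing blocks it,
! CBAC has no holes to open and inspection adds no access control.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
interface GigabitEthernet0/0
 description outside (untrusted) interface - assumed example
 ip access-group OUTSIDE_IN in
 ip inspect INSPECT_OUT out
```

The pairing of the IOS inspect rule with an explicit inbound deny is the practical consequence of the access rule requirement listed in this chapter's topics: on IOS the pinholes are only meaningful relative to an ACL that would otherwise drop the return traffic, whereas ASA, PIX 7.0+ and FWSM 3.x+ track connection state independently of the access-list entries.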