EasyManuals Logo

Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco 5510 - ASA SSL / IPsec VPN Edition
1822 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #780 background imageLoading...
Page #780 background image
36-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 36 Getting Started With Application Layer Protocol Inspection
Information about Application Layer Protocol Inspection
Figure 36-1 How Inspection Engines Work
In Figure 36-1, operations are numbered in the order they occur, and are described as follows:
1. A TCP SYN packet arrives at the adaptive security appliance to establish a new connection.
2. The adaptive security appliance checks the access list database to determine if the connection is
permitted.
3. The adaptive security appliance creates a new entry in the connection database (XLATE and CONN
tables).
4. The adaptive security appliance checks the Inspections database to determine if the connection
requires application-level inspection.
5. After the application inspection engine completes any required operations for the packet, the
adaptive security appliance forwards the packet to the destination system.
6. The destination system responds to the initial request.
7. The adaptive security appliance receives the reply packet, looks up the connection in the connection
database, and forwards the packet because it belongs to an established session.
The default configuration of the adaptive security appliance includes a set of application inspection
entries that associate supported protocols with specific TCP or UDP port numbers and that identify any
special handling required.
When to Use Application Protocol Inspection
When a user establishes a connection, the adaptive security appliance checks the packet against access
lists, creates an address translation, and creates an entry for the session in the fast path, so that further
packets can bypass time-consuming checks. However, the fast path relies on predictable port numbers
and does not perform address translations inside a packet.
Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to
negotiate dynamically assigned port numbers.
Other applications embed an IP address in the packet that needs to match the source address that is
normally translated when it goes through the adaptive security appliance.
132875
1
7
6
5
2
3 4
Client
ACL
XLATE
CONN
Inspection
Server
ASA

Table of Contents

Other manuals for Cisco 5510 - ASA SSL / IPsec VPN Edition

Preview: Cli Configuration Guide
Cli Configuration Guide2164 pages
Preview: Hardware Installation Guide
Hardware Installation Guide82 pages
Preview: Getting Started Guide
Getting Started Guide208 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco 5510 - ASA SSL / IPsec VPN Edition and is the answer not in the manual?

Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General IconGeneral
BrandCisco
Model5510 - ASA SSL / IPsec VPN Edition
CategoryFirewall
LanguageEnglish

Related product manuals