CISCO ASA - Interview Questions
What Exactly Is Internet Protocol Inspection?
For many protocols, protocol inspection is used only as a security technique, because the protocol itself uses a single, commonly known port. Protocols that do not stay on common ports are more interesting to work with when configuring a firewall or Network Address Translation (NAT) device, because many of them embed dynamic port assignments within the user data portion of the traffic or open new secondary channels altogether. In these situations, for the protocol to work as expected, some amount of packet inspection is required so that the ASA can keep track of which ports are allowed through the firewall because they are attached to a primary data channel that is permitted.
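
The port tracking described above, shown for FTP as an added example (not from the original article and not Cisco's implementation). FTP is used here because it announces its data-channel address and port inside control-channel text; the `PinholeTable` class, the sample addresses, the absence of NAT and the rule refusing ports below 1024 are assumptions of this example.

```python
import re
# FTP announces its data-channel endpoint in control-channel text as h1,h2,h3,h4,p1,p2.
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or 227 reply, else None."""
    m = _ENDPOINT.search(line)
    if line.split(" ", 1)[0].upper() not in ("PORT", "227") or not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class PinholeTable:
    # Hypothetical model of an inspection engine's secondary-channel state.
    def __init__(self):
        self.pinholes = set()  # (allowed_src_ip, dst_ip, dst_port)

    def inspect(self, sender_ip, peer_ip, line):
        """Inspect one control-channel line sent by sender_ip to peer_ip."""
        endpoint = parse_endpoint(line)
        if endpoint is None:
            return "pass"
        ip, port = endpoint
        # A sender may announce only its own address; low ports are refused (assumed policy).
        if ip != sender_ip or port < 1024:
            return "drop"
        self.pinholes.add((peer_ip, ip, port))
        return "pinhole"

    def allow_once(self, src_ip, dst_ip, dst_port):
        """Permit a new connection only if it matches a pinhole, then consume it."""
        key = (src_ip, dst_ip, dst_port)
        allowed = key in self.pinholes
        self.pinholes.discard(key)
        return allowed

# Constructed sample control-channel lines: (sender, peer, line).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    (CLIENT, SERVER, "USER anonymous"),
    (CLIENT, SERVER, "PORT 192,0,2,10,195,80"),
    (SERVER, CLIENT, "227 Entering Passive Mode (198,51,100,5,234,96)"),
    (CLIENT, SERVER, "PORT 203,0,113,7,195,80"),  # names a third host
]

def run_sample():
    table = PinholeTable()
    return table, [table.inspect(s, p, line) for s, p, line in SAMPLE]
```

Only the two announced endpoints become temporary openings, each tied to the peer of the permitted control connection and usable once; the announcement naming a third host is dropped.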
 
Internet protocol inspection also enables the ASA administrator to control traffic based on a number of different parameters that exist within the Internet traffic, including the information contained within the data portion of the traffic. This article, because of its limited scope, cannot cover all the various possible combinations.