Detailed Steps
Step 1 To identify the traffic to which you want to apply inspections, add either a Layer 3/4 class map for through traffic or a Layer 3/4 class map for management traffic. See the “Creating a Layer 3/4 Class Map for Through Traffic” section and “Creating a Layer 3/4 Class Map for Management Traffic” section for detailed information. The management Layer 3/4 class map can be used only with the RADIUS accounting inspection.
The default Layer 3/4 class map for through traffic is called “inspection_default.” It matches traffic using a special match command, match default-inspection-traffic, to match the default ports for each application protocol. This traffic class (along with match any, which is not typically used for inspection) matches both IPv4 and IPv6 traffic for inspections that support IPv6. See the “Guidelines and Limitations” section for a list of IPv6-enabled inspections.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.
Tip We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted.
If you want to match non-standard ports, then create a new class map for the non-standard ports. See the “Default Settings” section for the standard ports for each inspection engine. You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add another class that matches SNMP.
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands:
hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
View the entire class map using the following command:
hostname(config-cmap)# show running-config class-map inspection_default
class-map inspection_default
match default-inspection-traffic
match access-list inspect
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. See the following sections to configure an inspection policy map for your application:
Step 3 To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the following command:
hostname(config)# policy-map name
The default policy map is called “global_policy.” This policy map includes the default inspections listed in the “Default Settings” section. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.
Step 4 To identify the class map from Step 1 to which you want to assign an action, enter the following command:
hostname(config-pmap)# class class_map_name
If you are editing the default policy map, it includes the inspection_default class map. You can edit the actions for this class by entering inspection_default as the name. To add an additional class map to this policy map, identify a different name. You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class map. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add another class that matches SNMP.
Step 5 Enable application inspection by entering the following command:
hostname(config-pmap-c)# inspect protocol
The protocol is one of the following values:
Table 39-2 Protocol Keywords
Keyword | Notes
ctiqbe | —
dcerpc [ map_name ] | If you added a DCERPC inspection policy map according to the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
dns [ map_name ] [ dynamic-filter-snoop ] | If you added a DNS inspection policy map according to the “(Optional) Configuring a DNS Inspection Policy Map and Class Map” section, identify the map name in this command. The default DNS inspection policy map name is “preset_dns_map.” The default inspection policy map sets the maximum DNS packet length to 512 bytes. To enable DNS snooping for the Botnet Traffic Filter, enter the dynamic-filter-snoop keyword. See the “Enabling DNS Snooping” section for more information.
esmtp [ map_name ] | If you added an ESMTP inspection policy map according to the “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
ftp [ strict [ map_name ]] | Use the strict keyword to increase the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. See the “Using the strict Option” section for more information. If you added an FTP inspection policy map according to the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
gtp [ map_name ] | If you added a GTP inspection policy map according to the “Configuring a GTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
h323 h225 [ map_name ] | If you added an H.323 inspection policy map according to the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
h323 ras [ map_name ] | If you added an H.323 inspection policy map according to the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
http [ map_name ] | If you added an HTTP inspection policy map according to the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
icmp | —
icmp error | —
ils | —
im [ map_name ] | If you added an Instant Messaging inspection policy map according to the “Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
ip-options [ map_name ] | If you added an IP Options inspection policy map according to the “Configuring an IP Options Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
ipsec-pass-thru [ map_name ] | If you added an IPsec Pass Through inspection policy map according to the “IPsec Pass Through Inspection” section, identify the map name in this command.
ipv6 [ map_name ] | If you added an IPv6 inspection policy map according to the “(Optional) Configuring an IPv6 Inspection Policy Map” section, identify the map name in this command.
mgcp [ map_name ] | If you added an MGCP inspection policy map according to the “Configuring an MGCP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
netbios [ map_name ] | If you added a NetBIOS inspection policy map according to the “Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
pptp | —
radius-accounting [ map_name ] | The radius-accounting keyword is only available for a management class map. See the “Creating a Layer 3/4 Class Map for Management Traffic” section for more information about creating a management class map. If you added a RADIUS accounting inspection policy map according to the “Configuring a RADIUS Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
rsh | —
rtsp [ map_name ] | If you added an RTSP inspection policy map according to the “Configuring an RTSP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
sip [ map_name ] | If you added a SIP inspection policy map according to the “Configuring a SIP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
skinny [ map_name ] | If you added a Skinny inspection policy map according to the “Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
snmp [ map_name ] | If you added an SNMP inspection policy map according to the “Configuring an SNMP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command.
sqlnet | —
sunrpc | The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, add the class to the policy, and then apply the inspect sunrpc command to that class.
tftp | —
waas | —
xdmcp | —
Step 6 To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface. By default, the default policy map, “global_policy,” is applied globally. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
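Two rules in this procedure are easy to get wrong when a policy map grows over time: only the first matching class that carries an inspect command is applied (Steps 1 and 4), and inspect radius-accounting is valid only on a management class map (Table 39-2). The following Python script is an added example, not part of the Cisco guide or of ASA software: it parses running-config text of the shape shown in this procedure (class-map, policy-map, class, inspect lines, as printed by show running-config) and reports where a later class's inspection is shadowed by an earlier class and where radius-accounting sits on a through-traffic class. The embedded configuration is constructed for the example; the class names snmp_again, radius_wrong and radius_mgmt and the UDP port numbers in it are assumptions made for illustration, and the parser itself is a simplification that only understands the commands named above.

```python
"""Added example (not from the Cisco guide): parse ASA running-config text and
check two rules stated in this procedure: only the first matching class with an
inspect command is applied, and inspect radius-accounting is valid only on a
management class map. The configuration below is constructed for this example."""
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
class-map inspection_default
 match default-inspection-traffic
class-map new_inspection
 match access-list ftp_inspect
class-map snmp_again
 match port udp eq 161
class-map radius_wrong
 match port udp eq 1813
class-map type management radius_mgmt
 match port udp eq 1813
policy-map global_policy
 class inspection_default
  inspect ftp strict
  inspect snmp
  inspect dns preset_dns_map
  inspect h323 h225
 class new_inspection
  inspect ftp strict
 class snmp_again
  inspect snmp
 class radius_wrong
  inspect radius-accounting
service-policy global_policy global
"""
TWO_WORD = {("h323", "h225"), ("h323", "ras"), ("icmp", "error")}  # two-word keywords

@dataclass
class PolicyClass:
    name: str
    inspects: list = field(default_factory=list)  # protocol keywords, in order

def parse_class_map_types(config):
    """Layer 3/4 class-map name -> 'through' or 'management' (Layer 7 maps skipped)."""
    types = {}
    for line in config.splitlines():
        words = line.split()
        if len(words) < 2 or line[0].isspace() or words[0] != "class-map":
            continue
        if words[1] != "type":
            types[words[1]] = "through"
        elif len(words) >= 4 and words[2] == "management":
            types[words[3]] = "management"
    return types

def parse_policy_maps(config):
    """{policy-map name: [PolicyClass, ...]} with classes in configured order."""
    policies, policy, cls = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # a top-level command ends the current block
            policy = cls = None
            if words[0] == "policy-map" and len(words) >= 2 and words[1] != "type":
                policy, policies[words[1]] = words[1], []
        elif policy is not None and words[0] == "class" and len(words) >= 2:
            cls = PolicyClass(words[1])
            policies[policy].append(cls)
        elif cls is not None and words[0] == "inspect" and len(words) >= 2:
            two = len(words) >= 3 and (words[1], words[2]) in TWO_WORD
            cls.inspects.append(" ".join(words[1:3] if two else words[1:2]))
    return policies

def shadowed_inspections(classes):
    """(class, protocol, earlier class) triples: the earlier class already inspects
    the protocol, so traffic matching both classes is handled only by the earlier one."""
    first_seen, findings = {}, []
    for pc in classes:
        for proto in pc.inspects:
            if proto in first_seen:
                findings.append((pc.name, proto, first_seen[proto]))
            else:
                first_seen[proto] = pc.name
    return findings

def misplaced_radius_accounting(classes, class_types):
    """Classes using inspect radius-accounting that are not management class maps."""
    return [pc.name for pc in classes if "radius-accounting" in pc.inspects
            and class_types.get(pc.name) != "management"]

def audit(config):
    """Human-readable findings for one running-config."""
    findings, class_types = [], parse_class_map_types(config)
    for pname, classes in parse_policy_maps(config).items():
        for cls_name, proto, earlier in shadowed_inspections(classes):
            findings.append(f"{pname}/{cls_name}: 'inspect {proto}' only sees traffic "
                            f"that earlier class {earlier} does not match")
        for cls_name in misplaced_radius_accounting(classes, class_types):
            findings.append(f"{pname}/{cls_name}: radius-accounting needs a management class map")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

On the sample, the ftp finding for new_inspection is informational: port 21 traffic is already handled by inspection_default, so that class only ever inspects the non-standard port 1056, which is the intended outcome of the Step 1 example. The snmp finding for snmp_again is the mistake the procedure warns against, since all of that class's traffic is also matched by the default class and the second inspect snmp is never used.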