Cisco ASA 1000V ASDM Configuration Guide, 6.7
Configuring Inspection of Basic Internet Protocols
Downloads: This chapterpdf (PDF - 467.0KB) The complete bookPDF (PDF - 11.09MB) | Feedback

Configuring Inspection of Basic Internet Protocols

Table Of Contents

Configuring Inspection of Basic Internet Protocols

DNS Inspection

How DNS Application Inspection Works

How DNS Rewrite Works

Configuring DNS Rewrite

Select DNS Inspect Map

DNS Class Map

Add/Edit DNS Traffic Class Map

Add/Edit DNS Match Criterion

DNS Inspect Map

Add/Edit DNS Policy Map (Security Level)

Add/Edit DNS Policy Map (Details)

FTP Inspection

FTP Inspection Overview

Using Strict FTP

Select FTP Map

FTP Class Map

Add/Edit FTP Traffic Class Map

Add/Edit FTP Match Criterion

FTP Inspect Map

File Type Filtering

Add/Edit FTP Policy Map (Security Level)

Add/Edit FTP Policy Map (Details)

Add/Edit FTP Map

Verifying and Monitoring FTP Inspection

HTTP Inspection

ICMP Inspection

ICMP Error Inspection

Instant Messaging Inspection

IM Inspection Overview

Adding a Class Map for IM Inspection

Select IM Map  

IP Options Inspection

IP Options Inspection Overview

Configuring IP Options Inspection

Select IP Options Inspect Map

IP Options Inspect Map

Add/Edit IP Options Inspect Map

IPsec Pass Through Inspection

IPsec Pass Through Inspection Overview

Select IPsec-Pass-Thru Map

IPsec Pass Through Inspect Map

Add/Edit IPsec Pass Thru Policy Map (Security Level)

Add/Edit IPsec Pass Thru Policy Map (Details)

NetBIOS Inspection

NetBIOS Inspection Overview

Select NETBIOS Map

NetBIOS Inspect Map

Add/Edit NetBIOS Policy Map

PPTP Inspection

SMTP and Extended SMTP Inspection

SMTP and ESMTP Inspection Overview

Select ESMTP Map

ESMTP Inspect Map

MIME File Type Filtering

Add/Edit ESMTP Policy Map (Security Level)

Add/Edit ESMTP Policy Map (Details)

Add/Edit ESMTP Inspect

TFTP Inspection


Configuring Inspection of Basic Internet Protocols


This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA 1000V to do packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

Several common inspection engines are enabled on the ASA 1000V by default, but you might need to enable others depending on your network.

This chapter includes the following sections:

DNS Inspection

FTP Inspection

HTTP Inspection

ICMP Inspection

ICMP Error Inspection

Instant Messaging Inspection

IP Options Inspection

IPsec Pass Through Inspection

NetBIOS Inspection

PPTP Inspection

SMTP and Extended SMTP Inspection

TFTP Inspection

DNS Inspection

This section describes DNS application inspection. This section includes the following topics:

How DNS Application Inspection Works

How DNS Rewrite Works

Configuring DNS Rewrite

Select DNS Inspect Map

DNS Class Map

Add/Edit DNS Traffic Class Map

Add/Edit DNS Match Criterion

DNS Inspect Map

Add/Edit DNS Policy Map (Security Level)

Add/Edit DNS Policy Map (Details)

How DNS Application Inspection Works

The ASA 1000V tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA 1000V. The ASA 1000V also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

When DNS inspection is enabled, which is the default, the ASA 1000V performs the following additional tasks:

Translates the DNS record based on the configuration completed using the alias, static and nat commands (DNS Rewrite). Translation only applies to the A-record in the DNS reply; therefore, DNS Rewrite does not affect reverse lookups, which request the PTR record.


Note DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record and the PAT rule to use is ambiguous.


Enforces the maximum DNS message length (the default is 512 bytes and the maximum length is 65535 bytes). The ASA 1000V performs reassembly as needed to verify that the packet length is less than the maximum length configured. The ASA 1000V drops the packet if it exceeds the maximum length.


Note If you enter the inspect dns command without the maximum-length option, DNS packet size is not checked.


Enforces a domain-name length of 255 bytes and a label length of 63 bytes.

Verifies the integrity of the domain-name referred to by the pointer if compression pointers are encountered in the DNS message.

Checks to see if a compression pointer loop exists.

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the ASA 1000V within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.

How DNS Rewrite Works

When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages originating from any interface.

If a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the A-record is not translated.

As long as DNS inspection remains enabled, you can configure DNS rewrite using a NAT rule.

DNS Rewrite performs two functions:

Translating a public address (the routable or "mapped" address) in a DNS reply to a private address (the "real" address) when the DNS client is on a private interface.

Translating a private address to a public address when the DNS client is on the public interface.

In Figure 23-1, the DNS server resides on the external (ISP) network The real address of the server (192.168.100.1) has been mapped using the static command to the ISP-assigned address (209.165.200.5). When a web client on the security profile interface attempts to access the web server with the URL http://server.example.com, the host running the web client sends a DNS request to the DNS server to resolve the IP address of the web server. The ASA 1000V translates the non-routable source address in the IP header and forwards the request to the ISP network on its outside interface. When the DNS reply is returned, the ASA 1000V applies address translation not only to the destination address, but also to the embedded IP address of the web server, which is contained in the A-record in the DNS reply. As a result, the web client on the inside network gets the correct address for connecting to the web server on the inside network.

Figure 23-1 Translating the Address in a DNS Reply (DNS Rewrite)

DNS rewrite also works if the client making the DNS request is on a DMZ network and the DNS server is on a security profile interface.

Configuring DNS Rewrite

You configure DNS rewrite using the NAT configuration.

 
   

Figure 23-2 provides a more complex scenario to illustrate how DNS inspection allows NAT to operate transparently with a DNS server with minimal configuration.

Figure 23-2 DNS Rewrite with Three NAT Zones

In Figure 23-2, a web server, server.example.com, has the real address 192.168.100.10 on the DMZ interface of the ASA 1000V. A web client with the IP address 10.10.10.25 is on the security profile interface and a public DNS server is on the outside interface. The site NAT policies are as follows:

The outside DNS server holds the authoritative address record for server.example.com.

Hosts on the outside network can contact the web server with the domain name server.example.com through the outside DNS server or with the IP address 209.165.200.5.

Clients on the inside network can access the web server with the domain name server.example.com through the outside DNS server or with the IP address 192.168.100.10.

When a host or client on any interface accesses the DMZ web server, it queries the public DNS server for the A-record of server.example.com. The DNS server returns the A-record showing that server.example.com binds to address 209.165.200.5.

When a web client on the outside network attempts to access http://server.example.com, the sequence of events is as follows:

1. The host running the web client sends the DNS server a request for the IP address of server.example.com.

2. The DNS server responds with the IP address 209.165.200.225 in the reply.

3. The web client sends its HTTP request to 209.165.200.225.

4. The packet from the outside host reaches the ASA 1000V at the outside interface.

5. The static rule translates the address 209.165.200.225 to 192.168.100.10 and the ASA 1000V directs the packet to the web server on the DMZ.

When a web client on the inside network attempts to access http://server.example.com, the sequence of events is as follows:

1. The host running the web client sends the DNS server a request for the IP address of server.example.com.

2. The DNS server responds with the IP address 209.165.200.225 in the reply.

3. The ASA 1000V receives the DNS reply and submits it to the DNS application inspection engine.

4. The DNS application inspection engine does the following:

a. Searches for any NAT rule to undo the translation of the embedded A-record address "[outside]:209.165.200.5". In this example, it finds the following static configuration:

object network obj-192.168.100.10-01
  host 192.168.100.10
  nat (dmz,outside) static 209.165.200.5 dns
 
   

b. Uses the static rule to rewrite the A-record as follows because the dns option is included:

[outside]:209.165.200.225 --> [dmz]:192.168.100.10
 
   

Note If the dns option were not included with the nat command, DNS Rewrite would not be performed and other processing for the packet continues.


c. Searches for any NAT to translate the web server address, [dmz]:192.168.100.10, when communicating with the inside web client.

No NAT rule is applicable, so application inspection completes.

If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns option were not specified, the A-record rewrite in step b would be reverted and other processing for the packet continues.

5. The ASA 1000V sends the HTTP request to server.example.com on the DMZ interface.

Select DNS Inspect Map

The Select DNS Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select DNS Inspect Map

The Select DNS Map dialog box lets you select or create a new DNS map. A DNS map lets you change the configuration values used for DNS application inspection. The Select DNS Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default DNS inspection map—Specifies to use the default DNS map.

Select a DNS map for fine control over inspectionLets you select a defined application inspection map or add a new one.

Enable Botnet traffic filter DNS snooping— Enables Botnet Traffic Filter snooping, which compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address. We suggest that you enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the ASA 1000V. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface.

Add—Opens the Add Policy Map dialog box for the inspection.

DNS Class Map

The DNS Class Map dialog box is accessible as follows:

Configuration > Global Objects > Class Maps > DNS

The DNS Class Map pane lets you configure DNS class maps for DNS inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the DNS class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the DNS class map.

Value—Shows the value to match in the DNS class map.

Description—Shows the description of the class map.

Add—Adds match conditions for the DNS class map.

Edit—Edits match conditions for the DNS class map.

Delete—Deletes match conditions for the DNS class map.

Add/Edit DNS Traffic Class Map

The Add/Edit DNS Traffic Class Map dialog box is accessible as follows:

Configuration > Global Objects > Class Maps > DNS > Add/Edit DNS Traffic Class Map

The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.

Fields

Name—Enter the name of the DNS class map, up to 40 characters in length.

Description—Enter the description of the DNS class map.

Add—Adds a DNS class map.

Edit—Edits a DNS class map.

Delete—Deletes a DNS class map.

Add/Edit DNS Match Criterion

The Add/Edit DNS Match Criterion dialog box is accessible as follows:

Configuration > Global Objects > Class Maps > DNS > Add/Edit DNS Traffic Class Map > Add/Edit DNS Match Criterion

The Add/Edit DNS Match Criterion dialog box lets you define the match criterion and value for the DNS class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of DNS traffic to match.

Header Flag—Match a DNS flag in the header.

Type—Match a DNS query or resource record type.

Class—Match a DNS query or resource record class.

Question—Match a DNS question.

Resource Record—Match a DNS resource record.

Domain Name—Match a domain name from a DNS query or resource record.

Header Flag Criterion Values—Specifies the value details for the DNS header flag match.

Match Option—Specifies either an exact match or match all bits (bit mask match).

Match Value—Specifies to match either the header flag name or the header flag value.

Header Flag Name—Lets you select one or more header flag names to match, including AA (authoritative answer), QR (query), RA (recursion available), RD (recursion denied), TC (truncation) flag bits.

Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.

Type Criterion Values—Specifies the value details for the DNS type match.

DNS Type Field Name—Lists the DNS types to select.

A—IPv4 address

NS—Authoritative name server

CNAME—Canonical name

SOA—Start of a zone of authority

TSIG—Transaction signature

IXFR—Incremental (zone) transfer

AXFR—Full (zone) transfer

DNS Type Field Value—Specifies to match either a DNS type field value or a DNS type field range.

Value—Lets you enter an arbitrary value between 0 and 65535 to match.

Range—Lets you enter a range match. Both values between 0 and 65535.

Class Criterion Values—Specifies the value details for the DNS class match.

DNS Class Field Name—Specifies to match on internet, the DNS class field name.

DNS Class Field Value—Specifies to match either a DNS class field value or a DNS class field range.

Value—Lets you enter an arbitrary value between 0 and 65535 to match.

Range—Lets you enter a range match. Both values between 0 and 65535.

Question Criterion Values—Specifies to match on the DNS question section.

Resource Record Criterion Values—Specifies to match on the DNS resource record section.

Resource Record— Lists the sections to match.

Additional—DNS additional resource record

Answer—DNS answer resource record

Authority—DNS authority resource record

Domain Name Criterion Values—Specifies to match on the DNS domain name.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

DNS Inspect Map

The DNS Inspect Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > DNS

The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets you change the default configuration values used for DNS application inspection.

DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User configurable rules allow certain DNS types to be allowed, dropped, and/or logged, while others are blocked. Zone transfer can be restricted between servers with this function, for example.

The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS randomization can be enabled avoid spoofing and cache poisoning of servers that either do not support randomization, or utilize a weak pseudo random number generator. Limiting the domain names that can be queried also restricts the domain names which can be queried, which protects the public server further.

A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable check to enforce a Transaction Signature be attached to all DNS messages is also supported.

Fields

DNS Inspect Maps—Table that lists the defined DNS inspect maps.

Add—Configures a new DNS inspect map. To edit a DNS inspect map, choose the DNS entry in the DNS Inspect Maps table and click Customize.

Delete—Deletes the inspect map selected in the DNS Inspect Maps table.

Security Level—Select the security level (high, medium, or low).

Low—Default.

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: disabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: disabled

TSIG resource record: not enforced

Medium

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: not enforced

High

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: enforced

Customize—Opens the Add/Edit DNS Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

Add/Edit DNS Policy Map (Security Level)

The Add/Edit DNS Policy Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > DNS > DNS Inspect Map > Basic View

The Add/Edit DNS Policy Map pane lets you configure the security level and additional settings for DNS application inspection maps.

Fields

Name—When adding a DNS map, enter the name of the DNS map. When editing a DNS map, the name of the previously configured DNS map is shown.

Description—Enter the description of the DNS map, up to 200 characters in length.

Security Level—Select the security level (high, medium, or low).

Low—Default.

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: disabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: disabled

TSIG resource record: not enforced

Medium

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: not enforced

High

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: enforced

Default Level—Sets the security level back to the default level of Low.

Details—Shows the Protocol Conformance, Filtering, Mismatch Rate, and Inspection tabs to configure additional settings.

Add/Edit DNS Policy Map (Details)

The Add/Edit DNS Policy Map pane lets you configure the security level and additional settings for DNS application inspection maps

Fields

Name—When adding a DNS map, enter the name of the DNS map. When editing a DNS map, the name of the previously configured DNS map is shown.

Description—Enter the description of the DNS map, up to 200 characters in length.

Security Level—Shows the security level to configure.

Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.

Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the ASA 1000V.

Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.

Enable protocol enforcement—Enables DNS message format check, including domain name, label length, compression, and looped pointer check.

Randomize the DNS identifier for DNS query— Randomizes the DNS identifier in the DNS query message.

Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:

Drop packet—Drops the packet (logging can be either enabled or disabled).

Log—Enables logging.

Filtering—Tab that lets you configure the filtering settings for DNS.

Global Settings—Applies settings globally.

Drop packets that exceed specified maximum length (global)—Drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Server Settings—Applies settings on the server only.

Drop packets that exceed specified maximum length——Drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Drop packets sent to server that exceed length indicated by the RR—Drops packets sent to the server that exceed the length indicated by the Resource Record.

Client Settings—Applies settings on the client only.

Drop packets that exceed specified maximum length——Drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Drop packets sent to client that exceed length indicated by the RR—Drops packets sent to the client that exceed the length indicated by the Resource Record.

Mismatch Rate—Tab that lets you configure the ID mismatch rate for DNS.

Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.

Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.

Time Interval—Enter the time period to monitor (in seconds).

Inspections—Tab that shows you the DNS inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the DNS inspection.

Value—Shows the value to match in the DNS inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add DNS Inspect dialog box to add a DNS inspection.

Edit—Opens the Edit DNS Inspect dialog box to edit a DNS inspection.

Delete—Deletes a DNS inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

FTP Inspection

This section describes the FTP inspection engine. This section includes the following topics:

FTP Inspection Overview

Using Strict FTP

Select FTP Map

FTP Class Map

Add/Edit FTP Traffic Class Map

Add/Edit FTP Match Criterion

FTP Inspect Map

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four tasks:

Prepares dynamic secondary data connection

Tracks the FTP command-response sequence

Generates an audit trail

Translates the embedded IP address

FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.


Note If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.


Using Strict FTP

Using strict FTP increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. To enable strict FTP, click the Configure button next to FTP on the Configuration > Firewall > Service Policy Rules > Edit Service Policy Rule > Rule Actions > Protocol Inspection tab.

After you enable the strict option on an interface, FTP inspection enforces the following behavior:

An FTP command must be acknowledged before the ASA 1000V allows a new command.

The ASA 1000V drops connections that send embedded commands.

The 227 and PORT commands are checked to ensure they do not appear in an error string.


Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.

If the strict option is enabled, each FTP command and response sequence is tracked for the following anomalous activity:

Truncated command—Number of commas in the PORT and PASV reply command is checked to see if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP connection is closed.

Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.

Size of RETR and STOR commands—These are checked against a fixed constant. If the size is greater, then an error message is logged and the connection is closed.

Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server.

Reply spoofing—PASV reply command (227) should always be sent from the server. The TCP connection is denied if a PASV reply command is sent from the client. This prevents the security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."

TCP stream editing—The ASA 1000V closes the connection if it detects TCP stream editing.

Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the negotiated port falls in this range, then the TCP connection is freed.

Command pipelining—The number of characters present after the port numbers in the PORT and PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP connection is closed.

The ASA 1000V replaces the FTP server response to the SYST command with a series of Xs. to prevent the server from revealing its system type to FTP clients. To override this default behavior, use the no mask-syst-reply command in the FTP map.

Select FTP Map

The Select FTP Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select FTP Map

The Select FTP Map dialog box lets you enable strict FTP application inspection, select an FTP map, or create a new FTP map. An FTP map lets you change the configuration values used for FTP application inspection.The Select FTP Map table provides a list of previously configured maps that you can select for application inspection.

Fields

FTP Strict (prevent web browsers from sending embedded commands in FTP requests)Enables strict FTP application inspection, which causes the ASA 1000V to drop the connection when an embedded command is included in an FTP request.

Use the default FTP inspection map—Specifies to use the default FTP map.

Select an FTP map for fine control over inspectionLets you select a defined application inspection map or add a new one.

Add—Opens the Add Policy Map dialog box for the inspection.

FTP Class Map

The FTP Class Map dialog box is accessible as follows:

Configuration > Global Objects > Class Maps > FTP

The FTP Class Map pane lets you configure FTP class maps for FTP inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the FTP class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the FTP class map.

Value—Shows the value to match in the FTP class map.

Description—Shows the description of the class map.

Add—Adds an FTP class map.

Edit—Edits an FTP class map.

Delete—Deletes an FTP class map.

Add/Edit FTP Traffic Class Map

The Add/Edit FTP Traffic Class Map dialog box is accessible as follows:

Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map

The Add/Edit FTP Traffic Class Map dialog box lets you define a FTP class map.

Fields

Name—Enter the name of the FTP class map, up to 40 characters in length.

Description—Enter the description of the FTP class map.

Add—Adds an FTP class map.

Edit—Edits an FTP class map.

Delete—Deletes an FTP class map.

Add/Edit FTP Match Criterion

The Add/Edit FTP Match Criterion dialog box is accessible as follows:

Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > Add/Edit FTP Match Criterion

The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of FTP traffic to match.

Request-Command—Match an FTP request command.

File Name—Match a filename for FTP transfer.

File Type—Match a file type for FTP transfer.

Server—Match an FTP server.

User Name—Match an FTP user.

Request-Command Criterion Values—Specifies the value details for the FTP request command match.

Request Command—Lets you select one or more request commands to match.

APPE—Append to a file.

CDUP—Change to the parent of the current directory.

DELE—Delete a file at the server site.

GET—FTP client command for the retr (retrieve a file) command.

HELP—Help information from the server.

MKD—Create a directory.

PUT—FTP client command for the stor (store a file) command.

RMD—Remove a directory.

RNFR—Rename from.

RNTO—Rename to.

SITE—Specify a server specific command.

STOU—Store a file with a unique name.

File Name Criterion Values—Specifies to match on the FTP transfer filename.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

File Type Criterion Values—Specifies to match on the FTP transfer file type.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Server Criterion Values—Specifies to match on the FTP server.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

User Name Criterion Values—Specifies to match on the FTP user.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

FTP Inspect Map

The FTP Inspect Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > FTP

The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection.

FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation.

Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.

Fields

FTP Inspect Maps—Table that lists the defined FTP inspect maps.

Add—Configures a new FTP inspect map. To edit an FTP inspect map, choose the FTP entry in the FTP Inspect Maps table and click Customize.

Delete—Deletes the inspect map selected in the FTP Inspect Maps table.

Security Level—Select the security level (medium or low).

Low

Mask Banner Disabled

Mask Reply Disabled

Medium—Default.

Mask Banner Enabled

Mask Reply Enabled

File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.

Customize—Opens the Add/Edit FTP Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

File Type Filtering

The File Type Filtering dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > FTP > MIME File Type Filtering

The File Type Filtering dialog box lets you configure the settings for a file type filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add File Type Filter dialog box to add a file type filter.

Edit—Opens the Edit File Type Filter dialog box to edit a file type filter.

Delete—Deletes a file type filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Add/Edit FTP Policy Map (Security Level)

The Add/Edit FTP Policy Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > FTP > FTP Inspect Map > Basic View

The Add/Edit FTP Policy Map pane lets you configure the security level and additional settings for FTP application inspection maps.

Fields

Name—When adding an FTP map, enter the name of the FTP map. When editing an FTP map, the name of the previously configured FTP map is shown.

Description—Enter the description of the FTP map, up to 200 characters in length.

Security Level—Select the security level (medium or low).

Low

Mask Banner Disabled

Mask Reply Disabled

Medium—Default.

Mask Banner Enabled

Mask Reply Enabled

File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.

Default Level—Sets the security level back to the default level of Medium.

Details—Shows the Parameters and Inspections tabs to configure additional settings.

Add/Edit FTP Policy Map (Details)

The Add/Edit FTP Policy Map (Details) dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > FTP > FTP Inspect Map > Advanced View

The Add/Edit FTP Policy Map pane lets you configure the security level and additional settings for FTP application inspection maps.

Fields

Name—When adding an FTP map, enter the name of the FTP map. When editing an FTP map, the name of the previously configured FTP map is shown.

Description—Enter the description of the FTP map, up to 200 characters in length.

Security Level—Shows the security level and file type filtering settings to configure.

Parameters—Tab that lets you configure the parameters for the FTP inspect map.

Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.

Mask reply to SYST command—Masks the reply to the syst command to prevent the client from discovering server information.

Inspections—Tab that shows you the FTP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the FTP inspection.

Value—Shows the value to match in the FTP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add FTP Inspect dialog box to add an FTP inspection.

Edit—Opens the Edit FTP Inspect dialog box to edit an FTP inspection.

Delete—Deletes an FTP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Add/Edit FTP Map

The Add/Edit FTP Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > FTP > FTP Inspect Map > Advanced View  > Add/Edit FTP Inspect

The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.

Fields

Single Match—Specifies that the FTP inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of FTP traffic to match.

Request Command—Match an FTP request command.

File Name—Match a filename for FTP transfer.

File Type—Match a file type for FTP transfer.

Server—Match an FTP server.

User Name—Match an FTP user.

Request Command Criterion Values—Specifies the value details for FTP request command match.

Request Command:

APPE—Command that appends to a file.

CDUP—Command that changes to the parent directory of the current working directory.

DELE—Command that deletes a file.

GET—Command that gets a file.

HELP—Command that provides help information.

MKD—Command that creates a directory.

PUT—Command that sends a file.

RMD—Command that deletes a directory.

RNFR—Command that specifies rename-from filename.

RNTO—Command that specifies rename-to filename.

SITE—Commands that are specific to the server system. Usually used for remote administration.

STOU—Command that stores a file using a unique filename.

File Name Criterion Values—Specifies the value details for FTP filename match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

File Type Criterion Values—Specifies the value details for FTP file type match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Server Criterion Values—Specifies the value details for FTP server match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

User Name Criterion Values—Specifies the value details for FTP user name match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple Matches—Specifies multiple matches for the FTP inspection.

FTP Traffic Class—Specifies the FTP traffic class match.

Manage—Opens the Manage FTP Class Maps dialog box to add, edit, or delete FTP Class Maps.

Action—Reset.

Log—Enable or disable.

Verifying and Monitoring FTP Inspection

FTP application inspection generates the following log messages:

An Audit record 303002 is generated for each file that is retrieved or uploaded.

The FTP command is checked to see if it is RETR or STOR and the retrieve and store commands are logged.

The username is obtained by looking up a table providing the IP address.

The username, source IP address, destination IP address, NAT address, and the file operation are logged.

Audit record 201005 is generated if the secondary dynamic channel preparation failed due to memory shortage.

In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.

HTTP Inspection

The HTTP inspection engine enables the system message 304001 when an inside user issues an HTTP GET request:

%ASA-5-304001: user source_address Accessed [JAVA] URL dest_address: url.

ICMP Inspection

The ICMP inspection engine allows ICMP traffic to have a "session" so it can be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the ASA 1000V in an access list. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

ICMP Error Inspection

When this feature is enabled, the ASA 1000V creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The ASA 1000V overwrites the packet with the translated IP addresses.

When disabled, the ASA 1000V does not create translation sessions for intermediate nodes that generate ICMP error messages. ICMP error messages generated by the intermediate nodes between the inside host and the ASA 1000V reach the outside host without consuming any additional NAT resource. This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the ASA 1000V. When the ASA 1000V does not translate the intermediate hops, all the intermediate hops appear with the mapped destination IP address.

The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client. The ICMP error inspection engine makes the following changes to the ICMP packet:

In the IP Header, the mapped IP is changed to the real IP (Destination Address) and the IP checksum is modified.

In the ICMP Header, the ICMP checksum is modified due to the changes in the ICMP packet.

In the Payload, the following changes are made:

Original packet mapped IP is changed to the real IP

Original packet mapped port is changed to the real Port

Original packet IP checksum is recalculated

Instant Messaging Inspection

This section describes the IM inspection engine. This section includes the following topics:

IM Inspection Overview

Select IM Map

IM Inspection Overview

The IM inspect engine lets you apply fine grained controls on the IM application to control the network usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate network.

Adding a Class Map for IM Inspection

Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection.

This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service Policy Rule Wizard - Rule Actions dialog box.


Step 1 Choose Configuration > Firewall > Objects > Class Maps > Instant Messaging (IM). The table displaying the configured class maps for Instant Messaging Inspection appears.

Step 2 To add a new class map, click Add. The Add Instant Messaging (IM) Traffic Class Map dialog box appears.

Step 3 Enter a name for the class map.

Step 4 (Optional) Enter a description for the class map. The description can contain up to 200 characters.

Step 5 In the Match Option field, click an option for the class map:

Match All—Specifies that traffic must match all criteria to match the class map. By default, the Match All option is selected.

Match Any—Specifies that the traffic matches the class map if it matches at least one of the criteria.

Step 6 Click Add to add a match criteria for the class map. The Add Instant Messaging (IM) Match Criterion dialog box appears.

Step 7 In the Match Type field, click the Match or No Match radio button.

Step 8 In the Criterion drop-down list, select one of the following options and specify the criteria value. Depending on which option you select, the Value fields dynamically refresh to display the appropriate values for that criteria.

Protocol—Select to match traffic of a specific IM protocol, such as Yahoo Messenger or MSN Messenger.

Service—Select to match a specific IM service, such as chat, file-transfer, webcam, voice-chat, conference, or games.

Version—Select to match the version of the IM message. In the Value fields, click the Regular Expression or Regular Expression Class option and select an expression from the drop-down list.

See Configuring Regular Expressions.

Client Login Name—Select to match the source login name of the IM message. In the Value fields, click the Regular Expression or Regular Expression Class option and select an expression from the drop-down list.

See Configuring Regular Expressions.

Client Peer Login Name—Select to match the destination login name of the IM message. In the Value fields, click the Regular Expression or Regular Expression Class option and select an expression from the drop-down list.

See Configuring Regular Expressions.

Source IP Address—Select to match the source IP address of the IM message. In the Value fields, enter the IP address and netmask of the message source.

Destination IP Address—Select to match the destination IP address of the IM message. In the Value fields, enter the IP address and netmask of the message destination.

Filename—Select to match the filename of the IM message. In the Value fields, click the Regular Expression or Regular Expression Class option and select an expression from the drop-down list.

See Configuring Regular Expressions.

Step 9 Click OK to save the criteria. The Add Instant Messaging (IM) Match Criterion dialog box closes and the criteria appears in the Match Criterion table.

Step 10 Click OK to save the class map.


Select IM Map  

The Select IM Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map

The Select IM Map dialog box lets you select or create a new IM map. An IM map lets you change the configuration values used for IM application inspection. The Select IM Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Add—Opens the Add Policy Map dialog box for the inspection.

IP Options Inspection

This section describes the IP Options inspection engine. This section includes the following topics:

IP Options Inspection Overview

Configuring IP Options Inspection

Select IP Options Inspect Map

IP Options Inspect Map

Add/Edit IP Options Inspect Map

IP Options Inspection Overview

Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as IP Options, provide for control functions that are required in some situations but unnecessary for most common communications. In particular, IP Options include provisions for time stamps, security, and special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.

You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA 1000V. Configuring this inspection instructs the ASA 1000V to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.

IP Options inspection can check for the following three IP options in a packet:

End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.

No Operation (NOP) or IP Option 1—The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.

Router Alert (RTRALT) or IP Option 20—This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols require relatively complex processing from the routers along the packets delivery path.


Note IP Options inspection is included by default in the global inspection policy. Therefore, the ASA 1000V allows RSVP traffic that contains packets with the Router Alert option (option 20).


Dropping RSVP packets containing the Router Alert option can cause problems in VoIP implementations.

When you configure the ASA 1000V to clear the Router Alert option from IP headers, the IP header changes in the following ways:

The Options field is padded so that the field ends on a 32 bit boundary.

Internet header length (IHL) changes.

The total length of the packet changes.

The checksum is recomputed.

If an IP header contains additional options other than EOOL, NOP, or RTRALT, regardless of whether the ASA 1000V is configured to allow these options, the ASA 1000V will drop the packet.

Configuring IP Options Inspection

Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection.

This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service Policy Rule Wizard - Rule Actions dialog box.


Step 1 Open the Add Service Policy Rule Wizard by selecting Configuration > Firewall > Service Policy Rules > Add.

Perform the steps to complete the Service Policy, Traffic Classification Criteria, and Traffic Match - Destination Port pages of the wizard. See the "Adding a Service Policy Rule for Through Traffic" section.

The Add Service Policy Rule Wizard - Rule Actions dialog box opens.

Step 2 Check the IP-Options check box.

Step 3 Click Configure.

The Select IP Options Inspect Map dialog box opens.

Step 4 Perform one of the following:

Click the Use the default IP-Options inspection map radio button to use the default IP Options map. The default map drops packets containing all the inspected IP options, namely End of Options List (EOOL), No Operation (NOP), and Router Alert (RTRALT).

Click the Select an IP-Options inspect map for fine control over inspection radio button to select a defined application inspection map.

Click Add to open the Add IP-Options Inspect Map dialog box and create a new inspection map.

Step 5 (Optional) If you clicked Add to create a new inspection map, define the following values for IP Options Inspection:

a. Enter a name for the inspection map.

b. Enter a description for the inspection map, up to 200 characters long.

c. From the Parameters area, select which IP options you want to pass through the ASA 1000V or clear and then pass through the ASA 1000V:

Allow packets with the End of Options List (EOOL) option

This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.

Allow packets with the No Operation (NOP) option

The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.

Allow packets with the Router Alert (RTRALT) option

This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols require relatively complex processing from the routers along the packets delivery path.

Clear the option value from the packets

When an option is checked, the Clear the option value from the packets check box becomes available for that option. Select the Clear the option value from the packets check box to clear the option from the packet before allowing the packet through the ASA 1000V.

d. Click OK.

Step 6 Click OK.

Step 7 Click Finish.


Select IP Options Inspect Map

The Select IP Options Inspect Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map

The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map. Use this inspection map to control whether the ASA 1000V drops, passes, or clears IP packets containing the following IP options—End of Options List, No Operations, and Router Alert.

Fields

Use the default IP-Options inspection map—Specifies to use the default IP Options map. The default map drops packets containing all the inspected IP options, namely End of Options List (EOOL), No Operation (NOP), and Router Alert (RTRALT).

Select an IP-Options map for fine control over inspectionLets you select a defined application inspection map or add a new one.

Add—Opens the Add IP Options Inspect Map dialog box for the inspection.

IP Options Inspect Map

The IP Options Inspect Maps pane lets you view previously configured IP Options inspection maps. An IP Options inspection map lets you change the default configuration values used for IP Option inspection.

You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA 1000V. Configuring this inspection instructs the ASA 1000V to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.

In particular, you can control whether the ASA 1000V drops, clears, or passes packets containing the Router Alert (RTRALT) option. Dropping RSVP packets containing the Router Alert option can cause problems in VoIP implementations. Therefore, you can create IP Options inspection maps to pass packets containing the RTRALT option.

Fields

IP Options Inspect Maps—Table that lists the defined IP Options inspect maps.

Add—Configures a new IP Options inspect map.

Edit—Edits an existing IP Options inspect map. To edit an IP Options inspect map, choose the entry in the table and click Edit.

Delete—Deletes the inspect map selected in the IP Options Inspect Maps table.

Add/Edit IP Options Inspect Map

The Add/Edit IP Options Inspect Map lets you configure the settings for IP Options inspection maps.

Fields

Name—When adding an IP Options inspection map, enter the name of the map. When editing a map, the name of the previously configured map is shown.

Description—Enter the description of the IP Options inspection map, up to 200 characters in length.

Parameters—Select which IP options you want to pass through the ASA 1000V or clear and then pass through the ASA 1000V:

Allow packets with the End of Options List (EOOL) option

This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.

Allow packets with the No Operation (NOP) option

The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.

Allow packets with the Router Alert (RTRALT) option

This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols require relatively complex processing from the routers along the packets delivery path.

Clear the option value from the packets

When an option is checked, the Clear the option value from the packets check box becomes available for that option. Select the Clear the option value from the packets check box to clear the option from the packet before allowing the packet through the ASA 1000V.

IPsec Pass Through Inspection

This section describes the IPsec Pass Through inspection engine. This section includes the following topics:

IPsec Pass Through Inspection Overview

Select IPsec-Pass-Thru Map

IPsec Pass Through Inspect Map

Add/Edit IPsec Pass Thru Policy Map (Security Level)

Add/Edit IPsec Pass Thru Policy Map (Details)

IPsec Pass Through Inspection Overview

Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example, computer users or servers), between a pair of security gateways (such as routers or firewalls), or between a security gateway and a host.

IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy access list configuration to permit ESP and AH traffic and also provides security using timeout and max connections.

Specify IPsec Pass Through inspection parameters to identify a specific map to use for defining the parameters for the inspection. Configure a policy map for Specify IPsec Pass Through inspection to access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You can set the per client max connections and the idle timeout in parameters configuration.

NAT and non-NAT traffic is permitted. However, PAT is not supported.

Select IPsec-Pass-Thru Map

The Select IPsec-Pass-Thru Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IPsec-Pass-Thru Map

The Select IPsec-Pass-Thru dialog box lets you select or create a new IPsec map. An IPsec map lets you change the configuration values used for IPsec application inspection. The Select IPsec Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default IPsec inspection map—Specifies to use the default IPsec map.

Select an IPsec map for fine control over inspectionLets you select a defined application inspection map or add a new one.

Add—Opens the Add Policy Map dialog box for the inspection.

IPsec Pass Through Inspect Map

The IPsec Pass Through Inspect Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > IPsec Pass Through

The IPsec Pass Through pane lets you view previously configured IPsec Pass Through application inspection maps. An IPsec Pass Through map lets you change the default configuration values used for IPsec Pass Through application inspection. You can use an IPsec Pass Through map to permit certain flows without using an access list.

Fields

IPsec Pass Through Inspect Maps—Table that lists the defined IPsec Pass Through inspect maps.

Add—Configures a new IPsec Pass Through inspect map. To edit an IPsec Pass Through inspect map, select the IPsec Pass Through entry in the IPsec Pass Through Inspect Maps table and click Customize.

Delete—Deletes the inspect map selected in the IPsec Pass Through Inspect Maps table.

Security Level—Select the security level (high or low).

Low—Default.

Maximum ESP flows per client: Unlimited.

ESP idle timeout: 00:10:00.

Maximum AH flows per client: Unlimited.

AH idle timeout: 00:10:00.

High

Maximum ESP flows per client:10.

ESP idle timeout: 00:00:30.

Maximum AH flows per client: 10.

AH idle timeout: 00:00:30.

Customize—Opens the Add/Edit IPsec Pass Thru Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

Add/Edit IPsec Pass Thru Policy Map (Security Level)

The Add/Edit IPsec Pass Thru Policy Map (Security Level) dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > IPsec Pass Through> IPsec Pass Through Inspect Map > Basic View

The Add/Edit IPsec Pass Thru Policy Map pane lets you configure the security level and additional settings for IPsec Pass Thru application inspection maps.

Fields

Name—When adding an IPsec Pass Thru map, enter the name of the IPsec Pass Thru map. When editing an IPsec Pass Thru map, the name of the previously configured IPsec Pass Thru map is shown.

Security Level—Select the security level (high or low).

Low—Default.

Maximum ESP flows per client: Unlimited.

ESP idle timeout: 00:10:00.

Maximum AH flows per client: Unlimited.

AH idle timeout: 00:10:00.

High

Maximum ESP flows per client:10.

ESP idle timeout: 00:00:30.

Maximum AH flows per client: 10.

AH idle timeout: 00:00:30.

Default Level—Sets the security level back to the default level of Low.

Details—Shows additional parameter settings to configure.

Add/Edit IPsec Pass Thru Policy Map (Details)

The Add/Edit IPsec Pass Thru Policy Map (Details) dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps >IPsec Pass Through > IPsec Pass Through Inspect Map > Advanced View

The Add/Edit IPsec Pass Thru Policy Map pane lets you configure the security level and additional settings for IPsec Pass Thru application inspection maps.

Fields

Name—When adding an IPsec Pass Thru map, enter the name of the IPsec Pass Thru map. When editing an IPsec Pass Thru map, the name of the previously configured IPsec Pass Thru map is shown.

Description—Enter the description of the IPsec Pass Through map, up to 200 characters in length.

Security Level—Shows the security level settings to configure.

Parameters—Configures ESP and AH parameter settings.

Limit ESP flows per client—Limits ESP flows per client.

Maximum—Specify maximum limit.

Apply ESP idle timeout—Applies ESP idle timeout.

Timeout—Specify timeout.

Limit AH flows per client—Limits AH flows per client.

Maximum—Specify maximum limit.

Apply AH idle timeout—Applies AH idle timeout.

Timeout—Specify timeout.

NetBIOS Inspection

This section describes the IM inspection engine. This section includes the following topics:

NetBIOS Inspection Overview

Select NETBIOS Map

"NetBIOS Inspect Map" section

"Add/Edit NetBIOS Policy Map" section

NetBIOS Inspection Overview

NetBIOS inspection is enabled by default. The NetBios inspection engine translates IP addresses in the NetBios name service (NBNS) packets according to the ASA 1000V NAT configuration.

Select NETBIOS Map

The Select NETBIOS Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select NetBIOS Map

The Select NETBIOS Map dialog box lets you select or create a new NetBIOS map. A NetBIOS map lets you change the configuration values used for NetBIOS application inspection. The Select NetBIOS Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default IM inspection map—Specifies to use the default NetBIOS map.

Select a NetBIOS map for fine control over inspectionLets you select a defined application inspection map or add a new one.

Add—Opens the Add Policy Map dialog box for the inspection.

NetBIOS Inspect Map

The NetBIOS Inspect Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > NetBIOS

The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection.

NetBIOS application inspection performs NAT for the embedded IP address in the NetBIOS name service packets and NetBIOS datagram services packets. It also enforces protocol conformance, checking the various count and length fields for consistency.

Fields

NetBIOS Inspect Maps—Table that lists the defined NetBIOS inspect maps.

Add—Configures a new NetBIOS inspect map.

Edit—Edits the selected NetBIOS entry in the NetBIOS Inspect Maps table.

Delete—Deletes the inspect map selected in the NetBIOS Inspect Maps table.

Add/Edit NetBIOS Policy Map

The Add/Edit NetBIOS Policy Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > NetBIOS > NetBIOS Inspect Map > View

The Add/Edit NetBIOS Policy Map pane lets you configure the protocol violation settings for NetBIOS application inspection maps.

Fields

Name—When adding a NetBIOS map, enter the name of the NetBIOS map. When editing an NetBIOS map, the name of the previously configured NetBIOS map is shown.

Description—Enter the description of the NetBIOS map, up to 200 characters in length.

Check for protocol violations—Checks for protocol violations and executes specified action.

Action—Drop packet or log.

Log—Enable or disable.

PPTP Inspection

PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and managing the PPTP GRE tunnels. The GRE tunnels carries PPP sessions between the two hosts.

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.

PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC 1701, RFC 1702].

Specifically, the ASA 1000V inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP control channel is disabled if the version announced by either side is not Version 1. In addition, the outgoing-call request and reply sequence are tracked. Connections and xlates are dynamic allocated as necessary to permit subsequent secondary GRE data traffic.

The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and RFC 1702).

As described in RFC 2637, the PPTP protocol is mainly used for the tunneling of PPP sessions initiated from a modem bank PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server). When used this way, the PAC is the remote client and the PNS is the server.

However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user PC that initiates connection to the head-end PAC to gain access to a central network.

SMTP and Extended SMTP Inspection

This section describes the IM inspection engine. This section includes the following topics:

SMTP and ESMTP Inspection Overview

Select ESMTP Map

ESMTP Inspect Map

MIME File Type Filtering

Add/Edit ESMTP Policy Map (Security Level)

Add/Edit ESMTP Policy Map (Details)

Add/Edit ESMTP Inspect

SMTP and ESMTP Inspection Overview

ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA 1000V and by adding monitoring capabilities.

ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA 1000V supports a total of fifteen SMTP commands.

Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as "500 Command unknown: 'XXX'." Incomplete commands are discarded.

The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored.

With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.

An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:

Restricts SMTP requests to seven basic SMTP commands and eight extended commands.

Monitors the SMTP command-response sequence.

Generates an audit trail—Audit record 108002 is generated when invalid character embedded in the mail address is replaced. For more information, see RFC 821.

SMTP inspection monitors the command and response sequence for the following anomalous signatures:

Truncated commands.

Incorrect command termination (not terminated with <CR><LR>).

The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank space) and "<" ‚">" are only allowed if they are used to define a mail address (">" must be preceded by "<").

Unexpected transition by the SMTP server.

For unknown commands, the ASA 1000V changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packed, the TCP checksum has to be recalculated or adjusted.

TCP stream editing.

Command pipelining.

Select ESMTP Map

The Select ESMTP Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select ESMTP Map

The Select ESMTP Map dialog box lets you select or create a new ESMTP map. An ESMTP map lets you change the configuration values used for ESMTP application inspection. The Select ESMTP Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default ESMTP inspection map—Specifies to use the default ESMTP map.

Select an ESMTP map for fine control over inspectionLets you select a defined application inspection map or add a new one.

Add—Opens the Add Policy Map dialog box for the inspection.

ESMTP Inspect Map

The ESMTP Inspect Map dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > ESMTP

The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection.

Since ESMTP traffic can be a main source of attack from spam, phising, malformed messages, buffer overflows, and buffer underflows, detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance enforce the sanity of the ESMTP message as well as detect several attacks, block senders and receivers, and block mail relay.

Fields

ESMTP Inspect Maps—Table that lists the defined ESMTP inspect maps.

Add—Configures a new ESMTP inspect map. To edit an ESMTP inspect map, choose the ESMTP entry in the ESMTP Inspect Maps table and click Customize.

Delete—Deletes the inspect map selected in the ESMTP Inspect Maps table.

Security Level—Select the security level (high, medium, or low).

Low—Default.

Log if command line length is greater than 512

Log if command recipient count is greater than 100

Log if body line length is greater than 1000

Log if sender address length is greater than 320

Log if MIME file name length is greater than 255

Medium

Obfuscate Server Banner

Drop Connections if command line length is greater than 512

Drop Connections if command recipient count is greater than 100

Drop Connections if body line length is greater than 1000

Drop Connections if sender address length is greater than 320

Drop Connections if MIME file name length is greater than 255

High

Obfuscate Server Banner

Drop Connections if command line length is greater than 512

Drop Connections if command recipient count is greater than 100

Drop Connections if body line length is greater than 1000

Drop Connections and log if sender address length is greater than 320

Drop Connections and log if MIME file name length is greater than 255

MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.

Customize—Opens the Add/Edit ESMTP Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

MIME File Type Filtering

The MIME File Type Filtering dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > ESMTP > MIME File Type Filtering

The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter.

Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.

Delete—Deletes a MIME file type filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Add/Edit ESMTP Policy Map (Security Level)

The Add/Edit ESMTP Policy Map (Security Level) dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > ESMTP > ESMTP Inspect Map > Basic View

The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.

Fields

Name—When adding an ESMTP map, enter the name of the ESMTP map. When editing an ESMTP map, the name of the previously configured ESMTPS map is shown.

Description—Enter the description of the ESMTP map, up to 200 characters in length.

Security Level—Select the security level (high, medium, or low).

Low—Default.

Log if command line length is greater than 512

Log if command recipient count is greater than 100

Log if body line length is greater than 1000

Log if sender address length is greater than 320

Log if MIME file name length is greater than 255

Medium

Obfuscate Server Banner

Drop Connections if command line length is greater than 512

Drop Connections if command recipient count is greater than 100

Drop Connections if body line length is greater than 1000

Drop Connections if sender address length is greater than 320

Drop Connections if MIME file name length is greater than 255

High

Obfuscate Server Banner

Drop Connections if command line length is greater than 512

Drop Connections if command recipient count is greater than 100

Drop Connections if body line length is greater than 1000

Drop Connections and log if sender address length is greater than 320

Drop Connections and log if MIME file name length is greater than 255

MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.

Default Level—Sets the security level back to the default level of Low.

Details—Shows the Parameters and Inspections tabs to configure additional settings.

Add/Edit ESMTP Policy Map (Details)

The Add/Edit ESMTP Policy Map (Details) dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View

The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.

Fields

Name—When adding an ESMTP map, enter the name of the ESMTP map. When editing an ESMTP map, the name of the previously configured ESMTP map is shown.

Description—Enter the description of the ESMTP map, up to 200 characters in length.

Security Level—Shows the security level and mime file type filtering settings to configure.

Parameters—Tab that lets you configure the parameters for the ESMTP inspect map.

Mask server banner—Enforces banner obfuscation.

Configure Mail Relay—Enables ESMTP mail relay.

Domain Name—Specifies a local domain.

Action—Drop connection or log.

Log—Enable or disable.

Inspections—Tab that shows you the ESMTP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the ESMTP inspection.

Value—Shows the value to match in the ESMTP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection.

Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection.

Delete—Deletes an ESMTP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Add/Edit ESMTP Inspect

The Add/Edit ESMTP Inspect dialog box is accessible as follows:

Configuration > Global Objects  > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View  > Add/Edit ESMTP Inspect

The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.

Fields

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of ESMTP traffic to match.

Body Length—Match body length at specified length in bytes.

Body Line Length—Match body line length matching at specified length in bytes.

Commands—Match commands exchanged in the ESMTP protocol.

Command Recipient Count—Match command recipient count greater than number specified.

Command Line Length—Match command line length greater than length specified in bytes.

EHLO Reply Parameters—Match an ESMTP ehlo reply parameter.

Header Length—Match header length at length specified in bytes.

Header To Fields Count—Match header To fields count greater than number specified.

Invalid Recipients Count—Match invalid recipients count greater than number specified.

MIME File Type—Match MIME file type.

MIME Filename Length—Match MIME filename.

MIME Encoding—Match MIME encoding.

Sender Address—Match sender email address.

Sender Address Length—Match sender email address length.

Body Length Criterion Values—Specifies the value details for body length match.

Greater Than Length—Body length in bytes.

Action—Reset, drop connection, log.

Log—Enable or disable.

Body Line Length Criterion Values—Specifies the value details for body line length match.

Greater Than Length—Body line length in bytes.

Action—Reset, drop connection, log.

Log—Enable or disable.

Commands Criterion Values—Specifies the value details for command match.

Available Commands Table:

AUTH

DATA

EHLO

ETRN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SOML

VRFY

Add—Adds the selected command from the Available Commands table to the Selected Commands table.

Remove—Removes the selected command from the Selected Commands table.

Primary Action—Mask, Reset, Drop Connection, None, Limit Rate (pps).

Log—Enable or disable.

Rate Limit—Do not limit rate, Limit Rate (pps).

Command Recipient Count Criterion Values—Specifies the value details for command recipient count match.

Greater Than Count—Specify command recipient count.

Action—Reset, drop connection, log.

Log—Enable or disable.

Command Line Length Criterion Values—Specifies the value details for command line length.

Greater Than Length—Command line length in bytes.

Action—Reset, drop connection, log.

Log—Enable or disable.

EHLO Reply Parameters Criterion Values—Specifies the value details for EHLO reply parameters match.

Available Parameters Table:

8bitmime

auth

binarymime

checkpoint

dsn

ecode

etrn

others

pipelining

size

vrfy

Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table.

Remove—Removes the selected command from the Selected Commands table.

Action—Reset, Drop Connection, Mask, Log.

Log—Enable or disable.

Header Length Criterion Values—Specifies the value details for header length match.

Greater Than Length—Header length in bytes.

Action—Reset, Drop Connection, Mask, Log.

Log—Enable or disable.

Header To Fields Count Criterion Values—Specifies the value details for header To fields count match.

Greater Than Count—Specify command recipient count.

Action—Reset, drop connection, log.

Log—Enable or disable.

Invalid Recipients Count Criterion Values—Specifies the value details for invalid recipients count match.

Greater Than Count—Specify command recipient count.

Action—Reset, drop connection, log.

Log—Enable or disable.

MIME File Type Criterion Values—Specifies the value details for MIME file type match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Action—Reset, drop connection, log.

Log—Enable or disable.

MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match.

Greater Than Length—MIME filename length in bytes.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.

Available Encodings table

7bit

8bit

base64

binary

others

quoted-printable

Add—Adds the selected parameter from the Available Encodings table to the Selected Encodings table.

Remove—Removes the selected command from the Selected Commands table.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

Sender Address Criterion Values—Specifies the value details for sender address match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

Sender Address Length Criterion Values—Specifies the value details for sender address length match.

Greater Than Length—Sender address length in bytes.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

TFTP Inspection

TFTP inspection is enabled by default.

TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.

The ASA 1000V inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).

A dynamic secondary channel and a PAT translation, if necessary, are allocated on a reception of a valid read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification.

Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel.

TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.