Detailed Steps
Step 1 To identify the traffic to which you want to apply inspections, add either a Layer 3/4 class map for through traffic or a Layer 3/4 class map for management traffic. See the “Creating a Layer 3/4 Class Map for Through Traffic” section and “Creating a Layer 3/4 Class Map for Management Traffic” section for detailed information. The management Layer 3/4 class map can be used only with the RADIUS accounting inspection.
The default Layer 3/4 class map for through traffic is called “inspection_default.” It matches traffic using a special match command, match default-inspection-traffic, to match the default ports for each application protocol. This traffic class (along with match any, which is not typically used for inspection) matches both IPv4 and IPv6 traffic for inspections that support IPv6. See the “Guidelines and Limitations” section for a list of IPv6-enabled inspections.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the ACL are ignored.
Tip We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted.
If you want to match non-standard ports, then create a new class map for the non-standard ports. See the “Default Settings and NAT Limitations” section for the standard ports for each inspection engine. You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add another class that matches SNMP.
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands:
ciscoasa(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# class-map inspection_default
ciscoasa(config-cmap)# match access-list inspect
View the entire class map using the following command:
ciscoasa(config-cmap)# show running-config class-map inspection_default
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an ACL that specifies the ports, and assign it to a new class map:
ciscoasa(config)# access-list ftp_inspect extended permit tcp any any eq 21
ciscoasa(config)# access-list ftp_inspect extended permit tcp any any eq 1056
ciscoasa(config)# class-map new_inspection
ciscoasa(config-cmap)# match access-list ftp_inspect
Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. See the following sections to configure an inspection policy map for your application:
Step 3 To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the following command:
ciscoasa(config)# policy-map name
The default policy map is called “global_policy.” This policy map includes the default inspections listed in the “Default Settings and NAT Limitations” section. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.
Step 4 To identify the class map from Step 1 to which you want to assign an action, enter the following command:
ciscoasa(config-pmap)# class class_map_name
If you are editing the default policy map, it includes the inspection_default class map. You can edit the actions for this class by entering inspection_default as the name. To add an additional class map to this policy map, identify a different name. You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class map. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add another class that matches SNMP.
Step 5 Enable application inspection by entering the following command:
ciscoasa(config-pmap-c)# inspect protocol
The protocol is one of the following values:
Table 9-2 Protocol Keywords

| Keyword | Notes |
|---|---|
| ctiqbe | — |
| dcerpc [map_name] | If you added a DCERPC inspection policy map according to the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| dns [map_name] [dynamic-filter-snoop] | If you added a DNS inspection policy map according to the “(Optional) Configuring a DNS Inspection Policy Map and Class Map” section, identify the map name in this command. The default DNS inspection policy map name is “preset_dns_map.” The default inspection policy map sets the maximum DNS packet length to 512 bytes. To enable DNS snooping for the Botnet Traffic Filter, enter the dynamic-filter-snoop keyword. See the “Enabling DNS Snooping” section for more information. |
| esmtp [map_name] | If you added an ESMTP inspection policy map according to the “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| ftp [strict [map_name]] | Use the strict keyword to increase the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. See the “Using the strict Option” section for more information. If you added an FTP inspection policy map according to the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| gtp [map_name] | If you added a GTP inspection policy map according to the “Configuring a GTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| h323 h225 [map_name] | If you added an H.323 inspection policy map according to the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| h323 ras [map_name] | If you added an H.323 inspection policy map according to the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| http [map_name] | If you added an HTTP inspection policy map according to the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| icmp | — |
| icmp error | — |
| ils | — |
| im [map_name] | If you added an Instant Messaging inspection policy map according to the “Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| ip-options [map_name] | If you added an IP Options inspection policy map according to the “Configuring an IP Options Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| ipsec-pass-thru [map_name] | If you added an IPsec Pass Through inspection policy map according to the “IPsec Pass Through Inspection” section, identify the map name in this command. |
| ipv6 [map_name] | If you added an IPv6 inspection policy map according to the “(Optional) Configuring an IPv6 Inspection Policy Map” section, identify the map name in this command. |
| mgcp [map_name] | If you added an MGCP inspection policy map according to the “Configuring an MGCP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| netbios [map_name] | If you added a NetBIOS inspection policy map according to the “Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| pptp | — |
| radius-accounting [map_name] | The radius-accounting keyword is only available for a management class map. See the “Creating a Layer 3/4 Class Map for Management Traffic” section for more information about creating a management class map. If you added a RADIUS accounting inspection policy map according to the “Configuring a RADIUS Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| rsh | — |
| rtsp [map_name] | If you added an RTSP inspection policy map according to the “Configuring an RTSP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| scansafe [map_name] | If you added a ScanSafe (Cloud Web Security) inspection policy map according to the “Configuring a Service Policy to Send Traffic to Cloud Web Security” section, identify the map name in this command. |
| sip [map_name] | If you added a SIP inspection policy map according to the “Configuring a SIP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| skinny [map_name] | If you added a Skinny inspection policy map according to the “Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| snmp [map_name] | If you added an SNMP inspection policy map according to the “Configuring an SNMP Inspection Policy Map for Additional Inspection Control” section, identify the map name in this command. |
| sqlnet | — |
| sunrpc | The default class map includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, add the class to the policy, and then apply the inspect sunrpc command to that class. |
| tftp | — |
| waas | — |
| xdmcp | — |
Step 6 To activate the policy map on one or more interfaces, enter the following command:
ciscoasa(config)# service-policy policymap_name {global | interface interface_name}
Where global applies the policy map to all interfaces, and interface applies the policy to one interface. By default, the default policy map, “global_policy,” is applied globally. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.