The following topics explain application inspection for basic Internet protocols. For information on why you need to use inspection for certain protocols, and the overall methods for applying inspection, see Getting Started with Application Layer Protocol Inspection.
The following sections describe DNS application inspection.
DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:
DNS inspection is enabled by default, using the preset_dns_map inspection policy map (a policy map of type inspect dns, not a class map):
See the following default DNS inspection commands:
DNS inspection is enabled by default. You need to configure it only if you want non-default processing. If you want to customize DNS inspection, use the following process.
Step 1 Configure DNS Inspection Policy Map.
Step 2 Configure the DNS Inspection Service Policy.
You can create a DNS inspection policy map to customize DNS inspection actions if the default inspection behavior is not sufficient for your network.
When defining traffic matching criteria, you can either create a class map or include the match statements directly in the policy map. The following procedure explains both approaches.
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
Step 1 (Optional) Create a DNS inspection class map by performing the following steps.
A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
a. Create the class map by entering the following command:
Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one match statement. The CLI enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
Where string is the description of the class map (up to 200 characters).
c. Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
d. Enter exit to leave class map configuration mode.
Step 2 Create a DNS inspection policy map, enter the following command:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 3 (Optional) To add a description to the policy map, enter the following command:
Step 4 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
b. Specify the action you want to perform on the matching traffic by entering the following command:
Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available.
The drop keyword drops all packets that match.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet. This action is available for header flag matches only.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
The enforce-tsig {[drop] [log]} keyword enforces the presence of the TSIG resource record in a message. A packet that lacks the TSIG resource record can be dropped, logged, or dropped and logged. You can combine this option with the mask action for header flag matches; otherwise, it is exclusive with the other actions.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map.
Step 5 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
The following example shows how to define a DNS inspection policy map.
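The listing that belongs here is not reproduced on the page, so the following is an added example written for this page rather than Cisco's own listing. It walks the procedure above end to end: two regular expressions grouped in a regex class map, a DNS inspection class map keyed on those domain names, and a policy map that drops and logs that class, drops and logs AXFR queries as a direct match, and then sets the engine parameters. Every object name (domain_example, domain_foolish, blocked_domains, dns_blocked_class, dns_policy_map) and the id-mismatch threshold are assumptions chosen for illustration. It is written in pasteable running-config form with the prompts omitted; paste it at the global configuration prompt.

```cisco
! Added example for this page (not Cisco's listing). Paste at the global
! configuration prompt; prompts are omitted. All names and the id-mismatch
! threshold are assumptions chosen for illustration.
!
! Step 1: regular expressions, grouped in a regex class map so the set of
! domains can be reused by more than one inspection class map.
regex domain_example "example\.com"
regex domain_foolish "foolish\.com"
class-map type regex match-any blocked_domains
 match regex domain_example
 match regex domain_foolish
!
! Step 1 (continued): a DNS inspection class map keyed on those domain names.
! match-all is the default; with a single match line it makes no difference.
class-map type inspect dns match-all dns_blocked_class
 match domain-name regex class blocked_domains
!
! Steps 2 to 5: the policy map. A class gets one action set; a direct match
! gets its own. drop discards the offending message only; drop-connection
! would also tear down the UDP/53 connection that several DNS sessions
! between the same hosts share, so prefer drop for per-message rules.
policy-map type inspect dns dns_policy_map
 class dns_blocked_class
  drop log
 match dns-type eq AXFR
  drop log
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
  id-randomization
  id-mismatch count 10 duration 2 action log
  tsig enforced action log
```

Two things to keep in mind when adapting it: the default inspection class applies DNS inspection to UDP/53 only, so a rule such as the AXFR match only sees zone-transfer requests that arrive over UDP; and `tsig enforced action log` at the parameters level is a useful first step because it reports unsigned messages without breaking resolvers that do not sign, which `drop` would.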
The default ASA configuration includes DNS inspection on the default port applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list dns
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for DNS inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure DNS inspection.
Note If you are editing the default global policy (or any in-use policy) to use a different DNS inspection policy map (for example, you are replacing the default preset_dns_map), you must remove the DNS inspection with the no inspect dns command, and then re-add it with the new DNS inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The following example shows how to use a new inspection policy map in the default global configuration:
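The listing for this example is not on the page either, so here is an added example (not Cisco's listing) of the swap the note above warns about, bracketed by the checks that confirm what was in force before and what is in force after. It assumes a DNS inspection policy map named dns_policy_map already exists and that the global_policy, inspection_default and preset_dns_map objects are the untouched ASA defaults; confirm that with the first show command rather than assuming it.

```cisco
! Added example (not Cisco's listing). Assumes dns_policy_map already exists;
! global_policy, inspection_default and preset_dns_map are the ASA defaults.
!
! 1. Confirm what is in force today: which map the global policy references
!    and what the preset map actually enables on this release.
show running-config policy-map
show service-policy inspect dns
!
! 2. Replace the map on the in-use global policy. The existing inspect dns
!    line must be removed before a different map can be attached to the
!    same class. Connections already open keep the old behaviour until they
!    close; only new connections see the new map.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns dns_policy_map
!
! 3. Verify: the DNS line under inspection_default should now name
!    dns_policy_map, and its drop/log counters should advance as matching
!    queries arrive. show conn lists the shared UDP/53 connection whose idle
!    timer is reset by every new DNS session, as described above.
show service-policy inspect dns
show conn protocol udp port 53
!
! Roll back if name resolution breaks (commented out so a paste is safe):
! policy-map global_policy
!  class inspection_default
!   no inspect dns dns_policy_map
!   inspect dns preset_dns_map
```

Do the swap in a maintenance window if you can: between the `no inspect dns` and the `inspect dns` lines DNS passes through the default class uninspected, and `clear conn` is the only way to force already-established connections onto the new map.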
To view information about the current DNS connections, enter the following command:
For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
To display the statistics for DNS application inspection, enter the show service-policy command. The following is sample output from the show service-policy command:
The following sections describe the FTP inspection engine.
The FTP application inspection inspects the FTP sessions and performs four tasks:
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.
Note If you disable the FTP inspection engine with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
Strict FTP increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. To enable strict FTP, include the strict option with the inspect ftp command.
When you use strict FTP, you can optionally specify an FTP inspection policy map to specify FTP commands that are not permitted to pass through the ASA.
After you enable the strict option on an interface, FTP inspection enforces the following behavior:
If the strict option is enabled, each FTP command and response sequence is tracked for the following anomalous activity:
FTP inspection is enabled by default. You need to configure it only if you want non-default processing. If you want to customize FTP inspection, use the following process.
Step 1 Configure an FTP Inspection Policy Map.
Step 2 Configure the FTP Inspection Service Policy.
FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation.
Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.
If you want FTP inspection to allow FTP servers to reveal their system type to FTP clients, and limit the allowed FTP commands, then create and configure an FTP inspection policy map. You can then apply the map when you enable FTP inspection.
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
Step 1 (Optional) Create an FTP inspection class map by performing the following steps.
A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
a. Create the class map by entering the following command:
Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one match statement. The CLI enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
Where string is the description of the class map (up to 200 characters).
c. Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
CDUP—Changes to the parent directory of the current working directory.
DELE—Deletes a file on the server.
GET—Gets a file from the server.
HELP—Provides help information.
MKD—Makes a directory on the server.
PUT—Sends a file to the server.
RMD—Deletes a directory on the server.
RNFR—Specifies the “rename-from” filename.
RNTO—Specifies the “rename-to” filename.
SITE—Used to specify a server-specific command. This is usually used for remote administration.
STOU—Stores a file using a unique file name.
d. Enter exit to leave class map configuration mode.
Step 2 Create an FTP inspection policy map:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 3 (Optional) To add a description to the policy map, enter the following command:
Step 4 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
b. Specify the action you want to perform on the matching traffic by entering the following command:
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client. Add the log keyword to send a system log message.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map.
Step 5 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
Before submitting a username and password, every FTP user is shown a greeting banner. By default, this banner includes version information that helps an attacker fingerprint the server and look up known weaknesses. The following example shows how to mask this banner:
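The listing that belongs after that sentence is not on the page, so the following is an added example for this page (not Cisco's listing). It masks the banner as described and goes further than the single-parameter case: it also masks the SYST reply, resets uploads whose filename ends in .exe or .dll, restricts the SITE command to an assumed set of administrative usernames, and attaches the map with strict FTP inspection on the global policy. All object names and regular expressions (ftp_admin1, ftp_admin2, ftp_admins, ftp_site_nonadmin, exe_upload, ftp_exe_upload, ftp_policy) are assumptions chosen for illustration.

```cisco
! Added example (not Cisco's listing). Paste at the global configuration
! prompt; prompts are omitted. All object names and regexes are assumptions.
!
! Usernames allowed to issue SITE (server-specific, usually administrative,
! commands). ^ and $ anchor the whole USER value so "ftpadmin2" or
! "notbackup" do not slip through a substring match.
regex ftp_admin1 "^ftpadmin$"
regex ftp_admin2 "^backup$"
class-map type regex match-any ftp_admins
 match regex ftp_admin1
 match regex ftp_admin2
!
! SITE from anyone who is NOT an admin: match-all combines the negated
! username test with the command test.
class-map type inspect ftp match-all ftp_site_nonadmin
 match not username regex class ftp_admins
 match request-command site
!
! Uploads (PUT or STOU) whose filename ends in .exe or .dll. The character
! classes make the extension test case-insensitive.
regex exe_upload "\.([Ee][Xx][Ee]|[Dd][Ll][Ll])$"
class-map type inspect ftp match-all ftp_exe_upload
 match request-command put stou
 match filename regex exe_upload
!
! Policy map. reset drops the packet, closes the connection and sends a TCP
! RST; log adds a syslog message per hit. mask-banner hides the greeting
! (the example the text asks for) and mask-syst-reply hides the SYST reply
! that would otherwise reveal the server's operating system.
policy-map type inspect ftp ftp_policy
 class ftp_site_nonadmin
  reset log
 class ftp_exe_upload
  reset log
 parameters
  mask-banner
  mask-syst-reply
!
! Attach the map. An FTP inspection policy map only takes effect with the
! strict keyword, and the existing inspect ftp line on the in-use class has
! to be removed before the new one is accepted.
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect ftp strict ftp_policy
!
! Verify that the map is attached and watch the reset counters.
show service-policy inspect ftp
```

Test the strict path before relying on it: some older clients send commands the strict checks reject, and the note earlier in this section applies in reverse while the `no inspect ftp` line is in force, since outbound active-mode transfers stop working until `inspect ftp strict` is re-added.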
The default ASA configuration includes FTP inspection on the default port applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list ftp
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for FTP inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure FTP inspection.
Note If you are editing the default global policy (or any in-use policy) to use a different FTP inspection policy map, you must remove the FTP inspection with the no inspect ftp command, and then re-add it with the new FTP inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
FTP application inspection generates the following log messages:
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
The following sections describe the HTTP inspection engine.
Tip You can install a service module that performs application and URL filtering, which includes HTTP inspection, such as ASA CX or ASA FirePOWER. The HTTP inspection running on the ASA is not compatible with these modules. Note that it is far easier to configure application filtering using a purpose-built module rather than trying to manually configure it on the ASA using an HTTP inspection policy map.
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated with HTTP traffic.
HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available when you configure an HTTP inspection policy map, can help prevent attackers from using HTTP messages for circumventing network security policy.
HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported.
Enhanced HTTP inspection verifies the following for all HTTP messages:
HTTP inspection is not enabled by default. If you are not using a purpose-built module for HTTP inspection and application filtering, such as ASA CX or ASA FirePOWER, you can manually configure HTTP inspection on the ASA using the following process.
Tip Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not compatible.
Step 1 Configure an HTTP Inspection Policy Map.
Step 2 Configure the HTTP Inspection Service Policy.
To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can then apply the inspection policy map when you enable HTTP inspection.
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
Step 1 (Optional) Create an HTTP inspection class map by performing the following steps.
A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
a. Create the class map by entering the following command:
Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one match statement. The CLI enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
Where string is the description of the class map (up to 200 characters).
c. Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
d. Enter exit to leave class map configuration mode.
Step 2 Create an HTTP inspection policy map:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 3 (Optional) To add a description to the policy map, enter the following command:
Step 4 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
b. Specify the action you want to perform on the matching traffic by entering the following command:
The drop-connection keyword drops the packet and closes the connection.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map.
Step 5 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
The following example shows how to define an HTTP inspection policy map that allows and logs any HTTP connection that attempts to access "www\.xyz.com/.*\.asp" or "www\.xyz[0-9][0-9]\.com" with the GET or PUT method. All other URL/method combinations are allowed without logging.
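The listing is not on the page, so the following is an added example for this page (not Cisco's listing) that implements the policy just described and then goes slightly beyond it: it adds the two parameters a practitioner usually wants (drop protocol violations, replace the Server header) and the single line that enables HTTP inspection on the default global policy, which the next procedure explains is off by default. Object names (url1, url2, url_to_log, method_get, method_put, methods_to_log, http_url_policy, http_policy) and the spoofed server string are assumptions chosen for illustration.

```cisco
! Added example (not Cisco's listing). Paste at the global configuration
! prompt; prompts are omitted. Names and the spoofed string are assumptions.
!
! URIs to log. Note the escaped dot before "com": in the pattern as quoted
! in the text, "www\.xyz.com", the unescaped "." matches any character, so
! it would also match "www.xyzXcom". Tighten it when you copy it.
regex url1 "www\.xyz\.com/.*\.asp"
regex url2 "www\.xyz[0-9][0-9]\.com"
class-map type regex match-any url_to_log
 match regex url1
 match regex url2
!
! Methods to log. A match-all class cannot OR two "match request method"
! lines, so the two methods go through a match-any regex class instead.
regex method_get "^GET$"
regex method_put "^PUT$"
class-map type regex match-any methods_to_log
 match regex method_get
 match regex method_put
!
! Both conditions must hold: URI in the set AND method in the set.
class-map type inspect http match-all http_url_policy
 match request uri regex class url_to_log
 match request method regex class methods_to_log
!
! log alone allows the request and writes a syslog message, which is what
! the text describes. The parameters go beyond it: malformed HTTP is dropped
! and logged, and the Server response header is rewritten to hide the
! real server software from clients.
policy-map type inspect http http_policy
 class http_url_policy
  log
 parameters
  protocol-violation action drop-connection log
  spoof-server "Server"
!
! HTTP inspection is off by default, but inspection_default already matches
! TCP/80, so one line on the global policy turns it on for every interface.
! Do not do this if an ASA CX or FirePOWER module already inspects HTTP.
policy-map global_policy
 class inspection_default
  inspect http http_policy
!
! Verify that the map is attached and that the log counter advances when a
! client fetches a matching URI with GET or PUT.
show service-policy inspect http
```

The order of the two class maps matters less than their types: `url_to_log` and `methods_to_log` are regex class maps that only group patterns, while `http_url_policy` is the inspection class map whose match-all semantics make the two tests an AND.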
HTTP inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. However, the default inspect class does include the default HTTP ports, so you can simply edit the default global inspection policy to add HTTP inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list http
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for HTTP inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure HTTP inspection.
Where http_policy_map is the optional HTTP inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the HTTP inspection policy map, see Configure an HTTP Inspection Policy Map.
Note If you are editing the default global policy (or any in-use policy) to use a different HTTP inspection policy map, you must remove the HTTP inspection with the no inspect http command, and then re-add it with the new HTTP inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the ASA in an ACL. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.
However, ICMP traffic directed to an ASA interface is never inspected, even if you enable ICMP inspection. Thus, a ping (echo request) to an interface can fail under specific circumstances, such as when the echo request comes from a source that the ASA can reach through a backup default route.
For information on enabling ICMP inspection, see Configure Application Layer Protocol Inspection.
When ICMP Error inspection is enabled, the ASA creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The ASA overwrites the packet with the translated IP addresses.
When disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP error messages. ICMP error messages generated by the intermediate nodes between the inside host and the ASA reach the outside host without consuming any additional NAT resource. This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the ASA. When the ASA does not translate the intermediate hops, all the intermediate hops appear with the mapped destination IP address.
The ICMP payload is scanned to retrieve the five-tuple from the original packet. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client. The ICMP error inspection engine makes the following changes to the ICMP packet:
– The mapped IP address in the embedded original packet is changed to the real IP address
– The mapped port in the embedded original packet is changed to the real port
– The IP checksum of the embedded original packet is recalculated
For information on enabling ICMP Error inspection, see Configure Application Layer Protocol Inspection.
The Instant Messaging (IM) inspect engine lets you control the network usage of IM and stop leakage of confidential data, propagation of worms, and other threats to the corporate network.
IM inspection is not enabled by default. You must configure it if you want IM inspection.
Step 1 Configure an Instant Messaging Inspection Policy Map.
Step 2 Configure the IM Inspection Service Policy.
To specify actions when a message violates a parameter, create an IM inspection policy map. You can then apply the inspection policy map when you enable IM inspection.
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
Step 1 (Optional) Create an IM inspection class map by performing the following steps.
A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
a. Create the class map by entering the following command:
Where the class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one match statement. The CLI enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
Where string is the description of the class map (up to 200 characters).
c. Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
d. Enter exit to leave class map configuration mode.
Step 2 Create an IM inspection policy map:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 3 (Optional) To add a description to the policy map, enter the following command:
Step 4 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
b. Specify the action you want to perform on the matching traffic by entering the following command:
The drop-connection keyword drops the packet and closes the connection.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map.
The following example shows how to define an IM inspection policy map.
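The listing is not on the page, so the following is an added example for this page (not Cisco's listing). It shows the pattern that matters for a data-leakage policy: permit and log text chat from an approved set of accounts, drop and log any file transfer, webcam or voice session regardless of account, and reset sessions from accounts that are not on the approved list. It then enables IM inspection on the default global policy, which the next procedure explains is off by default. All object names, the login names and the example.com domain are assumptions chosen for illustration.

```cisco
! Added example (not Cisco's listing). Paste at the global configuration
! prompt; prompts are omitted. All names and login names are assumptions.
!
! Approved accounts, anchored so "user10@example.com" does not match user1.
regex login1 "^user1@example\.com$"
regex login2 "^user2@example\.com$"
class-map type regex match-any im_allowed_logins
 match regex login1
 match regex login2
!
! Text chat on either supported protocol from an approved account.
! match-all: protocol AND login name AND service must all hold.
class-map type inspect im match-all im_chat_allowed
 match protocol msn-im yahoo-im
 match login-name regex class im_allowed_logins
 match service chat
!
! Anything that moves files or media out of the network. match-any: one hit
! is enough.
class-map type inspect im match-any im_exfil
 match service file-transfer
 match service webcam
 match service voice-chat
!
! Accounts that are not approved at all.
class-map type inspect im match-all im_other_logins
 match not login-name regex class im_allowed_logins
!
! Policy map. drop-connection closes the session quietly; reset also sends a
! TCP RST so the client gives up immediately; log alone allows and records.
policy-map type inspect im im_policy
 class im_exfil
  drop-connection log
 class im_other_logins
  reset log
 class im_chat_allowed
  log
!
! IM inspection is off by default, but inspection_default already matches
! the IM ports, so one line on the global policy enables it everywhere.
policy-map global_policy
 class inspection_default
  inspect im im_policy
!
! Verify that the map is attached and watch the per-class counters.
show service-policy inspect im
```

Start with `log` on every class and promote to `drop-connection` or `reset` only after the counters and syslog show the classes are catching what you expect; a mistyped login regex in `im_other_logins` otherwise resets every IM session on the network.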
IM inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. However, the default inspect class does include the default IM ports, so you can simply edit the default global inspection policy to add IM inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list im
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for IM inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure IM inspection.
Where im_policy_map is the optional IM inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the IM inspection policy map, see Configure an Instant Messaging Inspection Policy Map.
Note If you are editing the default global policy (or any in-use policy) to use a different IM inspection policy map, you must remove the IM inspection with the no inspect im command, and then re-add it with the new IM inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.
The following sections describe the IP Options inspection engine.
Each IP packet contains an IP header with the Options field. The Options field, commonly referred to as IP Options, provides control functions that are required in some situations but unnecessary for most common communications. In particular, IP Options include provisions for time stamps, security, and special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.
For a list of IP options, with references to the relevant RFCs, see the IANA page, http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml.
You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.
When you configure an IP options inspection policy map, you can specify whether you want to allow or clear each option type. If you do not specify an option type, packets that contain the option are dropped.
If you simply allow an option, packets containing the option are passed through unchanged.
If you specify that you want to clear an option from IP headers, the IP header changes in the following ways:
IP Options inspection can check for the following IP options in a packet. If an IP header contains any option other than these, the ASA drops the packet, regardless of how the map is configured for the options it does recognize.
IP Options inspection is enabled by default, using the _default_ip_options_map inspection policy map.
Following is the policy map configuration:
IP options inspection is enabled by default. You need to configure it only if you want to allow more options than the default map allows.
Step 1 Configure an IP Options Inspection Policy Map.
Step 2 Configure the IP Options Inspection Service Policy.
If you want to perform non-default IP options inspection, create an IP options inspection policy map to specify how you want to handle each supported option type.
Step 1 Create an IP options inspection policy map:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
Step 3 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option. In all cases, the allow action allows packets that contain the option without modification; the clear action allows the packets but removes the option from the header. Any packet that contains an option that you do not include in the map is dropped. For a description of the options, see Supported IP Options for Inspection.
The default ASA configuration includes IP options inspection applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list ipoptions
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for IP options inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure IP options inspection.
Where ip_options_policy_map is the optional IP options inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the IP options inspection policy map, see Configure an IP Options Inspection Policy Map.
Note If you are editing the default global policy (or any in-use policy) to use a different IP options inspection policy map, you must remove the IP options inspection with the no inspect ip-options command, and then re-add it with the new IP options inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
You can use these techniques to monitor the results of IP options inspection:
The following sections describe the IPsec Pass Through inspection engine.
Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example, computer users or servers), between a pair of security gateways (such as routers or firewalls), or between a security gateway and a host.
IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL configuration to permit ESP and AH traffic and also provides security using timeout and max connections.
Configure a policy map for IPsec Pass Through to specify the restrictions for ESP or AH traffic. You can set the per client max connections and the idle timeout.
NAT and non-NAT traffic is permitted. However, PAT is not supported.
IPsec Pass Through inspection is not enabled by default. You must configure it if you want IPsec Pass Through inspection.
Step 1 Configure an IPsec Pass Through Inspection Policy Map.
Step 2 Configure the IPsec Pass Through Inspection Service Policy.
An IPsec Pass Through map lets you change the default configuration values used for IPsec Pass Through application inspection. You can use an IPsec Pass Through map to permit certain flows without using an ACL.
The configuration includes a default map, _default_ipsec_passthru_map, that sets no maximum limit on ESP connections per client, and sets the ESP idle timeout at 10 minutes. You need to configure an inspection policy map only if you want different values, or if you want to set AH values.
Step 1 Create an IPsec Pass Through inspection policy map:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
Step 3 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
The following example shows how to use ACLs to identify IKE traffic, define an IPsec Pass Thru parameter map, define a policy, and apply the policy to the outside interface:
IPsec Pass Through inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. However, the default inspect class does include the default IPsec ports, so you can simply edit the default global inspection policy to add IPsec inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list ipsec
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for IPsec Pass Through inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure IPsec Pass Through inspection.
Where ipsec_policy_map is the optional IPsec Pass Through inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the inspection policy map, see Configure an IPsec Pass Through Inspection Policy Map.
Note If you are editing the default global policy (or any in-use policy) to use a different IPsec Pass Through inspection policy map, you must remove the IPsec Pass Through inspection with the no inspect ipsec-pass-thru command, and then re-add it with the new IPsec Pass Through inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header. In addition, IPv6 inspection can check conformance to RFC 2460 for type and order of extension headers in IPv6 packets.
If you enable IPv6 inspection and do not specify an inspection policy map, then the default IPv6 inspection policy map is used, and the following actions are taken:
Following is the policy map configuration:
IPv6 inspection is not enabled by default. You must configure it if you want IPv6 inspection.
Step 1 Configure an IPv6 Inspection Policy Map.
Step 2 Configure the IPv6 Inspection Service Policy.
To identify extension headers to drop or log, or to disable packet verification, create an IPv6 inspection policy map to be used by the service policy.
Step 1 Create an IPv6 inspection policy map.
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) Add a description to the policy map.
Step 3 (Optional) Drop or log traffic based on the headers in IPv6 messages.
a. Identify the traffic based on the IPv6 header.
Where type is one of the following:
b. Specify the action to perform on matching packets. You can drop the packet and optionally log it, or just log it. If you do not enter an action, the packet is logged.
c. Repeat the process until you identify all headers that you want to drop or log.
Step 4 Configure parameters that affect the inspection engine.
a. Enter parameters configuration mode.
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
The following example creates an inspection policy map that will drop and log all IPv6 packets with the hop-by-hop, destination-option, routing-address, and routing type 0 headers. It also enforces header order and type.
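The checks such a map performs, as an added Python model (written for this page; not the ASA configuration listing or ASA code): it walks the extension-header chain, drops or logs by header type including routing type 0, and enforces the RFC 2460 header order and count rules. The drop/log table is constructed for the example, and the sample packets use unspecified (::) addresses.

```python
"""Model of the IPv6 extension-header checks performed by IPv6 inspection.

Added illustration, not ASA code. It walks the extension-header chain, applies
a constructed drop/log table per header type (including routing type 0), and
checks the order and count rules of RFC 2460 section 4.1.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
         ESP: "esp", AH: "ah", DEST_OPTS: "destination-option"}
# Position of each header in the RFC 2460 recommended order (Destination
# Options is handled separately because it may appear in two places).
ORDER = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
# Constructed table, not the default IPv6 map: drop hop-by-hop and routing
# type 0, log destination options.
POLICY = {HOP_BY_HOP: "drop", ("routing", 0): "drop", DEST_OPTS: "log"}


def walk_headers(packet):
    """Yield (header_type, routing_type_or_None) for each extension header."""
    next_hdr, off = packet[6], 40
    while next_hdr in EXTENSION_HEADERS:
        if next_hdr == ESP:              # ESP encrypts its Next Header; stop here
            yield ESP, None
            return
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[off], packet[off + 1]
        # Fragment is a fixed 8 bytes; AH counts 32-bit words; others 8-octet units.
        length = 8 if next_hdr == FRAGMENT else (ext_len + 2) * 4 if next_hdr == AH else (ext_len + 1) * 8
        if off + length > len(packet):
            raise ValueError("truncated extension header")
        rtype = packet[off + 2] if next_hdr == ROUTING else None
        yield next_hdr, rtype
        next_hdr, off = nh, off + length


def order_violation(chain):
    """Return a reason if the chain breaks RFC 2460 order or count rules."""
    seen, last_rank = {}, -1
    for i, (htype, _) in enumerate(chain):
        if htype == HOP_BY_HOP and i != 0:
            return "hop-by-hop header not first"
        seen[htype] = seen.get(htype, 0) + 1
        if seen[htype] > (2 if htype == DEST_OPTS else 1):
            return "header %s repeated" % NAMES[htype]
        if htype == DEST_OPTS:
            # Legal before the Routing header, or as the last header in the chain.
            rank = 1 if (seen[htype] == 1 and last_rank <= 1) else 6
        else:
            rank = ORDER[htype]
        if rank < last_rank:
            return "header %s out of order" % NAMES[htype]
        last_rank = rank
    return None


def inspect(packet, policy=POLICY, verify_order=True):
    """Return (verdict, reasons): "pass" or "drop", plus the log lines produced."""
    try:
        chain = list(walk_headers(packet))
    except ValueError as exc:
        return "drop", [str(exc)]
    verdict, reasons = "pass", []
    for htype, rtype in chain:
        action = policy.get(("routing", rtype)) if htype == ROUTING else None
        if action is None:
            action = policy.get(htype)
        if action:
            name = "routing type %d" % rtype if htype == ROUTING else NAMES[htype]
            reasons.append("%s: %s" % (action, name))
            verdict = "drop" if action == "drop" else verdict
    if verify_order:                     # the header order/type conformance check
        problem = order_violation(chain)
        if problem:
            reasons.append("drop: " + problem)
            verdict = "drop"
    return verdict, reasons


def build_packet(ext_headers, payload=b"constructed payload"):
    """Construct an IPv6 packet (:: -> ::) from (type, header_bytes) pairs; byte 0
    of each header (Next Header) is filled in here and the payload is UDP (17)."""
    next_types = [t for t, _ in ext_headers[1:]] + [17]
    exts = b"".join(bytes([nt]) + body[1:] for (_, body), nt in zip(ext_headers, next_types))
    first = ext_headers[0][0] if ext_headers else 17
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(exts) + len(payload),
                        first, 64, bytes(16), bytes(16))
    return fixed + exts + payload


# Constructed sample headers (byte 0 is the Next Header placeholder).
HBH_HDR = (HOP_BY_HOP, bytes([0, 0, 1, 4, 0, 0, 0, 0]))            # PadN only
RT0_HDR = (ROUTING, bytes([0, 2, 0, 1, 0, 0, 0, 0]) + bytes(16))   # type 0, one address
FRAG_HDR = (FRAGMENT, bytes([0, 0, 0, 0, 0, 0, 0, 1]))
DST_HDR = (DEST_OPTS, bytes([0, 0, 1, 4, 0, 0, 0, 0]))
```

Passing verify_order=False corresponds to disabling the packet verification checks while keeping the per-header drop and log actions.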
IPv6 inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. You can simply edit the default global inspection policy to add IPv6 inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list ipv6
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for IPv6 inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure IPv6 inspection.
Where ipv6_policy_map is the optional IPv6 inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the inspection policy map, see Configure an IPv6 Inspection Policy Map.
Note If you are editing the default global policy (or any in-use policy) to use a different IPv6 inspection policy map, you must remove the IPv6 inspection with the no inspect ipv6 command, and then re-add it with the new IPv6 inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
NetBIOS inspection is enabled by default. The NetBIOS inspection engine translates IP addresses in the NetBIOS name service (NBNS) packets according to the ASA NAT configuration. You can optionally create a policy map to drop or log NetBIOS protocol violations.
Step 1 Configure a NetBIOS Inspection Policy Map for Additional Inspection Control.
Step 2 Configure the NetBIOS Inspection Service Policy.
To specify the action for protocol violations, create a NETBIOS inspection policy map. You can then apply the inspection policy map when you enable NETBIOS inspection.
Step 1 Create a NetBIOS inspection policy map.
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
Step 3 Enter parameters configuration mode.
Step 4 Specify the action to take for NETBIOS protocol violations.
Where the drop action drops the packet. The log action sends a system log message when this policy map matches traffic.
NetBIOS application inspection performs NAT for the embedded IP address in the NetBIOS name service packets and NetBIOS datagram services packets. It also enforces protocol conformance, checking the various count and length fields for consistency.
The default ASA configuration includes NetBIOS inspection on the default port applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list netbios
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for NetBIOS inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure NetBIOS inspection.
Where netbios_policy_map is the optional NetBIOS inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the NetBIOS inspection policy map, see Configure a NetBIOS Inspection Policy Map for Additional Inspection Control.
Note If you are editing the default global policy (or any in-use policy) to use a different NetBIOS inspection policy map, you must remove the NetBIOS inspection with the no inspect netbios command, and then re-add it with the new NetBIOS inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and managing the PPTP GRE tunnels. The GRE tunnels carry PPP sessions between the two hosts.
When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic.
Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP control channel is disabled if the version announced by either side is not Version 1. In addition, the outgoing-call request and reply sequence is tracked. Connections and xlates are dynamically allocated as necessary to permit subsequent secondary GRE data traffic.
The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and RFC 1702).
For information on enabling PPTP inspection, see Configure Application Layer Protocol Inspection.
ESMTP inspection detects attacks, including spam, phishing, malformed message attacks, and buffer overflow/underflow attacks. It also provides support for application security and protocol conformance, which enforce the sanity of the ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay.
The following sections describe the ESMTP inspection engine.
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session, but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for the following extended SMTP commands: AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, ONEX, VERB, and CHUNKING, and private extensions are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as “500 Command unknown: 'XXX'.” Incomplete commands are discarded.
The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length, must be terminated with a carriage return and line feed, and the client must wait for a response before issuing the next command.
An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
ESMTP inspection is enabled by default, using the _default_esmtp_map inspection policy map.
Following is the policy map configuration:
ESMTP inspection is enabled by default. You need to configure it only if you want different processing from that provided by the default inspection map.
Step 1 Configure an ESMTP Inspection Policy Map.
Step 2 Configure the ESMTP Inspection Service Policy.
To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You can then apply the inspection policy map when you enable ESMTP inspection.
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
Step 1 Create an ESMTP inspection policy map, enter the following command:
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) To add a description to the policy map, enter the following command:
Step 3 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following match commands. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
b. Specify the action you want to perform on the matching traffic by entering the following command:
Not all options are available for each match command. See the CLI help or the command reference for the exact options available.
You can specify multiple match commands in the policy map. For information about the order of match commands, see Defining Actions in an Inspection Policy Map.
Step 4 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
The following example shows how to define an ESMTP inspection policy map.
The default ASA configuration includes ESMTP inspection applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. You can alternatively create a new service policy as desired, for example, an interface-specific policy.
Step 1 If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.
hostname(config-cmap)# match access-list esmtp
In the default global policy, the inspection_default class map is a special class map that includes default ports for all inspection types (match default-inspection-traffic). If you are using this class map in either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps).
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.
Step 3 Identify the L3/L4 class map you are using for ESMTP inspection.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name. Otherwise, you are specifying the class you created earlier in this procedure.
Step 4 Configure ESMTP inspection.
Where esmtp_policy_map is the optional ESMTP inspection policy map. You need a map only if you want non-default inspection processing. For information on creating the ESMTP inspection policy map, see Configure an ESMTP Inspection Policy Map.
Note If you are editing the default global policy (or any in-use policy) to use a different inspection policy map, you must remove the ESMTP inspection with the no inspect esmtp command, and then re-add it with the new inspection policy map name.
Step 5 If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.
The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
TFTP inspection is enabled by default.
TFTP, described in RFC 1350, is a simple protocol to read and write files between a TFTP server and client.
The ASA inspects TFTP traffic and dynamically creates connections and translations, if necessary, to permit file transfer between a TFTP client and server. Specifically, the inspection engine inspects TFTP read request (RRQ), write request (WRQ), and error notification (ERROR).
A dynamic secondary channel and a PAT translation, if necessary, are allocated on reception of a valid read (RRQ) or write (WRQ) request. This secondary channel is subsequently used by TFTP for file transfer or error notification.
Only the TFTP server can initiate traffic over the secondary channel, and at most one incomplete secondary channel can exist between the TFTP client and server. An error notification from the server closes the secondary channel.
TFTP inspection must be enabled if static PAT is used to redirect TFTP traffic.
For information on enabling TFTP inspection, see Configure Application Layer Protocol Inspection.