Configuring Application Layer Protocol Inspection – Cisco ASA 5505 User Manual


42-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 42 Getting Started with Application Layer Protocol Inspection

Configuring Application Layer Protocol Inspection

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Configuring Application Layer Protocol Inspection

This feature uses the Modular Policy Framework to create a service policy. Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. See Chapter 32, “Configuring a Service Policy Using the Modular Policy Framework,” for more information; the same chapter also describes the special actions you can perform for some applications when you enable inspection.

Inspection is enabled by default for some applications. See the “Default Settings” section for more information. Use this section to modify your inspection policy.

Detailed Steps

Step 1

To identify the traffic to which you want to apply inspections, add either a Layer 3/4 class map for through traffic or a Layer 3/4 class map for management traffic. See the “Creating a Layer 3/4 Class Map for Through Traffic” section on page 32-12 and the “Creating a Layer 3/4 Class Map for Management Traffic” section on page 32-14 for detailed information. The management Layer 3/4 class map can be used only with the RADIUS accounting inspection.

The default Layer 3/4 class map for through traffic is called “inspection_default.” It matches traffic using a special match command, match default-inspection-traffic, which matches the default ports for each application protocol. This traffic class (along with match any, which is not typically used for inspection) matches both IPv4 and IPv6 traffic for inspections that support IPv6. See the “Guidelines and Limitations” section on page 42-3 for a list of IPv6-enabled inspections.

You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored; the access list contributes only its source and destination addresses to the match.
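As an added example (this is not configuration from the guide), the following shows Step 1 carried through to a working policy: a class map that combines match default-inspection-traffic with match access-list so that inspection is applied only to one subnet. The subnet 10.1.1.0/24, the access list name dmz_inspect_acl and the class name dmz_inspection_class are assumed for illustration; preset_dns_map and global_policy are the default names from the configuration shown above.

```cisco
! Added example, not from the guide. The subnet, the ACL name and the class
! name are assumed; preset_dns_map and global_policy are the ASA defaults.
!
! Addresses only: match default-inspection-traffic supplies the ports, so a
! port in this ACL (for example "eq 2121") would be ignored and FTP would still
! be matched on its default port 21.
access-list dmz_inspect_acl extended permit ip 10.1.1.0 255.255.255.0 any
!
! A Layer 3/4 class map may carry these two match commands together: the ACL
! narrows the addresses, default-inspection-traffic supplies the protocol and
! port pairs for every inspection engine.
class-map dmz_inspection_class
 match default-inspection-traffic
 match access-list dmz_inspect_acl
!
! Attach the class to the existing global policy and enable only the
! inspections wanted for that subnet.
policy-map global_policy
 class dmz_inspection_class
  inspect dns preset_dns_map
  inspect ftp
!
! global_policy is already applied globally in the default configuration;
! repeating the command is harmless.
service-policy global_policy global
```

Verify the result with show service-policy, which lists each class and the inspections applied to it per interface. One caveat when adding a class to global_policy: a packet is matched against the classes of a policy map in the order they appear, and for a given feature type such as inspection it matches only the first class that applies. If the default inspection_default class precedes dmz_inspection_class, it claims all default-port traffic first and the narrower class never matches. To give the narrower class priority, remove inspection_default from global_policy (no class inspection_default) and re-add it, with its inspect commands, after dmz_inspection_class; alternatively, put the class in its own policy map and apply it to the relevant interface, remembering that an interface service policy takes precedence over the global policy for inspection on that interface.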
