Cisco ASA 5505 User Manual

Page 871

42-7

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 42 Getting Started with Application Layer Protocol Inspection

Configuring Application Layer Protocol Inspection

Tip

We suggest that you only inspect traffic on ports on which you expect application traffic; if you
inspect all traffic, for example using match any, the ASA performance can be impacted.

If you want to match non-standard ports, then create a new class map for the non-standard ports. See the
“Default Settings” section on page 42-4 for the standard ports for each inspection engine. You can
combine multiple class maps in the same policy if desired, so you can create one class map to match
certain traffic, and another to match different traffic. However, if traffic matches a class map that
contains an inspection command, and then matches another class map that also has an inspection
command, only the first matching class is used. For example, SNMP matches the inspection_default
class. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add
another class that matches SNMP.

For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter
the following commands:

hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect

View the entire class map using the following command:

hostname(config-cmap)# show running-config class-map inspection_default
!
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
!

To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies
the ports, and assign it to a new class map:

hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
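As an added check that is not part of the guide, the following Python script parses a constructed running-config fragment (modelled on the examples above) and reports the ports a later policy-map class shares with an earlier one, which is the situation the text warns about: only the first matching class is inspected. The set of ports behind match default-inspection-traffic is an assumed subset; the guide's “Default Settings” section has the real table, and the parser only looks at ACL entries of the form eq <port>, ignoring addresses.

```python
import re
# Constructed subset of the ports behind "match default-inspection-traffic" (assumption).
DEFAULT_INSPECTION_PORTS = {("tcp", 21), ("tcp", 80), ("udp", 161), ("udp", 162)}
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) \S+ \S+ eq (\d+)$")

def parse_config(config):
    """Map each class-map to its (proto, port) set and list the policy-map class order."""
    acls, classes, order = {}, {}, []
    cur, in_policy = None, False  # class-map being defined / inside a policy-map
    for line in (ln.strip() for ln in config.splitlines()):
        m = ACL_RE.match(line)
        if m:  # only 'eq <port>' entries count; addresses are ignored here
            acls.setdefault(m.group(1), set()).add((m.group(2), int(m.group(3))))
        elif line.startswith("class-map "):
            cur, in_policy = line.split()[1], False
        elif line.startswith("policy-map "):
            cur, in_policy = None, True
        elif line == "match default-inspection-traffic" and cur:
            classes.setdefault(cur, set()).update(DEFAULT_INSPECTION_PORTS)
        elif line.startswith("match access-list ") and cur:
            classes.setdefault(cur, set()).update(acls.get(line.split()[2], set()))
        elif line.startswith("class ") and in_policy:
            order.append(line.split()[1])
    return classes, order

def shadowed_ports(config):
    """Ports of each policy-map class that an earlier class already matches (first match wins)."""
    classes, order = parse_config(config)
    seen, report = set(), {}
    for name in order:
        ports = classes.get(name, set())
        if ports & seen:
            report[name] = ports & seen
        seen |= ports
    return report

# Constructed running-config fragment modelled on the guide's examples.
SAMPLE_CONFIG = """access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
access-list snmp_dup extended permit udp any any eq 161
class-map inspection_default
 match default-inspection-traffic
class-map new_inspection
 match access-list ftp_inspect
class-map snmp_class
 match access-list snmp_dup
policy-map global_policy
 class inspection_default
 class new_inspection
 class snmp_class"""
```

Running shadowed_ports(SAMPLE_CONFIG) flags tcp/21 in new_inspection and udp/161 in snmp_class, because inspection_default already claims both; port 1056 is left alone.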

Step 2

(Optional) Some inspection engines let you control additional parameters when you apply the inspection
to the traffic. See the following sections to configure an inspection policy map for your application:

• DCERPC—See the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 46-2.

• DNS—See the “Configuring a DNS Inspection Policy Map for Additional Inspection Control” section on page 43-7.

• ESMTP—See the “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section on page 43-32.

• FTP—See the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on page 43-12.

• GTP—See the “Configuring a GTP Inspection Policy Map for Additional Inspection Control” section on page 46-4.

• H323—See the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section on page 44-6.

• HTTP—See the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section on page 43-17.