Enabling Application Inspection Using the Modular Policy Framework

Cisco ASA provides the Modular Policy Framework (MPF) for applying application-layer inspection and other security actions to traffic, and for performing quality of service (QoS) functions. MPF gives a consistent, flexible way to configure application inspection and related features on the Cisco ASA, in a manner similar to the Cisco IOS Software Modular QoS CLI (MQC).


Chapter 12, "Quality of Service," covers the QoS functionality in detail.

As a general rule, the provisioning of inspection policies requires the following steps:

  1. Configure traffic classes to identify interesting traffic.
  2. Associate actions to each traffic class to create policies.
  3. Activate the policies on an interface.

These policy provisioning steps can be completed using these three main commands of the MPF:

  • class-map Classifies the traffic to which a policy will apply. A class map can use several kinds of match criteria (an ACL, a port, the built-in default-inspection-traffic set, and others); the most common is an access control list (ACL), as Example 8-1 demonstrates.
  • policy-map Associates actions with traffic classes. Each class command inside a policy map, together with the actions configured under it, forms one policy; a policy map can contain several such class/action pairs.
  • service-policy Activates a policy map globally (on all interfaces) or on a targeted interface. Only one policy map can be active globally, and only one can be active on any given interface.

Example 8-1. Matching Specific Traffic Using an ACL

Chicago(config)# access-list udptraffic permit udp any any
Chicago(config)# class-map UDPclass
Chicago(config-cmap)# match access-list udptraffic
Chicago(config-cmap)# exit
Chicago(config)# policy-map udppolicy
Chicago(config-pmap)# class UDPclass
Chicago(config-pmap-c)# inspect tftp
Chicago(config-pmap-c)# exit
Chicago(config-pmap)# exit
Chicago(config)# service-policy udppolicy global

In Example 8-1, an ACL named udptraffic is configured to match all UDP traffic, and the class map UDPclass references that ACL.

A policy map named udppolicy then applies the tftp inspection engine to the UDPclass class, so TFTP sessions within the classified UDP traffic are inspected. Finally, the service-policy command activates udppolicy globally.

Two points matter in practice. First, because the ACL matches all UDP rather than UDP port 69, every UDP flow is handed to the TFTP inspection engine; in production, narrow the ACL to the TFTP port and the servers of interest. Second, an ASA already carries a default global policy (shown in Example 8-2), and the appliance accepts only one global service policy, so applying a second one as in Example 8-1 is rejected; either add the new class and its actions to the existing global policy map, or remove the existing global service policy before activating the new one.

The security appliance ships with a default class map named inspection_default and a default policy map named global_policy (named asa_global_fw_policy in early ASA 7.0 releases), and the default policy map is already applied globally. Example 8-2 shows the default class map and policy map as they appear in the running configuration of the Cisco ASA.

Example 8-2. Default Class and Policy Maps

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
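To make the three provisioning steps (class map, policy map, service policy) and the default policy of Example 8-2 concrete, here is an added example in Python; it is not code from the book or from Cisco. It parses class-map, policy-map and service-policy text in the running-configuration layout shown above, reports policy maps that are never activated and classes that carry no action, flags an attempt to apply a second global service policy, and resolves which inspections are actually active on a given interface. The sample configuration, the interface name inside, and the policy names dns_inside and unused_policy are constructed for the example. The precedence rule the resolver applies (an interface policy wins over the global policy for the same feature) is Cisco's documented MPF behaviour and is stated where it is used in the code.

```python
"""Resolve a Cisco ASA Modular Policy Framework configuration.
Added example, not code from the book or from Cisco: it parses the
class-map / policy-map / service-policy text of Examples 8-1 and 8-2 and
reports which policy maps are really active and which inspections apply
on a given interface. Only the layer 3/4 class-map forms used on this page
are handled; class-map type inspect and regex maps are out of scope."""

# Constructed sample (not a real device config): a trimmed default policy,
# the udppolicy of Example 8-1, an interface policy on 'inside' and a policy
# map that is never activated. The last service-policy line is one an operator
# might try to type; the ASA rejects a second global policy at the CLI, and
# the audit below catches it before the change reaches the device.
SAMPLE_CONFIG = """\
access-list udptraffic extended permit udp any any
class-map inspection_default
 match default-inspection-traffic
class-map UDPclass
 match access-list udptraffic
class-map DNSclass
 match port udp eq domain
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect tftp
policy-map dns_inside
 class DNSclass
  inspect dns maximum-length 1024
policy-map udppolicy
 class UDPclass
  inspect tftp
policy-map unused_policy
 class DNSclass
service-policy global_policy global
service-policy dns_inside interface inside
service-policy udppolicy global
"""


def parse_mpf(config_text):
    """Return {'classes': {name: [match ...]}, 'policies': {name: {class: [action ...]}},
    'service': [(policy_name, 'global' or interface_name)]}."""
    classes, policies, service = {}, {}, []
    cur_class = cur_policy = cur_pclass = None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):            # a top-level command closes any open block
            cur_class = cur_policy = cur_pclass = None
            if tokens[0] == "class-map":        # name is the last word, also for 'type ...' forms
                cur_class = tokens[-1]
                classes[cur_class] = []
            elif tokens[0] == "policy-map":
                cur_policy = tokens[-1]
                policies[cur_policy] = {}
            elif tokens[0] == "service-policy":  # '... NAME global' or '... NAME interface IFNAME'
                service.append((tokens[1], "global" if tokens[2] == "global" else tokens[3]))
        elif cur_class is not None and tokens[0] == "match":
            classes[cur_class].append(" ".join(tokens[1:]))
        elif cur_policy is not None and tokens[0] == "class":   # one class/action pair = one policy
            cur_pclass = tokens[1]
            policies[cur_policy][cur_pclass] = []
        elif cur_pclass is not None:            # an action line such as 'inspect tftp'
            policies[cur_policy][cur_pclass].append(" ".join(tokens))
    return {"classes": classes, "policies": policies, "service": service}


def audit(mpf):
    """Findings about policies that cannot be doing what the operator expects."""
    findings, applied = [], {}
    for pname, target in mpf["service"]:
        if pname not in mpf["policies"]:
            findings.append(f"service-policy {pname}: policy map is not defined")
        if target in applied:                   # ASA allows one global and one policy per interface
            findings.append(f"{target}: second service-policy {pname} ({applied[target]} already applied)")
        else:
            applied[target] = pname
    activated = {p for p, _ in mpf["service"]}
    for pname, pclasses in mpf["policies"].items():
        if pname not in activated:
            findings.append(f"policy-map {pname}: defined but never activated by a service-policy")
        for cname, actions in pclasses.items():
            if cname != "class-default" and cname not in mpf["classes"]:   # class-default is built in
                findings.append(f"policy-map {pname}: class {cname} is not a defined class-map")
            if not actions:
                findings.append(f"policy-map {pname}: class {cname} has no actions")
    return findings


def effective_inspections(mpf, interface):
    """Map inspected protocol -> (policy, class, action) active on `interface`.
    The interface policy is read first, then the global one; where both inspect
    the same protocol the interface entry is kept, following the ASA rule that an
    interface policy takes precedence over the global policy for the same feature."""
    applied = {}
    for pname, target in mpf["service"]:
        applied.setdefault(target, pname)       # first policy per target, as on the device
    result = {}
    for pname in (applied.get(interface), applied.get("global")):
        for cname, actions in mpf["policies"].get(pname, {}).items():
            for action in actions:
                tokens = action.split()
                if tokens[0] == "inspect":      # keyed on the protocol word; h323's h225/ras sub-
                    result.setdefault(tokens[1], (pname, cname, action))   # inspections would need a finer key
    return result


if __name__ == "__main__":
    cfg = parse_mpf(SAMPLE_CONFIG)
    print(*audit(cfg), sep="\n")
    print(effective_inspections(cfg, "inside"))
```

Run against the sample, the audit reports the second global service policy, the never-activated unused_policy, and its action-less class; the resolver shows that on inside the dns inspection comes from dns_inside while ftp and tftp come from global_policy, and that an interface with no policy of its own receives only the global set.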

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231