Selective Inspection

As previously mentioned, the match command allows you to specify what traffic the Cisco ASA inspection engine will process. It can be used in conjunction with an ACL to determine what traffic will be inspected. Example 8-3 shows all the supported options for traffic classification in a class map named UDPclass.

Example 8-3. Supported Traffic Classification Options

Chicago(config)# class-map UDPclass
Chicago(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748     dns-------udp--53
                              ftp-------tcp--21       gtp-------udp--2123,3386
                              h323-h225-tcp--1720     h323-ras--udp--1718-1719
                              http------tcp--80       icmp------icmp
                              ils-------tcp--389      mgcp------udp--2427,2727
                              netbios---udp--137-138  rpc-------udp--111
                              rsh-------tcp--514      rtsp------tcp--554
                              sip-------tcp--5060     sip-------udp--5060
                              skinny----tcp--2000     smtp------tcp--25
                              sqlnet----tcp--1521     tftp------udp--69
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group

Table 8-2 briefly describes all the options supported by the match command.

Table 8-2. match Subcommand Options

Option                      Description
access-list                 Specifies an ACL used to match or classify the traffic to be inspected.
any                         Any IP traffic.
default-inspection-traffic  The default entry for inspection of the supported protocols. This match applies only to the inspect command. It cannot be associated with any action commands but inspect.
dscp                        Matches based on IP DSCP (DiffServ CodePoints).
flow                        Used for flow-based policy.
port                        Used to match TCP and/or UDP ports.
precedence                  Matches based on the IP Precedence value represented by the TOS byte in the IP header. The precedence value can be in a range from 0 to 7.
rtp                         Matches Real Time Protocol (RTP) port numbers.
tunnel-group                Matches VPN traffic of a specific tunnel group.

Note

Details on matching traffic based on DSCP, flow, precedence, and tunnel group are covered in Chapter 12.

To display statistics on the traffic being inspected on the Cisco ASA, use the show service-policy command. Example 8-4 shows the output of this command.

Example 8-4. Output of show service-policy Command

Chicago# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 24, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 10, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 54, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
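The per-engine counters in show service-policy are what an operator watches to see whether an inspection engine is actually dropping traffic. The following parser is an added example, not from the book or from Cisco: it reads output in the layout of Example 8-4 (the sample text is constructed, with non-zero drop counters invented for the esmtp line) and reports the engines whose drop or reset-drop counters are non-zero, which is the usual trigger for looking closer at a policy.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of Example 8-4; the esmtp drop counters are made up.
SAMPLE_OUTPUT = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 24, drop 0, reset-drop 0
      Inspect: esmtp, packet 54, drop 3, reset-drop 1
      Inspect: netbios, packet 10, drop 0, reset-drop 0
"""

# One "Inspect:" line: engine name (optionally followed by options such as
# "maximum-length 512"), then the three counters.
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<engine>.+?),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset>\d+)\s*$"
)

@dataclass
class InspectStats:
    policy: str
    class_map: str
    engine: str
    packets: int
    drops: int
    reset_drops: int

def parse_service_policy(text):
    """Parse show service-policy output into one InspectStats per Inspect line."""
    policy = class_map = None
    stats = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Service-policy:"):
            policy = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Class-map:"):
            class_map = stripped.split(":", 1)[1].strip()
        else:
            m = INSPECT_RE.match(line)
            if m:
                engine = m["engine"].split()[0]  # drop per-engine options
                stats.append(InspectStats(policy, class_map, engine,
                                          int(m["packet"]), int(m["drop"]), int(m["reset"])))
    return stats

def engines_with_drops(stats):
    """Return the engines whose drop or reset-drop counters are non-zero."""
    return [s for s in stats if s.drops or s.reset_drops]

if __name__ == "__main__":
    for s in engines_with_drops(parse_service_policy(SAMPLE_OUTPUT)):
        print(f"{s.policy}/{s.class_map}: {s.engine} drop {s.drops}, reset-drop {s.reset_drops}")
```

Run against real output, a non-zero drop counter on an engine that should be passing traffic is the cue to check the class map and inspect settings that apply to it.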

The following sections include information about each application inspection protocol supported on Cisco ASA.

Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
Year: 2006
Pages: 231