Monday, June 20, 2011

Chapter 9: Inspecting Traffic with the ASA (Part01)

.....update soon ......


Chapter 7: Inspecting Traffic

Add a note here Overview

Add a note here Refer to the following sections for information about these topics:

  • Add a note here 7-1: Filtering Content Covers third-party web content-filtering applications you can use to control outbound access through a firewall.

  • Add a note here 7-2: Defining Security Policies in a Modular Policy Framework Explains the modular approach to configuring and enforcing security policies. Traffic can be matched with one type of policy module and acted on within another policy module. The whole hierarchy of policies is then applied to firewall interfaces and traffic inspection.

  • Add a note here 7-3: Application Inspection Provides an overview of the mechanisms a Cisco firewall uses to inspect specific application traffic. Some applications embed information about their connections within normal UDP or TCP traffic, requiring additional inspection by the firewall.

Add a note here A firewall maintains the state of connections passing through it to provide effective security. Connection state involves parameters such as address translation, connection direction and flow, and limits on the connection itself. In addition, a firewall must be able to inspect various protocols as they pass through, so that the protocols themselves meet criteria defined in the security policies.

Add a note hereThis chapter covers the tools and features you can use to gain a more thorough inspection of traffic content. Your firewall can filter traffic based on its content, inspect traffic based on a hierarchical policy definition, and inspect many application layer protocols.

7-1: Filtering Content

Add a note hereA firewall normally allows outbound HTTP or HTTPS connections to any URL, provided that the outbound access list permits the connection. An audit trail of URL activity is available only through the firewall Syslog records, using Syslog message 304001 at the default severity level, 5 (notifications).

Add a note hereCisco firewalls can use third-party web content-filtering applications to enforce URL policies. These content filters run on a local server but download periodic updates of web content databases. Web content is categorized, and content rules can be applied to corporate users or groups of users.

Add a note hereWhen a user sends a URL request, the firewall relays the request to the content-filtering server. If the server determines that the user is allowed to view the URL and its content, the firewall permits the connection to proceed.

Add a note hereIf the content-filtering server denies the URL request, the firewall redirects the user’s browser to a “block” page, indicating that the server blocked or denied the request.

Add a note hereThe content-filtering server can apply its policies on a per-user basis if necessary. It obtains the user’s credentials (username, IP address, destination URL, and address) directly from the user’s host PC. This also provides an accounting log of user activity.

Add a note hereThe following commercial content-filtering applications are compatible with Cisco firewalls:

  • Add a note hereN2H2 (

  • Add a note hereWebsense (

Add a note here Configuring Content Filters

Add a note here You can use the following steps to configure content filtering on a Cisco firewall. The command syntax is basically the same across the FWSM, PIX, and ASA platforms, so only a single syntax form is shown for each command.


Add a note hereContent filtering is triggered by the HTTP inspection engine, which must be enabled before any content servers can be contacted. If you are about to configure content filtering, make sure you have the fixup protocol http (PIX 6.x) or inspect http (ASA and FWSM) command in the running configuration.

Add a note hereLikewise, if this command is disabled, Websense and N2H2 content filtering is disabled too.

  1. Add a note hereIdentify the filter servers:

    Add a note hereFirewall(config)# url-server [(if_name)] vendor n2h2 host local_ip
    [port number] [timeout seconds] [protocol {tcp | udp}]

    Add a note hereor

    Add a note hereFirewall(config)# url-server [(if_name)] vendor websense host local_ip
    [timeout seconds] [protocol {tcp | udp} version]

    Add a note hereThe filtering server is located on the firewall interface named (if_name) (the parentheses must be included) at the IP address local_ip. By default, the inside interface is assumed. For security best practice, the server should not be located on the outside or a public interface.

    Add a note hereBy default, N2H2 uses TCP/UDP port 4005 to filter information exchanges. You can specify a nondefault port number with the port keyword.

    Add a note hereYou can repeat this command to define up to 16 servers using the same filtering software. The firewall waits until a timeout period of seconds expires (the default is 5 seconds) if a filtering server does not respond. In that case, the same request is sent to the next server configured.

    Add a note hereTCP connections are used by default for both N2H2 and Websense servers. You can use either tcp or udp, depending on your requirements. Websense also allows a software version to be specified: 1 (using TCP or UDP) or 4 (using UDP only).

    Add a note hereIn ASA and FWSM, you can add connections num_conns after the tcp keyword. This limits the number of simultaneous TCP connections the firewall can open to the content filter server to num_conns (1 to 100; the default is 5).

  2. Add a note hereDefine a filtering policy:

    Add a note hereFirewall(config)# filter url [http | port[-port]] local_ip local_mask
    foreign_ip foreign_mask [allow] [proxy-block] [longurl-truncate |
    longurl-deny] [cgi-truncate]

    Add a note here You can define one or more broad filtering policies with this command and then make specific exceptions in the next step. Web traffic is defined as http (port 80), port (a single port number), or port-port, a range of ports.

    Add a note hereYou can provide the local (source) and foreign (destination) IP addresses and subnet masks. When web clients using local addresses send HTTP requests to web servers with foreign addresses, those requests are subject to filtering. In most cases, you can define the policy to use any local address and any foreign address. To do this, specify the local and foreign values as 0s (0 0 0 0).

    Add a note hereFor example, you could use the following command to filter the content of HTTP connections from inside hosts on the subnet destined for any outside address. Here, the “any” destination address is given as 0 0:

    Add a note hereFirewall(config)# filter url http 0 0

    Add a note hereBy default, if none of the filtering servers is available, the HTTP requests are dropped. This assumes that the filtering policies must be strictly enforced, requiring filtering servers to make decisions at all times. If this is too restrictive for your environment, you can add the allow keyword so that HTTP requests are allowed by the firewall if no filtering servers respond.

    Add a note hereTo prevent web clients from using an HTTP proxy server to relay HTTP requests, add the proxy-block keyword.

    Add a note hereYou can also define how the firewall reacts when very long URLs (longer than the URL buffer defined in Step 7) are used in HTTP requests. The longurl-truncate keyword sends only the source address or host name to the filtering server. The longurl-deny keyword causes the firewall to reject the HTTP request directly, without consulting the filtering server. In the case of CGI scripts, the cgi-truncate keyword causes CGI scripts to be sent to the filtering server as regular URLs. In other words, the CGI portion of the original URL is removed from the filtering server’s decision process.

  3. Add a note here(Websense only) Define a filtering policy for HTTPS:

    Add a note hereFirewall(config)# filter https dest-port local_ip local_mask foreign_ip
    foreign_mask [allow]

    Add a note hereYou can also allow HTTPS traffic to be filtered by a Websense server. Identify the HTTPS port as dest-port (usually port 443). Connections that are subject to filtering have clients using local (source) addresses defined by local_ip and local_mask and web servers using foreign (destination) addresses defined by foreign_ip and foreign_mask.

    Add a note hereAdd the allow keyword if you want the firewall to go ahead and allow connections when all the Websense servers are unresponsive. Otherwise, HTTPS connections are dropped if they are not explicitly allowed by a filtering server.

  4. Add a note here(Websense only) Define a filtering policy for FTP:

    Add a note hereFirewall(config)# filter ftp dest-port local_ip local_mask foreign_ip
    foreign_mask [allow] [interact-block]

    Add a note here If you have a Websense server, you can filter FTP connections based on GET commands. The FTP port is given as dest-port (usually port 21).

    Add a note hereAdd the allow keyword if you want the firewall to allow FTP connections when all the Websense servers are unresponsive.

    Add a note hereThe interact-block keyword causes connections coming from interactive FTP clients to be rejected. In an interactive FTP client, a user can initiate the connection and then change directories at will. When files are requested from the FTP server, the full path name is not sent in the request. The filenames are relative to the current directory path, so the filtering server cannot correctly determine if the user is requesting something that should be denied.

    Add a note hereFor example, you could use the following command to require Websense approval for all FTP GET commands initiated through the firewall. Interactive FTP clients are blocked:

    Add a note hereFirewall(config)# filter ftp 21 0 0 0 0 allow interact-block
  5. Add a note hereMake exceptions to the filtering policy:

    Add a note hereFirewall(config)# filter {url | https | ftp} except local_ip local_mask
    foreign_ip foreign_mask

    Add a note hereYou might have some web clients, users, or automated processes that need to send different types of requests without a filtering server’s inspection or intervention. You can define exceptions to the overall filtering policy by giving the protocol (url, https, or ftp), as well as the local (source) and foreign (destination) addresses and subnet masks.

    Add a note hereClients using a matching local address are allowed to complete a transaction with a server using a matching foreign address. You can use 0 to indicate an “any” or wildcard-matching condition for any of the address and mask values.

    Add a note hereFor example, inside host and hosts on the entire subnet should be exempt from HTTP (URL) filtering. Inside host also should be exempt from FTP filtering. You could use the following commands to accomplish this:

    Add a note hereFirewall(config)# filter url except 0 0
    Firewall(config)# filter url except 0 0
    Firewall(config)# filter ftp except 0 0
  6. Add a note here(Optional) Use an HTTP response buffer to return web content faster:

    Add a note hereFirewall(config)# url-block block block_buffer_limit

    Add a note hereWhen a web client requests web content from a foreign site, the firewall relays the request toward the website and sends a request to the filtering server—all in parallel. By default, if the web server responds before the filtering server, the content is dropped at the firewall. If the filtering server responds first with its permission data, the web content is allowed through when it arrives.

    Add a note hereYou can use an HTTP response buffer in the firewall to store web content until the filtering server has time to respond. As soon as the server approves the URL for the web client, the buffered contents are read and relayed to the client.

    Add a note here The HTTP response buffer can be enabled to store up to block_buffer_limit (0 to 128) 1550-byte blocks in memory.

  7. Add a note here(Optional; Websense only) Adjust the maximum acceptable URL length.

    1. Add a note hereBuffer URLs before sending Websense requests:

      Add a note hereFirewall(config)# url-block url-mempool memory_pool_size

      Add a note hereBy default, a firewall accepts URLs that are up to 1159 bytes long before sending a request to either Websense or N2H2. You can adjust the URL buffer so that several large URLs can be gathered and sent to a Websense server. The URL buffer limit can be set to memory_pool_size (2 to 10240 kilobytes).

    2. Add a note hereSet the maximum acceptable URL length:

      Add a note hereFirewall(config)# url-block url-size long_url_size

      Add a note hereTo allow URLs longer than 1159 bytes to be sent to a Websense server, set the URL length to long_url_size (2, 3, or 4 kilobytes). You need to adjust this limit only if you have cases in which very long URLs (greater than 1159 bytes) are being rejected.

  8. Add a note here(Optional) Use a cache to store filtering permissions:

    Add a note hereFirewall(config)# url-cache {dst | src_dst} kbytes

    Add a note hereAs a firewall sends requests to a filtering server, it can also cache the results that are returned. For subsequent requests for the same web client and target website, the firewall can quickly retrieve the cached permissions rather than waiting for the filtering server to respond again.

    Add a note hereBy default, the URL cache is disabled. The firewall sends each request to the filtering server and waits for each response before passing the return web content.

    Add a note hereYou can use the dst keyword to cache permission results based on the URL destination address only. If every web client behind the firewall shares the same policy on the filtering server, there is no need to cache the source information too. If web clients have different policies on the filtering server, you should use the src_dst keyword to gather source and destination information in the cache.

    Add a note hereYou can also set the size of the URL cache to kbytes (1 to 128 kilobytes).


    Add a note hereDuring normal requests to the filtering server, the server keeps a record of user activity in its accounting logs. When a URL cache is used (except with Websense version 1), these logs can still be collected, because the firewall still sends each request to the server, even though it might have a matching entry in its cache. The filtering requests and cache lookups happen in parallel so that a cache hit produces a quick permission result. In this case, any reply from the server is simply dropped. If an entry is not in the cache, no time is wasted, because the filtering server will have already sent a reply.

    Add a note here You can monitor the status of the URL cache with the show url-cache statistics command. If the cache is performing efficiently, you should see a large percentage of hits in relation to the number of lookups.

    Add a note hereFor example, the following output shows that 432 URL lookups occurred; 396 of those resulted in a cache hit, where the result was already in the cache. This represents a high hit percentage, indicating that the cache is doing its job.

    Add a note hereFirewall# show url-cache statistics
    URL Filter Cache Stats
    Size : 128KB
    Entries : 219
    In Use : 105
    Lookups : 432
    Hits : 396
  9. Add a note here(Optional) Filter ActiveX content:

    Add a note hereFirewall(config)# filter activex {port[-port] | except}local_ip local_mask
    foreign_ip foreign_mask

    Add a note hereActiveX objects that are found on connections using destination port number port (or a range of ports port-port) are subject to being blocked by the firewall. The connections must be initiated by clients using matching local (source) addresses toward servers using matching foreign (destination) addresses. You can substitute 0s as a wildcard “any” for any address or mask field.

    Add a note hereThe firewall blocks ActiveX objects by looking for the HTML and tags. The tags are commented out before the content is forwarded to the client. The client cannot interpret the result as a valid ActiveX object. Nested objects are also blocked, because the first-level objects are commented out.

    Add a note hereYou can also use the except keyword to define address pairs where ActiveX filtering should not be performed.

  10. Add a note here(Optional) Filter Java content:

    Add a note hereFirewall(config)# filter java {port[-port] | except} local_ip mask
    foreign_ip mask

    Add a note hereJava applets that are found on connections using destination port number port (or a range of ports port-port) are subject to being blocked by the firewall. The connections must be initiated by clients using matching local (source) addresses toward servers using matching foreign (destination) addresses. You can substitute 0s as a wildcard “any” for any address or mask field.

    Add a note hereThe firewall blocks Java objects by looking for the HTML and tags. The tags are commented out before the content is forwarded to the client.

    Add a note hereYou can also use the except keyword to define address pairs where Java filtering should not be performed.


Add a note here You can monitor the performance of the URL buffer with the show url-block block stats command, as in the following example:

Add a note hereFirewall# show url-block block stats
URL Pending Packet Buffer Stats with max block 0
Cumulative number of packets held: 0
Maximum number of packets held (per URL): 0
Current number of packets held (global): 0
Packets dropped due to
exceeding url-block buffer limit: 0
HTTP server retransmission: 0
Number of packets released back to client: 0

Add a note hereIf you are using content-filtering servers, you can monitor their activity with the show url-server stats (PIX 6.3) or show url-server statistics (ASA and FWSM) command. In the following example, two Websense servers are used. A total of 447,869 URL requests have been sent to the servers, 394,410 of those were permitted, and 53,459 of them were denied because of the local content policies configured on the servers. Notice that one server is up, but the other is unresponsive.

Add a note hereFirewall# show url-server stats
URL Server Statistics:
Vendor websense
URLs total/allowed/denied 447869/394410/53459
URL Server Status:
------------------ UP DOWN

Add a note hereYou can also get an idea about the rate at which the firewall is sending URL requests to the content-filtering servers. Use the show perfmon command, and look for the URL Access row to see how many new URLs are being requested per second. The URL Server Req row shows the rate at which the requests are being sent to the content-filtering servers.

Add a note hereFirewall# show perfmon
PERFMON STATS: Current Average
Xlates 39/s 0/s
Connections 110/s 1/s
TCP Conns 80/s 0/s
UDP Conns 29/s 0/s
URL Access 57/s 0/s
URL Server Req 50/s 0/s
TCP Fixup 5033/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 2293/s 0/s
FTP Fixup 4/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s

Add a note here Content-Filtering Examples

Add a note hereA corporation has two Websense servers located on the firewall’s DMZ interface at and The firewall intercepts every HTTP request and relays them to the Websense servers. If neither server responds within the default 5-second period (for each server), the firewall allows the request.

Add a note hereThe only exceptions to this policy are with all hosts on the subnet, which are allowed to request any URL with no Websense intervention. Inside host is allowed to request any URL as well. Inside host is allowed to request URLs from outside server without Websense intervention. If the inside host requests URLs from any other address, Websense is consulted.

Add a note hereAll HTTPS and FTP requests are subject to the local Websense server policies.

Add a note hereTo improve filtering server response, 128 blocks of memory are dedicated to buffering web content that arrives before the filtering server can respond. A cache is also configured so that repeated URL requests can be serviced immediately without waiting for further filtering server replies. This cache uses 128 KB of memory and is based on the source and destination address combinations.

Add a note hereThe configuration for this example is as follows:

Add a note hereFirewall(config)# url-server (dmz) vendor websense host protocol TCP
version 4

Firewall(config)# url-server (dmz) vendor websense host protocol TCP
version 4

Firewall(config)# filter url http 0 0 0 0 allow proxy-block
Firewall(config)# filter url except 0 0
Firewall(config)# filter url except 0 0
Firewall(config)# filter url except

Firewall(config)# filter https 443 0 0 0 0 allow
Firewall(config)# filter ftp 21 0 0 0 0 allow
Firewall(config)# url-block block 128
Firewall(config)# url-cache src_dst 128

Add a note here Using a Web Cache for Better HTTP Performance

Add a note hereBeginning with ASA 7.2(1), an ASA platform can redirect inbound HTTP connections to an external web cache server if the web page has been accessed before. The Web Cache Communication Protocol version 2 (WCCPv2) is used to identify a request for a previously viewed web page and to redirect the client to the web cache server.

Add a note hereIf a connection is redirected to the cache server, it bypasses some of the normal inspection processes such as URL filtering, TCP intercept, Intrusion Prevention System (IPS), and so on.

Add a note here The client and the web cache server must be located on the same firewall interface for the WCCP redirect feature to work. As soon as the firewall redirects the client from the requested destination to the web cache server, the client can then communicate with the web cache server directly.

Add a note hereYou can use the following steps to configure WCCP redirect:

  1. Add a note hereEnable WCCP:

    Add a note hereFirewall(config)# wccp {web-cache | service_number} [redirect-list access-list]
    [group-list access-list] [password password]

    Add a note hereWCCP can participate in the web cache service or in service group number service_number (0 to 255). You can repeat this command to identify more than one service number. To control the traffic that is redirected to the service group, configure an access list that permits traffic to be redirected. Then apply the access list here with the redirect-list keyword.

    Add a note hereYou can limit the web caches that can participate in the service group with the group-list keyword. The access list should permit cache IP addresses that are allowed to participate.

    Add a note hereIf your service group uses MD5 authentication, you can use the password keyword to define a password string of up to seven characters.

  2. Add a note hereEnable WCCP redirection on an interface:

    Add a note hereFirewall(config)# wccp interface interface_name service redirect in

7-2: Defining Security Policies in a Modular Policy Framework

Add a note hereTraditionally, Cisco firewalls have supported security policies that are applied to all traffic passing through them. Although that does offer a common level of security to all the protected networks and hosts, it does not offer a way to fine-tune or vary the policies according to differing requirements.

Add a note hereBeginning with ASA 7.0(1) and FWSM 3.1(1), a Cisco firewall can be configured to provide security policies that are tailored for various traffic types, quality of service (QoS), or inspection requirements. This is known as the modular policy framework (MPF).

Add a note hereWith the MPF feature, you can define policies to identify a specific set of traffic and take any of the following actions on it:

  • Add a note here Apply application inspection engines— You can tailor the stateful inspection process that is performed on a very specific type of traffic. Different sets of traffic can be inspected differently.

  • Add a note here Set connection limits— The firewall can control the volume of UDP and TCP connections that are initiated for matched traffic.

  • Add a note here Adjust TCP parameters— Values carried in the TCP header can be inspected, changed, or normalized in very specific ways. This can be done differently for each set of traffic identified.

  • Add a note here Limit management traffic— Connections that terminate on the firewall itself can be limited, just like other types of connections that pass through the firewall. Configuring limits on management traffic can help prevent unnecessary strain on the firewall CPU.

  • Add a note here Send traffic to a Security Services Module (SSM)— The ASA platform can divert specific traffic to an embedded Advanced Inspection and Prevention (AIP) module or an embedded Content Security and Control (CSC) module.

  • Add a note here Limit the bandwidth used— You can tailor traffic policers to limit the bandwidth used by predefined sets of traffic. For example, mission-critical applications might be allowed to use any available bandwidth, whereas peer-to-peer file-sharing applications are limited to a small portion of interface bandwidth.

  • Add a note here Provide priority handling— Specific types of traffic can be given priority over other types as packets are sent out a firewall interface. This allows time-critical applications to receive premium service as those packets are inspected and passed through the firewall.

Add a note hereAs shown in Figure 7-1, you can configure security policies in a modular fashion. Traffic is classified according to an arbitrary type, and a policy can take some arbitrary action on it. The policy is actually carried out on a firewall interface or globally on all interfaces. This whole process is configured in scalable pieces, according to the following model:

  • Add a note here Class map— A template that uses a match command to classify or identify types of traffic.

  • Add a note here Policy map— A list of policies, each referencing a class map to match or identify traffic and an action to take on that traffic.

  • Add a note here Service policy— A policy map is applied to one or all firewall interfaces, defining an entire set of match/action policies.

Click to collapse
Add a note hereFigure 7-1: The Modular Policy Framework for Applying Security Policies

Add a note hereThe Modular Policy Framework is a bit of a double-edged sword. On one hand, it is a very versatile means of defining robust security policies. On the other hand, it is so versatile that it can be confusing to configure.

Add a note hereAs you begin to configure your security policies, you should outline the structure of the policy map as a list of the individual policies. Each policy needs a class map to identify the traffic and an action to perform on the traffic.

Add a note hereIn a sense, you have to work backward first, because you need to configure class maps to identify traffic before the policy map can reference those class maps.

Add a note here Classifying Layers 3 and 4 Traffic

Add a note hereAs traffic moves through the firewall, it can be identified or classified according to the matching conditions defined in a class map. You can configure multiple class maps to identify several different classes of traffic, if needed. Then a different policy can be applied to each traffic class.

Add a note hereThe following sections discuss how you can configure a class map for identifying a specific type of traffic according to parameters found in Layers 3 and 4, or the IP and UDP or TCP packet headers, respectively.


Add a note here A class map can also match against other conditions that are based on parameters further inside an IP, UDP, or TCP packet. This type of class map is used in conjunction with application layer inspection policies and is discussed in Section “7-3: Application Inspection.”

Add a note hereThe class map is defined and described by the following configuration commands. In addition, you add more commands to identify specific traffic, as described in the sections beginning with “Match Against...” that follow. Finally, the class map is used to identify traffic as part of the policy map configuration in the section titled “Defining a Layer 3/4 Policy.”

  1. Add a note hereDefine the class map:

    Add a note hereFirewall(config)# class-map class_map_name

    Add a note hereThe class map is named class_map_name (an arbitrary string of up to 40 characters).

    Add a note here You can define only one matching condition in a class map. The only exceptions are match tunnel-group and match default-inspection-traffic, which are described in further detail in the “Match Against a VPN Tunnel Group” and “Match Default Traffic” sections, respectively.

    Add a note hereAfter creating a class map, you can change its name without deleting it and reconfiguring it. To do this, use the following command while in class map configuration mode:

    Add a note hereFirewall(config-cmap)# rename name
  2. Add a note here(Optional) Add a description to the class map:

    Add a note hereFirewall(config-cmap)# description text

    Add a note hereYou can add a string of descriptive text (up to 200 characters) to a class map. This description can help firewall administrators identify or understand the class map’s purpose.

Match Against a Destination Port Number

Add a note hereYou can set up a class map to examine the destination TCP or UDP port in IP packets moving into or out of a firewall interface. Use the following command to set up the matching condition:

Add a note hereFirewall(config-cmap)# match port {tcp | udp} {eq port | range start end}

Add a note hereThe matching protocol is either tcp or udp. You can define an exact match with the eq keyword as port, either a supported keyword or a decimal number 1 through 65535. Otherwise, you can use the range keyword to define a match against a range of port values, from start to end.

Add a note hereFor example, the following commands define class maps that match HTTP and SIP traffic, respectively:

Add a note hereFirewall(config)# class-map class_http
Firewall(config-cmap)# match port tcp eq http
Firewall(config-cmap)# exit
Firewall(config)# class-map class_sip
Firewall(config-cmap)# match port udp eq sip
Firewall(config-cmap)# exit

Match Against an Access List

Add a note hereYou can use the access list to match several different protocols, ports, or address pairs. This is a convenient way to classify disparate types of traffic into a single class that ultimately has an action applied. The following steps show how to configure and then apply an access list in a class map.

  1. Add a note hereDefine the access list:

    Add a note hereFirewall(config)# access-list acl_id [line line-num] [extended]
    {permit | deny} {protocol | object-group protocol_obj_group}
    {source_addr source_mask | object-group network_obj_group}
    [operator sport | object-group service_obj_group]
    {destination_addr destination_mask | object-group network_obj_group}
    [operator dport | object-group service_obj_group]
    [time-range name]

    Add a note hereAny traffic that matches a permit statement in the access list becomes matched traffic in the class map. You can have deny statements in the access list, but they never result in a match for the class map.

    Add a note hereSection “6-3: Controlling Access with Access Lists” in Chapter 6, “Controlling Access Through the Firewall,” covers access list configuration in detail.


    Add a note hereIf you need to match against source and/or destination addresses in the access list, you need to consider any address translations that are occurring. Specify IP addresses with the values they will have after address translation. In other words, the match operation in a class map is handled after any relevant address translations.

    Add a note hereFor example, suppose a static NAT entry is configured so that inside host appears as on the outside. If an access list is used to match inbound traffic to that host, the inside or local address (after translation) should be specified, as demonstrated here:

    Add a note hereFirewall(config)# static (inside,outside) 192.
    168.198.17 netmask 0 0
    Firewall(config)# access-list test extended permit tcp any host eq http
    Firewall(config)# class-map test_class
    Firewall(config-cmap)# match access-list test
  2. Add a note hereApply the access list as the matching condition:

    Add a note hereFirewall(config-cmap)# match access-list acl_name

    Add a note hereThe access list named acl_name is used as a template to match traffic. Only one access list can be defined for matching in a class map.

    Add a note hereFor example, the following commands enable a single class map and match command to match several different types of traffic:

    Add a note hereFirewall(config)# access-list MyTraffic extended permit tcp any
    any eq http
    Firewall(config)# access-list MyTraffic extended permit tcp any
    any eq https
    Firewall(config)# access-list MyTraffic extended permit tcp any
    any eq 8080
    Firewall(config)# class-map MyClass
    Firewall(config-cmap)# match access-list MyTraffic

Match Against QoS Parameters

Add a note hereQuality of service (QoS) is a device’s capability to forward packets in an efficient, predictable, and reliable manner. Some types of traffic, such as voice and video applications, require data to be delivered without delay and without jitter (variations in delay).

Add a note hereIn releases before ASA 7.0(1), a firewall could handle traffic only on a “best-effort” basis, in which packets were inspected and forwarded in the order in which they were received. Beginning with ASA 7.0(1), a firewall can classify packets and place them in a priority queue. This interface queue is serviced ahead of any other queue so that any priority packets are sent first.

Add a note hereYou can use class maps to match against two types of QoS parameters: IP Precedence and Differentiated Services Code Point (DSCP). These values are included in every IP packet header. They indicate the QoS level that is needed for each packet’s delivery. IP Precedence is included in the type of service (ToS) byte.

Add a note hereToS and DSCP are two different interpretations of the same 1-byte field in the IP header, as shown in Figure 7-2. Specifically, IP Precedence is a 3-bit value (P2 to P0), and DSCP is a 6-bit value (DS5 to DS0).

Image from book
Add a note hereFigure 7-2: ToS and DSCP Byte Formats

Add a note hereThe DSCP value is broken down into the following components:

  • Add a note here Class selector (3 bits)— Classifies packets into eight classes: class 0 (best effort, the default), classes 1 through 4 (assured forwarding [AF]), class 5 (expedited forwarding [EF]), and classes 6 and 7 (used for network control traffic).

  • Add a note here Drop precedence (3 bits)— Within a class, packets are marked according to the tolerance for being dropped: High (3), Medium (2), and Low (1). Packets with a lower drop precedence need better service.

Add a note hereWhen DSCP values are written as a codepoint name, the format is class (AF or EF), followed by the class level (1 to 4), followed by the drop precedence. For example, DSCP AF21 is assured forwarding class 2, drop precedence 1. The best-service value is EF, which has no class or drop precedence.

Add a note here Table 7-1 compares the IP Precedence and DSCP fields with their possible values. You can use this table as a quick reference when defining or interpreting values from either field.

Add a note here Table 7-1: Mapping of IP Precedence and DSCP Values
Open table as spreadsheet

Add a note hereIP Precedence (3 Bits)

Add a note hereDSCP (6 Bits)

Add a note here Name

Add a note here Value

Add a note here Bits

Add a note here Per-Hop Behavior

Add a note here Class Selector

Add a note here Drop Precedence

Add a note here Codepoint Name

Add a note here DSCP Bits (Decimal)

Add a note hereRoutine

Add a note here0

Add a note here000

Add a note hereDefault

Add a note here

Add a note here

Add a note hereDefault

Add a note here000 000 (0)

Add a note herePriority

Add a note here1

Add a note here001

Add a note hereAF

Add a note here1

Add a note here1: Low

Add a note here2: Medium

Add a note here3: High

Add a note hereAF11

Add a note hereAF12

Add a note hereAF13

Add a note here001 010 (10)

Add a note here001 100 (12)

Add a note here001 110 (14)

Add a note hereImmediate

Add a note here2

Add a note here010

Add a note hereAF

Add a note here2

Add a note here1: Low

Add a note here2: Medium

Add a note here3: High

Add a note hereAF21

Add a note hereAF22

Add a note hereAF23

Add a note here010 010 (18)

Add a note here010 100 (20)

Add a note here010 110 (22)

Add a note hereFlash

Add a note here3

Add a note here011

Add a note hereAF

Add a note here3

Add a note here1: Low

Add a note here2: Medium

Add a note here3: High

Add a note hereAF31

Add a note hereAF32

Add a note hereAF33

Add a note here011 010 (26)

Add a note here011 100 (28)

Add a note here011 110 (30)

Add a note hereFlash Override

Add a note here4

Add a note here100

Add a note hereAF

Add a note here4

Add a note here1: Low

Add a note here2: Medium

Add a note here3: High

Add a note hereAF41

Add a note hereAF42

Add a note hereAF43

Add a note here100 010 (34)

Add a note here100 100 (36)

Add a note here100 110 (46)[1]

Add a note hereCritical[1]

Add a note here5

Add a note here101

Add a note hereEF

Add a note here

Add a note here

Add a note hereEF

Add a note here101 110 (46)[1]

Add a note hereInternetwork Control

Add a note here6

Add a note here110

Add a note here

Add a note here

Add a note here

Add a note here

Add a note here(48 to 55)

Add a note hereNetwork Control

Add a note here7

Add a note here111

Add a note here

Add a note here

Add a note here

Add a note here

Add a note here(56 to 63)

Add a note here [1]IP Precedence value 5 (DSCP EF) corresponds to the range of DSCP bits 101000 through 101111, or 40 through 47. However, only the value 101110 or 46 is commonly used and is given the EF designation.

Add a note hereYou can use the following steps to configure a QoS parameter to match against. You can use either IP Precedence or DSCP values.

  1. Add a note here(Optional) Match against the IP Precedence value:

    Add a note hereFirewall(config-cmap)# match precedence value1 [value2 [value3

    Add a note here The IP precedence field in the ToS byte of the IP header is examined in each packet going into or out of a firewall interface. You can specify up to four different precedence values to match against. These can be given as any of the following decimal numbers or keywords: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7).

    Add a note hereAs a rule of thumb, a higher precedence means a better QoS should be used. IP precedence is usually set by the originating host, or it can be set or overridden by a router along the traffic path. In other words, before you can depend on matching an IP precedence value, you should be confident that some other device is setting the values properly.

    Add a note hereFor example, the following commands configure a class map that matches against the critical and flash-override values:

    Add a note hereFirewall(config)# class-map high_precedence
    Firewall(config-cmap)# match precedence 4 5
    Firewall(config-cmap)# exit
  2. Add a note here(Optional) Match against the DSCP value:

    Add a note hereFirewall(config-cmap)# match dscp value1 [value2 ...[value8]]

    Add a note hereThe DSCP value in the IP header is examined in each packet going into or out of a firewall interface. You can specify up to eight different DSCP values to match against. These can be given as a decimal number (0 to 63) or as one of the following keywords: default (0), cs1 (8), af11 (10), af12 (12), af13 (14), cs2 (16), af21 (18), af22 (20), af23 (22), cs3 (24), af31 (26), af32 (28), af33 (30), cs4 (32), af41 (34), af42 (36), af43 (38), cs5 (40), ef (46), cs6 (48), or cs7 (56).

    Add a note hereDSCP is usually set by the originating host, or it can be set or overridden by a router along the traffic path. In other words, before you can depend on matching a certain DSCP value, you should be confident that some other device is setting the values properly.

    Add a note hereFor example, the following commands define class maps that match against the EF DSCP value and all AF4 values:

    Add a note hereFirewall(config)# class-map dscp_ef
    Firewall(config-cmap)# match dscp ef
    Firewall(config-cmap)# exit
    Firewall(config)# class-map dscp_af4
    Firewall(config-cmap)# match dscp af41 af42 af43
    Firewall(config-cmap)# exit

Match Against a Range of Real-Time Transport Protocol (RTP) Port Numbers

Add a note hereRTP is most often used for audio or video streams, where data is sent in one direction using a range of UDP port numbers. You can match RTP by defining the port range beginning at starting_port (2000 to 65535) and continuing for range (0 to 16383) ports with the following configuration command:

Add a note hereFirewall(config-cmap)# match rtp starting_port range

Add a note hereFor example, to match against RTP ports 2000 through 2100, you could use the following commands:

Add a note hereFirewall(config)# class-map rtp
Firewall(config-cmap)# match rtp 2000 100
Firewall(config-cmap)# exit

Match Against a VPN Tunnel Group

Add a note hereIf the firewall is configured to support and terminate Virtual Private Network (VPN) tunnels, you can match the traffic passing through a tunnel belonging to a specific tunnel group name. In this way, firewall service policies can be applied on a per-tunnel group basis:

Add a note hereFirewall(config-cmap)# match tunnel-group name

Add a note hereYou can also add a second match condition to classify each traffic flow (connections using a common destination address) within a tunnel group:

Add a note hereFirewall(config-cmap)# match flow ip destination-address

Add a note hereThis is most often used in conjunction with the police action in a policy map so that traffic flows to unique destination addresses within a tunnel group can be policed to a certain data rate.

Match All Traffic

Add a note hereAll packets passing into or out of a firewall interface can be matched and identified with a class map. This is a handy way to subject all types of traffic to an action in a policy map. Use the following configuration command to match any traffic:

Add a note hereFirewall(config-cmap)# match any

Match Default Traffic

Add a note hereTo perform the default application inspections, a firewall must first match the various traffic types. This command sets up this default arrangement by matching against predefined protocols and port numbers for the respective applications:

Add a note hereFirewall(config-cmap)# match default-inspection-traffic

Add a note hereThis command is configured in the inspection_default class map as part of the default firewall configuration. See the section “Default Policy Definitions” for more details.

Add a note here Classifying Management Traffic

Add a note here Beginning with ASA 8.0(1), you can define a special “mananagement” class map type to match specific traffic that terminates on the firewall itself. For example, you might want to match against HTTP traffic so that you can limit the number of ASDM connections users can attempt to start.

Add a note hereBy classifying management traffic as a special case, you can configure specific policies to help prevent denial-of-service attacks on the firewall itself. Otherwise, once you enable the firewall’s HTTP server to offer the ASDM management interface, malicious users might also make use of the HTTP service and perhaps cripple the firewall’s CPU.

Add a note hereYou can define a management class map with the following configuration command:

Add a note hereFirewall(config)# class-map type management mgmt_cmap_name

Add a note hereThen define matching conditions that will identify the specific management traffic. You can match against an access list with the following commands:

Add a note hereFirewall(config-cmap)# match access-list acl_name

Add a note hereA previously configured access list will permit the management traffic so that it is matched here. The access list does not actually permit or deny the management traffic from reaching or being interpreted by the firewall—it is only used to match the management traffic for further handling.

Add a note hereYou can also match against the TCP or UDP port numbers used in the management traffic with the following command:

Add a note hereFirewall(config-cmap)# match port {tcp | udp} {eq port_number | range low high}

Add a note hereThe protocol is identified as tcp or udp. Use the eq keyword to give a specific port number, or the range keyword to give a range of port numbers (low to high). Port numbers can be any number 1-65535. You cannot use any other keywords that represent port numbers, such as www, ssh, and so on. Also, the port numbers represent the destination port for the management service that is running on the firewall.

Add a note hereYou can repeat the match commands to define other management traffic that should be classified.

Add a note hereOnce the management class map has been configured, you can reference it with the class command, as you would a normal Layer 3/4 class map. The only difference is that management traffic terminating on the firewall itself will be classified and handled as a unique policy, separate from any other regular traffic policy.

Add a note here Defining a Layer 3/4 Policy

Add a note hereAfter Layer 3 or 4 traffic has been identified or classified, the firewall can take some action on it. You can define a policy map that contains one or more class maps, followed by an action for each. The entire policy map is then applied to one or all firewall interfaces, where the classifications and actions are carried out.

Add a note here You can follow these steps to configure a policy map and apply it to a firewall interface:

  1. Add a note hereDefine a policy map:

    Add a note hereFirewall(config)# policy-map policy_map_name

    Add a note hereThe policy map is named policy_map_name (an arbitrary string of up to 40 characters).

    Add a note hereAs soon as you create a policy map, you can change its name without deleting it and reconfiguring it. To do this, use the following command while in policy map configuration mode:

    Add a note hereFirewall(config-pmap)# rename name
  2. Add a note here(Optional) Add a description to the policy map:

    Add a note hereFirewall(config-pmap)# description text

    Add a note hereYou can add a string of descriptive text (up to 200 characters) to a policy map that can help firewall administrators identify or understand the policy map’s purpose.

  3. Add a note hereMatch traffic with a class map:

    Add a note hereFirewall(config-pmap)# class {class_map_name | class-default}

    Add a note hereYou can specify the class map named class_map_name to identify a specific type of traffic. This can be a Layer 3/4 class map configured with the class-map cmap_name command, or a management class map configured with the class-map type management cmap_name command.

    Add a note hereYou also can use the class-default keyword to use the default class map. This is a handy way to identify all the traffic that has not been classified in any other class map. The class-default class map is automatically configured in a firewall by default, and it contains only the match any command. Therefore, this class map should be the last one defined in a policy.

    Add a note hereFor example, a class map named MyClass is configured and used in a policy map in the following commands:

    Add a note hereFirewall(config)# class-map MyClass
    Firewall(config-cmap)# match any
    Firewall(config-cmap)# exit
    Firewall(config)# policy-map MyPolicy
    Firewall(config-pmap)# class MyClass
  4. Add a note hereTake an action on the matched traffic.

    Add a note hereAfter class maps are defined in a policy map, the policy map is applied to a firewall interface as a service policy, independent of traffic direction. In other words, traffic can be matched and acted on in a bidirectional manner, whether it is inbound or outbound. Some restrictions do apply, however.

    Add a note here Table 7-2 lists each policy map action according to its supported traffic direction. Policing and Low-Latency Queuing (LLQ) are typically techniques performed on packets that are leaving the firewall on an interface. Therefore, those two actions are unidirectional, in the outbound direction only.

    Add a note here Table 7-2: Policy Map Actions per Supported Traffic Direction
    Open table as spreadsheet

    Add a note hereBidirectional Action

    Add a note hereUnidirectional Action

    Add a note hereApplication inspection (inspect)

    Add a note herePolicers (police)

    Add a note hereConnection options (set connection)

    Add a note hereLow-Latency Queuing (priority)

    Add a note hereIntrusion Prevention System module (ips)

    Add a note here

    Add a note hereContent Security and Control module (csc)

    Add a note here

    Add a note hereYou can configure one or more of the following actions to take on the matched traffic:

    • Add a note hereInspect the traffic with an application inspection engine

    • Add a note hereSet connection limits

    • Add a note hereAdjust TCP options

    • Add a note hereInspect the traffic with an Intrusion Prevention System (IPS) module (ASA platform only)

    • Add a note hereInspect the traffic with a Content Security and Control (CSC) module (ASA platform only)

    • Add a note herePolice the traffic to a rate limit

    • Add a note hereUse LLQ for priority handling

    Add a note hereThese policy actions are discussed in the following sections.

  5. Add a note hereRepeat Steps 3 and 4 to define other policies.

  6. Add a note hereApply the policy map as a service policy:

    Add a note hereFirewall(config)# service-policy policy_map_name {global | interface if_name}

    Add a note hereAfter you have finished adding class commands and their corresponding actions, you can apply the completed policy map so that it can be used.

    Add a note hereThe policy map named policy_map_name is applied as a service policy to one or more firewall interfaces. You can specify a single interface with the interface keyword and the interface name if_name (outside, for example). Only one policy map can be applied to a service policy, and only one service policy can be applied to an interface.

    Add a note hereYou can also use the global keyword to apply the service policy to all firewall interfaces simultaneously. You can configure only one global service policy. By default, only the global_policy policy map is applied globally.

Set Connection Limits on the Matched Traffic

Add a note here You can configure one or more actions within a policy map to limit various aspects of TCP connections, as discussed in the following tasks:

  • Add a note hereSet TCP connection timeouts:

    Add a note hereFWSM

    Add a note here

    Add a note here
    Firewall(config-pmap-c)# set connection timeout [embryonic {hh:mm:ss |
    0}] [half-closed {hh:mm:ss | 0}] [tcp {hh:mm:ss | 0}

    Add a note hereASA

    Add a note here

    Add a note here
    Firewall(config-pmap-c)# set connection timeout [embryonic {hh:mm:ss |
    0}] [half-closed {hh:mm:ss | 0}] [tcp {hh:mm:ss | 0} [dcd [retry_interval

    Open table as spreadsheet

    Add a note hereFor matched packets, you can adjust the TCP connection timeout limits and set them as the appropriate conn entries are dynamically created.

    Add a note hereRefer to Table 7-3 for each type of connection timeout and its associated keyword.

    Add a note here Table 7-3: TCP Connection Timeout Limit Options
    Open table as spreadsheet

    Add a note hereDescription

    Add a note hereKeyword for set connection timeout command

    Add a note hereTimeout values

    Add a note hereAutomatically close embryonic (not completely opened) connections after a timeout

    Add a note here

    Add a note here
    embryonic {hh:mm:ss | 0}

    Add a note hereDefault: 30 seconds

    Add a note hereMinimum: 5 seconds

    Add a note hereAutomatically close half-closed (partially closed, or incomplete FIN-FIN handshake) connections after a timeout

    Add a note here

    Add a note here
    half-closed {hh:mm:ss | 0}

    Add a note hereDefault: 10 minutes

    Add a note hereMinimum: 5 minutes

    Add a note hereAutomatically close TCP connections that have been idle after a timeout

    Add a note here

    Add a note here
    tcp {hh:mm:ss | 0}

    Add a note hereDefault: 1 hour

    Add a note hereMinimum: 5 minutes

    Add a note hereUse Dead Connection Detection (DCD) to probe for defunct idle connections

    Add a note here

    Add a note here
    dcd [retry_interval [max_retries]]

    Add a note here retry_interval = 15 seconds

    Add a note here max_retries = 5

    Add a note hereIn each case, the timeout value is set to hh:mm:ss (24-hour format) or 0 for unlimited time.

    Add a note hereWith the tcp keyword, the firewall identifies any TCP connection that has been idle for longer than the timeout value and automatically closes it. While this is a handy housekeeping function, it closes any TCP connection that has been idle more than a fixed amount of time.

    Add a note here Some TCP connections can remain idle for an extended period of time, but still be valid. For example, suppose the TCP idle timeout is set to 5 minutes. A Telnet session through the firewall to a host could very easily stay idle for more than 5 minutes, while the user answered a telephone call or got up to do something else. Closing idle, but valid, connections would become a nuisance to the end users.

    Add a note hereBeginning with ASA 7.2(1), you can add the dcd keyword in conjunction with the tcp timeout function. After a TCP connection has been idle for the tcp timeout duration, the firewall begins to send probes to the client and server. The probes stimulate the hosts to answer; if they both answer, the connection must still be valid and should not be closed for being idle.

    Add a note hereDCD probes are sent at retry_interval seconds. If no response is received, the probes are resent for max_retries times. If there still is no response at that point, the connection is presumed to be idle and is automatically closed.


    Add a note hereWhat sort of probes does a firewall send for DCD? It sends a minimum size packet with the ACK bit set, using the same IP addresses and TCP ports that the actual TCP connection uses. In this way, the client and server each think it is simply answering a TCP ACK sent by its peer. No data changes hands, other than basic acknowledgments.

  • Add a note hereSet connection volume limits:

    Add a note hereFWSM

    Add a note here

    Add a note here
    Firewall(config-pmap-c)# set connection [conn-max n] [random-sequence-
    number {enable | disable}]

    Add a note hereASA

    Add a note here

    Add a note here
    Firewall(config-pmap-c)# set connection [conn-max n] [embryonic-conn-
    max n] [per-client-embryonic-max n] [per-client-max n] [random-
    sequence-number {enable | disable}]
    Open table as spreadsheet

    Add a note hereBy default, an unlimited number of simultaneous UDP and TCP connections are allowed across an address translation. The set connection command can be used in a policy map to set connection limits on traffic to and from specific hosts.

    Add a note hereThe connection limits configured with set connection are very similar to the limits set in address translation commands such as static and nat. See “Handling Connections Through an Address Translation” in Section “6-2: Handling Connections Through an Address Translation” in Section “Routed Firewall Mode and Address Translation,” for more information.


    Add a note hereIf connection limits are configured in a policy map (set connection) and an address translation (static or nat), and a traffic flow applies to both conditions, the lower connection limit is enforced.

    Add a note here Refer to Table 7-4 for each type of connection limit and its associated keyword:

    Add a note here Table 7-4: Connection Limiting Options
    Open table as spreadsheet

    Add a note hereDescription

    Add a note hereKeyword for set connection command

    Add a note hereValues

    Add a note hereLimit the total simultaneous connections in use by all traffic matching the policy

    Add a note here

    Add a note here
    conn-max n

    Add a note hereDefault: 0 (unlimited)

    Add a note hereMaximum: 65535

    Add a note hereLimit the total number of embryonic connections opened for all traffic matching the policy

    Add a note here

    Add a note here
    embryonic-conn-max n

    Add a note hereDefault: 0 (unlimited)

    Add a note hereMaximum: 65535

    Add a note hereLimit the total number of embryonic connections opened on a per-client or host basis

    Add a note here

    Add a note here
    per-client-embryonic-max n

    Add a note hereDefault: 0 (unlimited)

    Add a note hereMaximum: 65535

    Add a note hereLimit the total number of simultaneous connections in use on a per-client or host basis

    Add a note here

    Add a note here
    per-client-max n

    Add a note hereDefault: 0 (unlimited)

    Add a note hereMaximum: 65535

    Add a note hereAssign a random initial sequence number (ISN) for each new TCP connection

    Add a note here

    Add a note here
    random-sequence-generator {enable | disable}

    Add a note hereDefault: enable

    Add a note hereWhen the maximum number of connections is reached, the firewall begins dropping any new connections. As soon as one of the embryonic connection limits is reached, the firewall begins intercepting new connections and acting as a proxy for the connection target.

    Add a note hereYou can also use the random-sequence-generator keyword to enable or disable randomization of the initial sequence number (ISN) when TCP connections are established.


Add a note hereYou can monitor the activity of set connection policy actions with the following command:

Add a note hereFirewall# show service-policy set connection

Add a note hereThe following example shows the connection volume limits and timeout values that have been configured in a service policy named policy-outbound:

Add a note hereFirewall# show service-policy set connection
Global policy:
Service-policy: global_default
Interface outside:
Service-policy: policy-outbound
Class-map: outbound
Set connection policy: conn-max 100 embryonic-conn-max 10
current embryonic conns 0, current conns 0, drop 0
Set connection timeout policy:
tcp 0:30:00
DCD: enabled, retry-interval 0:01:0, max-retries 5
DCD: client-probe 5, server-probe 5, conn-expiration 0

Adjust TCP Options for the Matched Traffic

Add a note hereYou can define a TCP map that acts as a template for modifying various options in the TCP header of matched packets. Use the following configuration steps to create and use a TCP map:

  1. Add a note hereDefine the TCP map:

    Add a note hereFirewall(config)# tcp-map tcp_map_name

    Add a note hereThe TCP map is given an arbitrary name tcp_map_name.

  2. Add a note hereUse one or more of the commands listed in Table 7-5 to specify actions to take on the TCP header.

    Add a note here Table 7-5: TCP Header Actions
    Open table as spreadsheet

    Add a note hereAction Description

    Add a note hereCommand Syntax

    Add a note hereVerifies that TCP retransmissions are consistent with the originals. Packets must arrive in sequential order.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# check-retransmission

    Add a note hereVerifies the TCP checksum and drops the packet if it fails.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# checksum-verification

    Add a note here Takes action (the default is drop) if a packet’s maximum segment size (MSS) exceeds the value set when the TCP connection began.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# exceed-mss {allow | drop}

    Add a note hereTakes action (the default is allow) on the reserved bits in the TCP header. This is a 3-bit field after the Data Offset field, which should always be cleared to 0.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# reserved-bits {allow | clear | drop}

    Add a note hereSYN packets are permitted to contain payload data, according to the TCP definition. By default, the firewall allows them. If end hosts cannot handle this properly, the firewall can drop those packets.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# syn-data {allow | drop}

    Add a note hereDrops packets that masquerade as retransmissions of prior packets that passed inspection but were dropped because of time-to-live (TTL) expiration. (This is enabled by default.)

    Add a note here

    Add a note hereFirewall(config-tcp-map)# ttl-evasion-protection

    Add a note hereTakes action (the default is clear) on the contents of the TCP URG (urgent) flag and pointer. URG can be used to request priority handling of a packet, but this is not well-defined.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# urgent-flag {allow | clear}

    Add a note hereTakes action (the default is allow-connection) when the TCP window size is advertised as greatly disparate values for no apparent reason.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# window-variation {allow-connection | drop-connection}

    Add a note hereTakes action (the default is allow) if Selective ACK (SACK, TCP option 4) is set.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# tcp-options selective-ack {allow | clear}

    Add a note hereTakes action (the default is allow) if the time stamp (TCP option 8) is used. If clear is used, the Round-Trip Time Measurement (RTTM) and Protection Against Wrapped Sequences (PAWS) mechanisms are broken.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# tcp-options timestamp {allow | clear}

    Add a note hereTakes action (the default is allow) if the window scale (TCP option 3) flag is set to expand the TCP window field from 16 to 32 bits.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# tcp-options window-scale {allow | clear}

    Add a note hereTakes action on packets that use TCP option numbers within the range lower to upper. The lower and upper limit values can be 6, 7, or 9 to 255.

    Add a note hereTCP option 2 (MSS), option 3 (window scale), options 4 and 5 (SACK), and option 8 (time stamp) are not valid in this range because they are addressed with other tcp-options commands.

    Add a note here

    Add a note hereFirewall(config-tcp-map)# tcp-options range lower upper {allow | clear | drop}

    Add a note hereIf you have experimented with a command or its settings, you can use default command to set it back to its default configuration. For example, suppose you have entered the check-retransmission command but have decided to return the feature to its default state. Is the default on or off? No worries—just enter the following command to automatically choose the default:

    Add a note hereFirewall(config-tcp-map)# default check-retransmission
  3. Add a note hereEnd the TCP map configuration with the exit command.

  4. Add a note hereApply the TCP map as a template action with the following policy map configuration command:

    Add a note hereFirewall(config-pmap-c)# set connection advanced-options tcp_map_name


Add a note here You will not be able to move directly from the TCP map configuration mode into the policy map configuration mode. After you exit the TCP map configuration mode in Step 3, get back into the policy map configuration mode with the following commands:

Add a note hereFirewall(config)# policy-map policy_map_name
Firewall(config-pmap)# class class_map_name

Add a note hereFor example, a TCP map named conform_tcp is defined to drop TCP connections that try to use a nonzero value in the reserved bits field. As well, if TCP options 6, 7, or 9 through 255 are present, the connection is dropped.

Add a note hereYou can use the following commands to accomplish this. Notice that to use the set connection advanced-options command in a policy map, you still have to configure a class map to match the relevant traffic. In this case, all TCP packets should be matched—something that can be done only by using an access list.

Add a note hereFirewall(config)# tcp-map conform_tcp
Firewall(config-tcp-map)# reserved-bits drop
Firewall(config-tcp-map)# tcp-options range 6 7 drop
Firewall(config-tcp-map)# tcp-options range 9 255 drop
Firewall(config-tcp-map)# exit
Firewall(config)# access-list acl_tcp permit tcp any any
Firewall(config)# class-map MyClass
Firewall(config-cmap)# match access-list acl_tcp
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class MyClass
Firewall(config-pmap-c)# set connection advanced-options conform_tcp
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Add a note hereYou can monitor the activity of any configured tcp-options policy commands with the following command:

Add a note hereFirewall# show service-policy set connection

Add a note hereIn the following example, a TCP map named conform_tcp has been applied as a policy action in the policy-outbound service policy. Counters are displayed for each type of packet drop that can be configured regarding the TCP options field:

Add a note hereFirewall# show service-policy set connection
Global policy:
Service-policy: asa_global_fw_policy
Interface outside:
Service-policy: policy-outbound
Class-map: outbound
Set connection policy: conn-max 100 embryonic-conn-max 10
current embryonic conns 0, current conns 0, drop 0
Set connection timeout policy:
tcp 0:30:00
Set connection advanced-options: conform_tcp
Retransmission drops: 0 TCP checksum drops : 0
Exceeded MSS drops : 0 SYN with data drops: 0
Out-of-order packets: 0 No buffer drops : 0
Reserved bit cleared: 0 Reserved bit drops : 0
IP TTL modified : 0 Urgent flag cleared: 0
Window varied resets: 0
Selective ACK cleared: 0 Timestamp cleared : 0
Window scale cleared : 0
Other options cleared:
Other options drops:

Send the Matched Traffic to an IPS Module

Add a note hereThe Cisco ASA platform has a Security Services Module (SSM) slot that can be populated with a hardware module to handle Intrusion Prevention System (IPS) functions. This module is called the Advanced Inspection and Prevention (AIP) SSM. The ASA firewall must first match packets that are candidates for IPS inspection. Those packets are then offloaded to the AIP for IPS analysis.


Add a note hereWith an AIP SSM installed, an ASA platform can take advantage of the more than 1000 available IPS signatures. However, if an AIP is not installed (ASA or PIX platforms), only the basic IPS feature configured with the ip audit command can be used.

Add a note hereYou can configure two different methods of handing off packets to the AIP:

  • Add a note here inline— The AIP operates inline with the firewall so that matched packets flow from the firewall to the AIP, are inspected and acted upon by the AIP, and then flow back to the firewall.

  • Add a note here promiscuous— Matched packets are duplicated and sent to the AIP for IPS inspection. However, the original packets are still handled normally by the ASA firewall.

Add a note hereYou can configure a method by using one of the following commands:

Add a note hereFirewall(config-pmap-c)# ips inline {fail-open | fail-close}

Add a note hereor

Add a note hereFirewall(config-pmap-c)# ips promiscuous {fail-open | fail-close}

Add a note hereWith either method, you can configure the firewall’s action if the IPS hardware has failed. Use the fail-open keyword to allow matched packets to move through the firewall normally.

Add a note hereOtherwise, you can use the fail-close keyword to have tighter control over IPS policy enforcement. The firewall drops the matched packets if the IPS hardware has failed, preventing a potential vulnerability from being propagated into the protected network.

Add a note here For example, the following commands are used to configure a firewall to match any IP traffic and send it to the AIP module. The IPS process is to be inline with the firewall, and connections should be closed if the IPS module has failed. The whole policy is applied to the outside interface.

Add a note hereFirewall(config)# class-map IPS_Class
Firewall(config-cmap)# match any
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class IPS_Class
Firewall(config-pmap-c)# ips inline fail-close
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Add a note hereYou can monitor the activity of a service policy that sends matched packets to an AIP module with the following command:

Add a note hereFirewall# show service-policy ips


Add a note here Chapter 12, “ASA Modules,” covers the AIP SSM configuration in greater detail.

Send the Matched Traffic to a CSC Module

Add a note hereYou can populate the SSM slot in an ASA platform with a Content Security and Control (CSC) module. The CSC can perform anti-virus, anti-spam, anti-spyware, and anti-phishing functions on packets that are sent to it.

Add a note hereThe CSC operates in an inline mode as follows:

  1. Add a note hereThe traffic matching a policy is sent to the CSC.

  2. Add a note hereThe CSC inspects and acts on malicious content.

  3. Add a note hereThe CSC sends the traffic back to the firewall.

Add a note hereYou can configure the policy map action to send matching traffic to the CSC with the following command:

Add a note hereFirewall(config-pmap-c)# csc {fail-open | fail-close}

Add a note hereYou can configure the firewall’s action if the CSC hardware has failed and cannot be reached. Use the fail-open keyword to allow matched packets to move through the firewall normally, without the CSC’s inspection.

Add a note hereOtherwise, use the fail-close keyword to have tighter control over the CSC’s policy enforcement. The firewall drops the matched packets if the CSC hardware has failed.


Add a note here Chapter 12 covers the CSC SSM configuration in greater detail.

Use a Policer to Limit the Matched Traffic Bandwidth

Add a note hereBeginning with ASA 7.0(1), you can define traffic policers in a policy map to control the amount of interface bandwidth given to specific traffic. Packets that are identified with a match command in a class map can be applied to a policer.

Add a note hereYou can configure a policer as an action within a policy map with the following command:

Add a note hereFirewall(config-pmap-c)# police {output | input} conform_rate [burst_bytes]
[conform-action {drop | transmit}] [exceed-action {drop | transmit}]

Add a note hereMatched packets are held to a strict bandwidth policy. They can use up to conform_rate bits per second, given as 8000 (8 kbps) to 2,000,000,000 (2 Gbps). While the conform_rate bandwidth is not being exceeded, the firewall takes the conform-action and either drops the conforming packets or transmits them (the default).

Add a note hereYou can also specify an “instantaneous” amount of burst traffic that is allowed when the conform_rate is exceeded. This is given as burst_bytes, 1000 (1 KB) to 512,000,000 (512 MB); this is 1500 bytes by default. If the conform rate is exceeded by more than the burst size, the traffic is considered nonconforming, and the exceed-action is taken. The firewall can either drop (the default) or transmit the nonconforming packets.


Add a note hereIt might seem odd that the conform_rate is specified in bits per second while the burst is given in bytes. This is because of how the policer operates. A 10-millisecond (ms) clock interval is used to measure policed traffic. The byte counts of matching packets are added to a “bucket” whose “high water mark” is set to the amount of traffic that can be transmitted in one clock tick. In addition, the bucket is emptied at every interval of the policer clock (10 ms).

Add a note hereWhile the conform_rate is not exceeded, the bucket should never fill. If a burst size is configured, it is added to the bucket’s high water mark. Therefore, in one clock tick (10 ms), the amount of matching traffic can exceed the conforming amount by the burst size in bytes.

Add a note hereIn releases prior to ASA 7.2(1), policers can examine and limit traffic rates in the outbound direction only. You can use the output keyword to police traffic being output on an interface, but this is not really necessary, because that is the default and the only direction possible.

Add a note here Beginning with ASA 7.2(1), policers can be used to control the rates of incoming traffic as well. When you configure a policer, you have to select whether it operates in the input or output direction after it is applied to an interface.

Add a note hereFor example, suppose a policer has been configured to limit outbound HTTP traffic to an aggregate rate of 8 kbps. Conforming traffic is transmitted, but traffic that exceeds the conform rate is dropped. The HTTP servers are located on the inside of the firewall, and all relevant clients are located outside. The following commands show this configuration:

Add a note hereFirewall(config)# access-list outbound_http extended permit tcp any eq http any
Firewall(config)# class-map class_http
Firewall(config-cmap)# match access-list outbound_http
Firewall(config-cmap)# exit
Firewall(config)# policy-map mypolicy
Firewall(config-pmap)# class class_http
Firewall(config-pmap-c)# police output 8000 conform-action transmit exceed-action drop
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy mypolicy interface outside

Add a note hereYou could also add a policer to control the rate of inbound FTP traffic to an aggregate rate of 128 kbps. You could use the following commands to configure the FTP policer:

Add a note hereFirewall(config)# class-map class_ftp
Firewall(config-cmap)# match port tcp eq 20
Firewall(config-cmap)# exit
Firewall(config)# policy-map mypolicy
Firewall(config-pmap)# class class_ftp
Firewall(config-pmap-c)# police input 128000 conform-action transmit exceed-action drop
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit

Add a note hereIn effect, you just have to edit the policy map to add in a new policy for the inbound traffic. The policy map was already applied to the outside interface in the first part of the example.

Add a note hereYou can monitor policer activity with the following command:

Add a note hereFirewall# show service-policy [interface ifc_name]

Add a note hereFor example, the following output corresponds to the previous sample configuration:

Add a note hereFirewall# show service-policy interface outside
Interface outside:
Service-policy: policy-outbound
Class-map: class_http
Output police Interface outside:
cir 8000 bps, bc 1500 bytes
conformed 223 packets, 16502 bytes; actions: transmit
exceeded 377 packets, 27898 bytes; actions: drop
conformed 6320 bps, exceed 11744 bps
Class-map: class_ftp
Input police Interface outside:
cir 128000 bps, bc 4000 bytes
conformed 67 packets, 9120 bytes; actions: transmit
exceeded 34 packets, 3942 bytes; actions: drop
conformed 1298 bps, exceed 3114 bps

Add a note hereNotice that the command output includes current estimates of the bits per second for the “conformed” and “exceed” traffic based on the policer’s actions. For the policer in the output direction, the committed information rate (cir) is shown to be 8000 bps, and the committed burst (bc) is the default 1500 bytes (one packet).

Add a note hereAs an extra step, a burst size of 12,000 bytes (eight 1500-byte packets) is then configured for the same output policer using the following command:

Add a note hereFirewall(config-pmap-c)# police output 8000 12800 conform-action transmit exceed-action

Add a note hereThe idea is to add the capability for periodic bursts of traffic over the conform rate to get through unaltered, as long as the traffic rate stays below the conform rate. If the traffic rate is sustained at a high rate, where the policer must keep it rate-limited, only a single burst of excessive traffic is permitted.

Add a note hereMonitoring the policer from the command line shows the updated burst size and the estimated conformed and exceeded rates. However, notice that the following output does not really give an indication of the burst activity:

Add a note hereFirewall# show service-policy interface outside
Interface outside:
Service-policy: policy-outbound
Class-map: outbound
police Interface outside:
cir 8000 bps, bc 12800 bytes
conformed 2294 packets, 169756 bytes; actions: transmit
exceeded 3986 packets, 294964 bytes; actions: drop
conformed 5376 bps, exceed 11176 bps
Class-map: class_ftp
Input police Interface outside:
cir 128000 bps, bc 4000 bytes
conformed 67 packets, 9120 bytes; actions: transmit
exceeded 34 packets, 3942 bytes; actions: drop
conformed 1298 bps, exceed 3114 bps

Add a note hereTo see the effects of the policer at work, you can use the ASDM application to display a graph of interface bit rates. Figure 7-3 shows this graph during the time that the example output policer was configured. On the left, where the bit rate averages around 20,000 bps, no policer was configured. This represents the true data rate through the outside firewall interface.

Image from book
Add a note hereFigure 7-3: The Effects of a Policer on Interface Traffic

Add a note hereWhen the data rate falls off abruptly to about 7000 bps, the policer has just been configured, with a conform-rate of 8000 bps. No burst size has been configured other than the default. Notice a spike toward the right side of the graph. At that point, the policer was reconfigured with the addition of the 12,800-byte burst size. Because the traffic rate was already at a sustained level above the conform-rate, the policer allowed only a single burst of traffic to get through before throttling the rate back to the conform-rate value.

Give Priority Service (LLQ) to Matched Traffic

Add a note hereOrdinarily, packets are placed on the “normal” queue of a firewall interface after they are inspected. The contents of this queue are transmitted in the order that they were placed in the queue, with no regard for the packet contents or QoS requirements. In other words, packets exit a firewall in a best-effort fashion.

Add a note hereBeginning with ASA 7.0(1), a firewall also supports a strict priority queue that can be enabled on each interface. Packets in the priority queue are serviced and sent out before any packets from the normal queue. Therefore, the priority queue is not affected by the volume or types of traffic contained in the normal queue. The priority queue can be used to provide premium service to delay- and jitter-intolerant applications such as streaming video and voice.

Add a note hereYou can use the following command to place the matched traffic in the priority queue on the egress interface:

Add a note hereFirewall(config-pmap-c)# priority

Add a note here Refer to Chapter 3, “Building Connectivity,” Section “3-1: Building Connectivity,” Section “Configuring Interfaces,” for more information about priority queue operation.

Add a note hereFor example, suppose a firewall is configured to place various types of voice-related packets in its priority interface queues. Class maps are configured to match control packets used for Cisco Skinny and Session Initiation Protocol (SIP). Another class map matches the RTP audio bearer packets. A final class map matches any packet that has its IP DSCP value set to EF (46), indicating the need for priority service. The following configuration commands are used to implement these requirements:

Add a note hereFirewall(config)# class-map Class_Skinny
Firewall(config-cmap)# match port tcp range 2000 2002
Firewall(config-cmap)# exit
Firewall(config)# class-map Class_RTP
Firewall(config-cmap)# match rtp 16384 16383
Firewall(config-cmap)# exit
Firewall(config)# class-map Class_SIP
Firewall(config-cmap)# match port udp eq sip
Firewall(config-cmap)# exit
Firewall(config)# class-map Class_DSCP
Firewall(config-cmap)# match dscp ef
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class Class_Skinny
Firewall(config-pmap-c)# priority
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# class Class_RTP
Firewall(config-pmap-c)# priority
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# class Class_SIP
Firewall(config-pmap-c)# priority
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# class Class_DSCP
Firewall(config-pmap-c)# priority
Firewall(config-pmap-c)# exit
Firewall(config)# service-policy MyPolicy interface outside
Firewall(config)# service-policy MyPolicy interface inside

Add a note here Default Policy Definitions

Add a note hereAn ASA running release 7.0(1) or later, or a FWSM running 3.1(1) or later, automatically configures a default class map and a default policy map. The default policy map is referenced by a service policy that is applied globally to all firewall interfaces. Figure 7-4 shows the default modular policies.

Image from book
Add a note hereFigure 7-4: Default Modular Policy Definitions

Add a note here The default class map is named inspection_default. It matches against a predefined set of protocols and port numbers called default-inspection-traffic. This is a “catchall” case that matches against the default primary ports for every possible inspection engine.


Add a note hereThe default-inspection-traffic definition does not appear in the firewall configuration. To see how it is defined, use the context-based help within a class-map configuration, as in the following example:

Add a note hereFirewall(config)# class-map test
Firewall(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 xdmcp-----udp--177

Add a note hereThe default policy map is named global_policy. It references only the inspection_default class map. It also has a set of predefined actions, which invoke the inspection engines as shown in Figure 7-4.

Add a note hereThe default service policy references policy map global_policy and applies it to “global,” or to every active firewall interface. The net effect of the default configuration is as follows:

  • Add a note hereAll traffic is matched against the default inspection engine settings.

  • Add a note hereOnly the 22 predefined inspection engines are active. Only traffic matching the default protocols and ports of these are inspected. All other traffic is denied unless other nondefault policies are configured.

  • Add a note hereTraffic matching the default inspection engines is inspected, regardless of the firewall interface.

Add a note hereYou can add your own modular policies to the default policies in two ways:

  • Add a note hereYou can configure the existing default class map and policy map to add additional matches and actions.

    Add a note hereAlthough this simplifies the configuration because you do not have to configure new class maps and policy maps, any changes you make to the default policies are applied to all the firewall interfaces. In other words, you lose some ability to fully customize the security policies, because the global_policy policy map is applied globally by default.

  • Add a note hereYou can configure new class maps and new policy maps and apply those to one or more interfaces with a service policy. This approach offers the most scalability and granularity.

    Add a note hereYou can apply only one policy map to an interface with a service policy. However, you can apply your own policy map to an interface, even if the default policy map is already applied in the default service policy. One service policy can overlay the default service policy on any interface because the default is used globally.

No comments:

Post a Comment