Monday, June 20, 2011

Chapter 9: Inspecting Traffic with the ASA (Part02)

7-3: Application Inspection

Add a note hereA stateful firewall can easily examine the source and destination parameters of packets passing through it. Many applications use protocols that also embed address or port information inside the packet, requiring special handling for examination.

Add a note hereApplication inspection allows a firewall to dig inside the packets used by certain applications. The firewall can find and use the embedded information in its stateful application layer inspection engines.

Add a note hereEmbedded address information can also become confusing when you use NAT. If the packet addresses are being translated, the firewall must also perform the same translation on any corresponding embedded addresses.

Add a note here Application inspection also monitors any secondary channels or “buddy ports” that are opened as a part of an application connection. Only the primary or well-known port needs to be configured for the application inspection. In addition, only the primary port needs to be permitted in an access list applied to a firewall interface.

Add a note hereThis becomes important for inbound connections, where permitted ports must be explicitly configured in the access list. Any secondary connections that are negotiated are tracked, and the appropriate access (additional xlate and conn entries) is added automatically.

Add a note hereTo illustrate how this works, consider a simple example with the passive FTP application protocol, as shown in Figure 7-5. An FTP client is located on the outside of a firewall, and the FTP server is inside. The access list applied to the outside interface only permits inbound connections to TCP port 21, the FTP control channel. As soon as the client opens a connection to port 21, the server responds with the port number of the data channel the client should use next.

Click to collapse
Add a note hereFigure 7-5: An Example of FTP Application Inspection

Add a note here When the client initiates the inbound data connection to the server’s negotiated port number, the firewall does not have an explicit access list statement to permit it. In fact, because the new connection port is negotiated within a previous FTP exchange over the control channel, the port number cannot be known ahead of time. However, the FTP application inspection understands the FTP protocol and listens to the packet exchange between the client and server. The firewall overhears the data channel port negotiation and can automatically create xlate and conn entries for it dynamically.

Add a note hereIn releases before ASA 7.0(1), application inspection is called a fixup. If a fixup is enabled, it is used to examine all traffic passing through the firewall. Beginning with ASA 7.0(1) and FWSM 3.1(1), application inspection is much more flexible. Inspection engines can be used to examine specific types of traffic.

Add a note here Table 7-6 lists the applications and well-known ports supported for application inspection on Cisco firewall platforms running PIX software.

Add a note here Table 7-6: Application Inspection: Applications and Ports Supported
Open table as spreadsheet

Add a note hereApplication Protocol

Add a note hereKeyword

Add a note herePIX 6.3

Add a note hereASA, FWSM

Add a note hereCTIQBE

Add a note here ctiqbe

Add a note here TCP 2748 (disabled)

Add a note here TCP 2748 (disabled)

Add a note hereCU-SeeMe

Add a note here

Add a note here UDP 7648 (always enabled)

Add a note here

Add a note hereDNS

Add a note here dns

Add a note here UDP 53

Add a note here UDP 53

Add a note hereESMTP

Add a note here esmtp

Add a note here

Add a note here TCP 25

Add a note hereESP-IKE

Add a note here esp-ike

Add a note here — (disabled)

Add a note here

Add a note hereFTP

Add a note here ftp

Add a note here TCP 21

Add a note here TCP 21

Add a note hereGTP version 1

Add a note here gtp

Add a note here

Add a note here UDP 2123, 3386 (disabled)

Add a note hereH.323: H225

Add a note hereH.323: RAS

Add a note here h323 h225

Add a note here h323 ras

Add a note here TCP 1720

Add a note here UDP 1718 to 1719

Add a note here TCP 1720

Add a note here UDP 1718 to 1719

Add a note hereHTTP

Add a note here http

Add a note here TCP 80

Add a note here TCP 80 (disabled)

Add a note hereICMP

Add a note here icmp

Add a note here

Add a note here (no port; disabled)

Add a note hereICMP Error Messages

Add a note here icmp error

Add a note here (no port)

Add a note here (no port; disabled)

Add a note hereILS/LDAP

Add a note here ils

Add a note here TCP 389

Add a note here TCP 389

Add a note hereMGCP

Add a note here mgcp

Add a note here UDP 2427, 2727 (disabled)

Add a note here UDP 2427, 2727 (disabled)

Add a note hereNBDS

Add a note here netbios

Add a note here UDP 138 (always enabled)

Add a note here UDP 138

Add a note hereNBNS

Add a note here netbios

Add a note here UDP 137 (always enabled)

Add a note here UDP 137

Add a note herePPTP

Add a note here pptp

Add a note here TCP 1723 (disabled)

Add a note here TCP 1723 (disabled)

Add a note hereRSH

Add a note here rsh

Add a note here TCP 514

Add a note here TCP 514

Add a note hereRTSP

Add a note here rtsp

Add a note here TCP 554

Add a note here TCP 554

Add a note hereSIP

Add a note here sip

Add a note here UDP/TCP 5060

Add a note here UDP/TCP 5060

Add a note hereSkinny/SCCP

Add a note here skinny

Add a note here TCP 2000

Add a note here TCP 2000

Add a note hereSMTP

Add a note here smtp

Add a note here TCP 25

Add a note here TCP 25 (disabled)

Add a note hereSNMP

Add a note here snmp

Add a note here UDP 161, 162 (disabled)

Add a note here UDP 161, 162

Add a note hereSQL*Net

Add a note here sqlnet

Add a note here TCP 1521

Add a note here TCP 1521

Add a note hereSunRPC

Add a note here sunrpc

Add a note here TCP/UDP 111 (always enabled)

Add a note here TCP/UDP 111

Add a note hereTFTP

Add a note here tftp

Add a note here UDP 69

Add a note here UDP 69

Add a note hereVDOLive

Add a note here

Add a note here TCP 7000 (always enabled)

Add a note here

Add a note hereWindows Media (Netshow)

Add a note here

Add a note here TCP 1755 (always enabled)

Add a note here

Add a note hereXDMCP

Add a note here xdmcp

Add a note here UDP 177 (always enabled)

Add a note here UDP 177

Add a note here Configuring Application Inspection

Add a note here By default, PIX 6.3 enables only the CU-SeeMe, DNS, FTP, H.323, HTTP, ILS/LDAP, NetBIOS, RSH, RTSP, SIP, SKINNY/SCCP, SMTP, SQL*Net, SunRPC, TFTP, VDO Live, Windows Media, and XDMCP fixups. If the fixup command is configured for an application protocol, then the firewall inspects that traffic with an inspection engine.

Add a note hereOn an ASA or FWSM platform, application inspection occurs only on traffic that has been classified and applied to a policy. When you use the inspect command, as in the following command syntax, only the inspection engine that you specify examines traffic identified by the class map:

Add a note hereFirewall(config-pmap-c)# inspect inspect_name [options]

Add a note hereAs you might imagine, application layer inspection depends heavily on the MPF structure that is described in Section “7-2: Defining Security Policies in a Modular Policy Framework.” Within a single policy map, you can configure Layer 3/4 traffic policies, as well as application layer inspection engine definitions.

Add a note hereAs soon as an inspection policy is configured, you can monitor its activity with the following command:

Add a note hereFirewall# show service-policy

Add a note here This command displays each active service policy, along with the class map and action breakdown. If inspect commands are configured as part of a service policy, each one is listed, along with counters for packets inspected and dropped and connections reset. The inspection engines configured in the default global policy global_policy are shown in the following example:

Add a note hereFirewall# show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns maximum-length 512, packet 10, drop 0, reset-drop 0
Inspect: ftp, packet 39, drop 0, reset-drop 0
Inspect: h323 h225, packet 0, drop 0, reset-drop 0
Inspect: h323 ras, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: esmtp, packet 28, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 27, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: icmp error, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 76800, drop 13628, reset-drop 0

Add a note hereYou can configure any of the supported application layer inspection engines by using the configuration command syntax listed in Table 7-7.

Add a note here Table 7-7: Configuring Application Layer Inspection Engines
Open table as spreadsheet

Add a note hereApplication for Inspection

Add a note hereCommand

Add a note hereCTIQBE

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect ctiqbe

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect ctiqbe

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol ctiqbe 2748

Add a note hereCU-SeeMe

Add a note hereASA

Add a note here

Add a note hereFWSM

Add a note here

Add a note herePIX

Add a note hereAlways enabled. Supported by the H.323 fixup.

Add a note hereDCERPC

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect dcerpc [dcerpc_pmap_name]

Add a note hereSee the section “Configuring DCERPC Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note herePIX

Add a note here

Add a note hereDNS

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect dns [dns_pmap_name]

Add a note hereSee the section “Configuring DNS Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect dns [maximum-length max_pkt_length]

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol dns [maximum-length max_pkt_length]

Add a note hereESMTP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect esmtp [esmtp_pmap_name]

Add a note hereSee the section “Configuring ESMTP Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note herePIX

Add a note here

Add a note hereESP with PAT (IPSec)

Add a note hereASA

Add a note here

Add a note hereFWSM

Add a note here

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol esp-ike

Add a note hereFTP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect ftp [ftp_pmap_name]

Add a note hereSee the sections “Configuring FTP Inspection—ASA 7.2(1) or Later” and “Configuring FTP Inspection—FWSM and ASA 7.0-7.1” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect ftp [strict [ftp_map_name]]

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol ftp [strict] [port]

Add a note hereGTP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect gtp [gtp_pmap_name]

Add a note hereSee the sections “Configuring GTP Inspection—ASA 7.2(1) and Later” and “Configuring GTP Inspection—FWSM and ASA 7.0-7.1” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect gtp[gtp_map_name]

Add a note herePIX

Add a note here

Add a note hereH.323

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect h323 [h323_pmap_name]

Add a note hereSee the section “Configuring H.323 Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect h323 {h225 [h225_map] | ras}

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol h323 {h225 | ras} port[-port]

Add a note hereHTTP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect http [http_pmap_name]

Add a note hereSee the sections “Configuring HTTP Inspection—ASA 7.2(1) and Later” and “Configuring HTTP Inspection—FWSM and ASA 7.0-7.1” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect http [http_map_name]

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol http [port[-port]

Add a note hereICMP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect icmp [error]

Add a note hereSee the section “Configuring ICMP Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect icmp [error]

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol icmp error

Add a note hereInternet Locator Service (ILS)/LDAP

Add a note hereFWSM 2.x

Add a note here

Add a note hereFirewall(config)# fixup protocol ils [port[-port]]

Add a note here6.x

Add a note here

Add a note hereFirewall(config)# fixup protocol ils [port[-port]]

Add a note here7.x

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect ils

Add a note hereInstant Messaging

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect im [im_pmap_name]

Add a note hereSee the section “Configuring Instant Messaging (IM) Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note herePIX

Add a note here

Add a note hereIPSec Passthru

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect ipsec-pass-thru [ipsec_pmap_name]

Add a note hereSee the section “Configuring IPSec Passthru Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note herePIX

Add a note here

Add a note hereMGCP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect mgcp [mgcp_pmap_name]

Add a note hereSee the section “Configuring MGCP Inspection—ASA 7.2(1) and later” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect mgcp [mgcp_map_name]

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol mgcp [port[-port]]

Add a note hereNetBIOS

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect netbios [netbios_pmap_name]

Add a note hereSee the section “Configuring NetBIOS Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect netbios

Add a note herePIX

Add a note here

Add a note hereAlways enabled.

Add a note herePPTP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect pptp

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect pptp

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol pptp port

Add a note hereRADIUS Accounting

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect radius-accounting [radius_pmap_name]

Add a note hereSee the section “Configuring RADIUS Accounting Inspection” later in the chapter.

Add a note hereFWSM

Add a note here-

Add a note herePIX

Add a note here-

Add a note hereRSH

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect rsh

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect rsh

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol rsh [port]

Add a note hereRTSP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect rtsp

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect rtsp

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol rtsp [port]

Add a note hereSIP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect sip

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect sip

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# [no] fixup protocol sip udp 5060
Firewall(config)# fixup protocol sip [port[-port]

Add a note hereSkinny (SCCP)

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect skinny

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect skinny

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol skinny [port[-port]

Add a note hereSMTP

Add a note hereASA

Add a note hereHandled as ESMTP; see the section “Configuring ESMTP Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect esmtp

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol smtp [port[-port]]

Add a note hereSNMP

Add a note hereASA

Add a note hereSee the section “Configuring SNMP Inspection” later in the chapter.

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect snmp [snmp_map_name]

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol snmp 161-162

Add a note hereSQL*Net

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect sqlnet

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect sqlnet

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol sqlnet [port[-port]]

Add a note hereSunRPC

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect sunrpc

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect sunrpc

Add a note herePIX

Add a note hereAlways enabled

Add a note hereTFTP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect tftp

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect tftp

Add a note herePIX

Add a note here

Add a note hereFirewall(config)# fixup protocol tftp [port[-port]]

Add a note hereXDMCP

Add a note hereASA

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect xdmcp

Add a note hereFWSM

Add a note here

Add a note hereFirewall(config-pmap-c)# inspect xdmcp

Add a note herePIX

Add a note hereAlways enabled

Add a note hereFWSM and ASA (releases 7.0[1] or later) use the inspect command. In releases prior to ASA 7.0(1), the fixup command configures application inspection and default port numbers.

Add a note here Table 7-7 lists the command syntax to configure each type of inspection engine for ASA, FWSM, and PIX 6.3 platforms. For application inspection engines that are more advanced, refer to the section of this chapter referenced in the table.

Add a note here Notice that none of the ASA or FWSM inspection engine configuration commands accepts a port number. These firewall platforms have a default concept of application port numbers, so you don’t have to define them. Any traffic that is matched by a class map will be processed through the appropriate inspection engine, using the default port number.

Add a note hereIf a nondefault port is needed, traffic must be matched against the nondefault port in a class map and then sent to an inspection engine specified in a policy map.

Add a note hereIn Table 7-7, notice that the inspect command does not accept any port numbers for the case in which the default application port needs to be changed. The default port numbers are defined by the match default-inspection-traffic command, which is configured by default.

Add a note hereYou can change the default port by matching traffic based on the new port number and then using a policy to subject that traffic to the inspection engine.

Add a note hereFor example, the inspect http command uses default TCP port 80 for its inspection. If you need to use TCP 8080 instead, use the following commands:

Add a note hereFirewall(config)# class-map http_8080
Firewall(config-cmap)# match port tcp eq 8080
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicies
Firewall(config-pmap)# class http_8080
Firewall(config-pmap-c)# inspect http
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicies interface inside

Add a note here That isn’t to say that once you choose a different port for an inspection engine, the original port cannot still be used. Because the structure of policy maps and class maps is modular, you can add another class-map to match another port. The following example shows a policy-map configuration that uses the HTTP inspection engine to use TCP port 80, as well as TCP port 8080.

Add a note hereFirewall(config)# class-map http_8080
Firewall(config-cmap)# match port tcp eq 8080
Firewall(config-cmap)# exit
Firewall(config)# class-map http_80
Firewall(config-cmap)# match port tcp eq 80
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicies
Firewall(config-pmap)# class http_8080
Firewall(config-pmap-c)# inspect http
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# class http_80
Firewall(config-pmap-c)# inspect http
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicies interface inside

Add a note hereAs the ASA software releases progress, the MPF continues to get more flexible and versatile. There are now so many pieces to the MPF puzzle that you can become overwhelmed on where to start and how to approach the configuration.

Add a note here Figure 7-6 shows the entire range of things you can configure as a part of the MPF structure. As well, dotted lines show how one piece of the MPF is configured and then referenced in another piece. Refer to this figure to keep your bearings as you configure various class maps and policy maps in the remainder of this chapter.

Image from book
Add a note hereFigure 7-6: The Entire MPF Structure and Interrelationships

Matching Text with Regular Expressions

Add a note hereBeginning with ASA 7.2(1), you can define a regular expression to use when matching text fields in many of the application layer inspection engines. Regular expressions can be defined in two ways:

  • Add a note hereA single regular expression configured with the following command:

    Add a note hereFirewall(config)# regex regex_name regular_expression
  • Add a note hereA group of regular expressions configured as a class map with the following commands:

    Add a note hereFirewall(config)# class-map type regex match-any regex_cmap_name
    Firewall(config-cmap)# match regex regex_name

    Add a note hereThe class map consists of one or more match regex commands, each referencing a single regular expression configured with the regex command.

Add a note hereWithin a regex command, you have to define the actual regular expression as a string of up to 100 characters. You can use regular characters in the regular_expression string to match text literally, and you can include special metacharacters to match text in a more abstract way.

Add a note here Table 7-8 lists the metacharacters and their functions.

Add a note here Table 7-8: Regular Expression Metacharacters
Open table as spreadsheet

Add a note here Metacharacter

Add a note hereName

Add a note hereFunction

Add a note here.

Add a note hereDot

Add a note hereMatches any single character

Add a note hereExample: b.d matches bad, bbd, bcd, bdd, bed, and so on

Add a note here( )

Add a note hereSubexpression

Add a note hereGroups the characters inside the parentheses as a single expression for matching with other metacharacters.

Add a note here|

Add a note hereOr

Add a note hereMatches either expression that | separates

Add a note hereExample: com|net matches or

Add a note hereExample: Ma(r|y) matches Mar or May

Add a note here ?

Add a note hereQuestion mark

Add a note hereMatches 0 or 1 of the expression just before the ?

Add a note hereExample: e?smtp matches smtp (zero e’s) or esmtp (1 e)

Add a note hereExample: (12)? matches 4444, 12444, 1212444, and so on

Add a note here*

Add a note hereAsterisk

Add a note hereMatches 0, 1, or any number of the expression just before the *

Add a note hereExample: w* matches and

Add a note here +

Add a note herePlus

Add a note hereMatches at least 1 of the expression just before the +

Add a note hereExample: w+ matches, but not

Add a note here {n}

Add a note hereRepeat

Add a note hereMatches if the expression just before {n} is repeated exactly n times

Add a note hereExample: (test){2} matches testtest but not testtesttest

Add a note here {n,}

Add a note hereMinimum repeat

Add a note hereMatches if the expression just before {n,} is repeated at least n times

Add a note hereExample: (test){2} matches testtest and also testtesttest

Add a note here [abc]

Add a note hereCharacter class

Add a note hereMatches any of the characters listed between the square brackets

Add a note hereExample: [dfhl]og matches dog, fog, hog, and log, but not frog

Add a note here [^abc]

Add a note hereNot character class

Add a note hereMatches any character that is not listed between the brackets

Add a note hereExample: [^dfhl]og matches cog, but not dog, fog, hog, or log.

Add a note here [a-c]

Add a note hereCharacter range class

Add a note hereMatches any character in the range from a to c

Add a note hereExample: [a-z] matches any lower case letter, [A-Z] matches any upper case letter, [0-9] matches any digit.

Add a note here ^

Add a note hereCaret

Add a note hereThe caret matches the beginning of a line; any expression following the caret will be matched only if it appears at the beginning of a line.

Add a note hereExample: ^Dear matches “Dear John”, but not “John Dear”

Add a note here \

Add a note hereEscape

Add a note hereThe metacharacter following \ will be treated as a literal character; this is useful when you need to match against something that is normally interpreted as a metacharacter.

Add a note hereExample: \*Test matches *Test*

Add a note here \r

Add a note hereCarriage return

Add a note hereMatches a carriage return character (ASCII 13 or 0x0d)

Add a note here \n

Add a note hereNewline

Add a note hereMatches a newline character (ASCII 10 or 0x0a)

Add a note here \t

Add a note hereTab

Add a note hereMatches a tab character (ASCII 9 or 0x09)

Add a note here \f

Add a note hereForm feed

Add a note hereMatches a form feed character (ASCII 12 or 0x0c)

Add a note here \xNN

Add a note hereEscaped hex number

Add a note hereMatches an ASCII character that has the two-digit hex code NN

Add a note hereExample: \x20 matches a space (ASCII 32)

Add a note here \NNN

Add a note hereEscaped octal number

Add a note hereMatches an ASCII character that has the three-digit octal code NNN

Add a note hereExample: \040 matches a space (ASCII 32)

Add a note here As an example of a regular expression configuration, two standalone regex commands are used to match against “” and “”, “”, and so on.

Add a note hereFirewall(config)# regex Group1 cisco\.com
Firewall(config)# regex Group2 mysite[0-9]\.com

Add a note hereSuppose you want to apply both of these regular expressions to a policy. You can group them together into a single regex class map with the following commands:

Add a note hereFirewall(config)# class-map type regex match-any my_regex_groups
Firewall(config-cmap)# match regex Group1
Firewall(config-cmap)# match regex Group2
Firewall(config-cmap)# exit

Add a note hereRegular expressions can be difficult to formulate, especially when metacharacters are used. You can experiment with a regular expression from the regular EXEC level prompt—without having to make any configuration changes first. Use the following command to test a regular expression:

Add a note hereFirewall# test regex input_text  regular_expression

Add a note hereEnter some sample input_text, as if the firewall is searching through a URL or some other text field. Enter the regular expression you want to test. If the input text or regular expression contains any spaces, be sure to surround the text string with quotation marks.

Add a note hereThe firewall will return the result of the regular expression match. In the following examples, the firewall has announced if the regular expression match has succeeded or failed. Remember that a failed match does not necessarily indicate that your regular expression is incorrect or poorly formed—your regular expression needs correcting only if it produces results that do not match your expectations.

Add a note hereFirewall# test regex "see the dog run" "dog | cat"
INFO: Regular expression match succeeded.
Firewall# test regex "see the pig run" "dog | cat"
INFO: Regular expression match failed.
Firewall# test regex "the frog is big" "[dfhl]og"
INFO: Regular expression match failed.

Configuring DCERPC Inspection

Add a note here Distributed Computing Environment Remote Procedure Call (DCERPC) is a Microsoft protocol used by client machines to run software remotely from a server. The clients communicate with an Endpoint Mapper, which sets up secondary connections for the clients to use when they begin remote program execution.

Add a note hereBeginning with ASA 7.2(1), you can enable DCERPC inspection with an optional inspection policy map. Use the following steps to configure DCERPC inspection:

  1. Add a note here(Optional) Define a DCERPC inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect dcerpc dcerrpc_pmap_name
  2. Add a note hereSet DCERPC parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode, then configure one or more parameters with the commands shown in the following table:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# timeout

    Add a note hereAdjust the pinhole timer; by default, DCERPC pinholes are closed after 2 minutes.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# endpoint-
    mapper [epm-service-only] [lookup-
    operation [timeout hh:mm:ss]]

    Add a note hereTune the endpoint mapper service: Use epm-service-only to enforce the use of the endpoint mapper service during binding, lookup-operation to enable the lookup function, and timeout to set the timeout value for pinholes created during lookup.

  3. Add a note hereEnable DCERPC inspection:

    Add a note hereFirewall(config-pmap-c)# inspect dcerpc [dcerpc_pmap_name]

    Add a note hereThe inspect dcerpc command must be entered as an action in a policy map. If you have configured a DCERPC inspection class map, you can identify it here as dcerpc_pmap_name.

Add a note hereAs an example, DCERPC inspection is enabled with a pinhole timeout of 5 minutes. You could use the following commands to accomplish this purpose:

Add a note hereFirewall(config)# policy-map type inspect dcerpc_policy
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# timeout pinhole 0:5:0
Firewall(config)# class-map MyClass
Firewall(config-cmap)# match any
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class MyClass
Firewall(config-pmap-c)# inspect dcerpc dcerpc_policy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring DNS Inspection

Add a note hereIf DNS inspection is enabled, a firewall will tear down the DNS connection after the first reply from a DNS server is seen. The DNS record is also examined, and the A-record is rewritten according to any address translation stemming from the alias, static, and nat commands. By default, the DNS message length is held to 512 bytes.

Add a note hereBeginning with ASA 7.2(1), DNS inspection parameters can be defined in an inspection policy map, which is applied to the DNS inspection engine. You can use the following steps to configure DNS inspection:

  1. Add a note here(Optional) Define a DNS inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect dns [match-any | match-all] pmap_name

    Add a note hereBy default, the policy map matches the first condition found, if multiple match commands are configured. This is the same as giving the match-any keyword. You can use the match-all keyword instead, to require that every match command is met.

  2. Add a note hereDefine matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]
    dns-class {eq value | IN} | {range min
    Firewall(config-pmap-c)# {drop |
    drop-connection | enforce-tsig}

    Add a note hereMatch: DNS class as a value (0–65535) or IN or a range.

    Add a note hereAction: Drop the packet, drop or reset the connection, enforce a TSIG resource record; log optional.

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]
    dns-type {eq value} | {range min

    Firewall(config-pmap-c)# {drop |
    drop-connection | enforce-tsig}

    Add a note hereMatch: DNS query or resource record type. Type value can be 0–65535 or one of the following keywords: A (IPv4 address record), AXFR (zone transfer), CNAME (canonical name), IXFR (incremental transfer), NS (authoritative name server), SOA (start of authority), TSIG (transaction signature). Type can also be a range of values.

    Add a note hereAction: Drop the packet, drop or reset the connection, enforce a TSIG resource record; log optional.

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]
    domain-name regex {regex | class

    Firewall(config-pmap-c)# {drop |
    drop-connection | enforce-tsig}

    Add a note hereMatch: Domain name, as a regular expression.

    Add a note hereAction: Drop the packet, drop or reset the connection, enforce a TSIG resource record; log optional.

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]
    header-flag value

    Firewall(config-pmap-c)# {drop |
    drop-connection | mask | enforce-
    } [log]

    Add a note hereMatch: Header flag, a hex value 0x0-0xffff or one of the following keywords: AA (authoritative answer), QR (query), RA (recursion available), RD (recursion desired), or TC (truncation).

    Add a note hereAction: Drop the packet, drop or reset the connection, mask the header flag, or enforce a TSIG resource record; log optional.

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]

    Firewall(config-pmap-c)# {drop |
    drop-connection | enforce-tsig}

    Add a note hereMatch: DNS question field.

    Add a note hereAction: Drop the packet, drop or reset the connection, or enforce a TSIG resource record; log optional.

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]
    resource-record {additional | answer
    | authority}

    Firewall(config-pmap-c)# {drop |
    drop-connection | enforce-tsig}

    Add a note hereMatch: DNS resource record type.

    Add a note hereAction: Drop the packet, drop or reset the connection, or enforce a TSIG resource record; log optional.

    Add a note hereAs well, you can configure a DNS inspection class map with the class-map type inspection dns dns_cmap_name command. That inspection class map can contain any of the match commands listed here, along with their associated action commands. The idea is to group match and action commands that might be needed in multiple DNS inspection policies.

    Add a note hereThen you can reference the inspection class map in the inspection policy map with the following command:

    Add a note hereFirewall(config-pmap)# class dns_cmap_name

    Add a note hereBy referencing the inspection class map in several places, you save yourself the trouble of configuring the same match and action commands again and again.

  3. Add a note hereSet DNS parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note here First, enter the parameters mode and then configure one or more parameters with the commands shown in the following table:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# dns-guard

    Add a note hereEnable the DNS Guard feature (enabled by default).

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# id-mismatch
    {count number seconds} action log

    Add a note hereLog when ID mismatches occur over a threshold of number in seconds (default 30 in 3 seconds).

    Add a note here

    Add a note hereFirewall(config-pmap-p)# id-

    Add a note hereRandomize the DNS identifier to help prevent DNS poisoning attacks; by default, the DNS identifier field is passed through the firewall unchanged.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# message-
    length maximum {max_length | {client
    max_length [auto]} | {server
    max_length [auto]}}

    Add a note hereSet the maximum DNS message size globally as max_length (512-65535 bytes) or for the client or the server.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# nat-

    Add a note hereRewrite the A record according to NAT (the default)

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# protocol-

    Add a note hereExamine DNS messages for strict protocol checks (the default)

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# tsig
    enforced action [drop] log

    Add a note hereRequire TSIG resource records; if they are not found in DNS messages, a log message is generated. Add drop to drop the messages, too.

  4. Add a note hereEnable DNS inspection:

    Add a note hereFirewall(config-pmap-c)# inspect dns [dns_pmap_name]

    Add a note hereThe inspect dns command must be entered as an action in a policy map. You can also apply a DNS inspection policy map by giving its name pmap_name.

Add a note hereAs an example, a DNS inspection policy map is configured to match zone transfer requests and to drop and log them. The inspection engine is also configured to randomize the ID field. The following commands can be used to configure DNS inspection:

Add a note hereFirewall(config)# policy-map type inspect dns match-any MyDNSPolicy
Firewall(config-pmap)# match dns-type eq AXFR
Firewall(config-pmap-c)# drop log
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# id-randomization
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect dns MyDNSPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring ESMTP Inspection

Add a note here ESMTP inspection can be used to detect a variety of suspicious email activity. As well, it can block specific senders, receivers, and attempts at mail relay.

Add a note hereBeginning with ASA 7.2(1), ESMTP inspection parameters can be defined in an inspection policy map, which is applied to the ESMTP inspection engine. You can use the following steps to configure ESMTP inspection:

  1. Add a note here(Optional) Define an ESMTP inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect esmtp esmtp_pmap_name
  2. Add a note hereDefine any matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] body
    {length gt length} | {line gt length}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: Mail message body length (length) or line length (line, 1–998 characters).

    Add a note hereAction: Drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] cmd
    {{RCPT count gt number} | {line length gt
    length} | {verb verb}}

    Firewall(config-pmap-c)# {drop-
    connection | reset | rate-limit rate |
    mask} [log]

    Add a note hereMatch: ESMTP command; RCPT number is number of recipients (1–10,000), line length (1–998 characters), verb is one of the following ESMTP verbs: AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SOML, or VRFY.

    Add a note hereAction: Drop or reset the connection, rate limit the messages to rate messages per second, mask the message; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] ehlo-
    reply-parameter {8bitmime | auth |
    binarymime | checkpoint | dsn | ecode | etrn
    | others | pipelining | size | vrfy}

    Firewall(config-pmap-c)# {drop-
    connection | reset | mask} [log]

    Add a note hereMatch: EHLO reply parameter.

    Add a note hereAction: Drop or reset the connection or mask the message; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    header {{length gt length} | {line length
    gt length} | {to-fields count count}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: Mail message header length, line count (1–998 characters), or the number of To: fields (1–10,000).

    Add a note hereAction: Drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    invalid-recipients count gt count

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: Maximum number of 5xx error messages from invalid recipients; count (1–1000 recipients).

    Add a note hereAction: Drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] mime
    {encoding {7bit | 8bit | base64 | binary |
    others | quoted-printable}} | {filename
    length gt length} | {filetype regex {regex | class regex_cmap_name}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: MIME encoding type, filename length (1–1000 characters), or filetype (regular expression).

    Add a note hereAction: Drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    sender-address {{length gt length} |
    {regex {regex | class regex_cmap_name}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: Sender address length (1–1000 characters) or content (regular expression).

    Add a note hereAction: Drop or reset the connection; log optional.

  3. Add a note hereSet ESMTP parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode, then configure one or more parameters with the commands shown in the following table:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# mail-relay
    domain_name action [drop-connection] log

    Add a note hereFor a mail relay using the domain name, either drop the connection and/or log.

    Add a note here

    Add a note hereFirewall(config-pmap-p)# mask-banner

    Add a note hereMask or obfuscate the mail server banner.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# special-
    character action [drop-connection] log

    Add a note hereIf special characters pipe (|), back quote (), or NUL are present in the sender or receiver address, drop the connection and/or log.

  4. Add a note hereEnable ESMTP inspection:

    Add a note hereFirewall(config-pmap-c)# inspect esmtp [esmtp_pmap_name]

    Add a note hereThe inspect esmtp command must be entered as an action in a policy map. You can also apply an ESMTP inspection policy map by giving its name esmtp_pmap_name.

Add a note hereAs an example, an ESMTP application inspection policy map is configured to reset and log connections when more than 100 email recipients are given in a message.

Add a note hereAs well, the security policies prevent anyone from sending email using an address that is outside the domain name “” A regular expression PermittedSenders is configured to match against email addresses containing “”. The policy map matches against any sender address that does not contain the regular expression. Connections attempting to send to those addresses are simply reset and logged.

Add a note hereFinally, any connections attempting to use a mail relay in the domain “” will be dropped and logged.

Add a note here The following configuration commands can be used to configure these ESMTP inspection policies:

Add a note hereFirewall(config)# regex PermittedSenders ""
Firewall(config)# policy-map type inspect esmtp MyESMTPPolicy
Firewall(config-pmap)# match cmd RCPT count gt 100
Firewall(config-pmap-c)# reset log
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# match not sender-address regex PermittedSenders
Firewall(config-pmap-c)# reset log
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# mail-relay action drop-connection log
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect esmtp MyESMTPPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring FTP Inspection—ASA 7.2(1) or Later

Add a note hereFTP can be used to exchange files between a client and a server. FTP is defined in RFC 959. By default, the regular FTP inspection engine maintains any secondary connections negotiated by FTP clients and servers. FTP commands and responses are also tracked.

Add a note hereYou can use the following steps to configure FTP inspection in ASA 7.2(1) or later:

  1. Add a note here(Optional) Define an FTP inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect ftp ftp_pmap_name
  2. Add a note here(Optional) Define any matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    filename regex {regex | class

    Firewall(config-pmap-c)# reset

    Add a note hereMatch: Filename with regular expression

    Add a note hereAction: Reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    filetype regex {regex | class

    Firewall(config-pmap-c)# reset

    Add a note hereMatch: File type with a regular expression

    Add a note hereAction: Reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    server regex {regex | class

    Firewall(config-pmap-c)# reset

    Add a note hereMatch: Server banner information with a regular expression

    Add a note hereAction: Reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    username regex {regex | class

    Firewall(config-pmap-c)# reset

    Add a note hereMatch: Username with a regular expression

    Add a note hereAction: Reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    request-command command1 [command2]

    Firewall(config-pmap-c)# reset

    Add a note hereMatch: One or more FTP commands, from the following list: appe (append to a file), cdup (change to the parent directory), dele (delete a file on the server), get (get a file), help (get server help), mkd (create a directory), put (put a file), rmd (remove a directory), rnfr (rename from), rnto (rename to), site (server specific command), or stou (store a file with a unique name). Specify multiple commands by separating them with spaces.

    Add a note hereAction: Reset the connection

    Add a note hereAs well, you can configure an FTP inspection class map with the class-map type inspection ftp ftp_cmap_name command. That inspection class map can contain any of the match commands listed here, along with their associated action commands. The idea is to group match and action commands that might be needed in multiple FTP inspection policies.

    Add a note hereThen you can reference the inspection class map in the inspection policy map with the following command:

    Add a note hereFirewall(config-pmap)# class ftp_cmap_name

    Add a note hereBy referencing the inspection class map in several places, you save yourself the trouble of configuring the same match and action commands again and again.

  3. Add a note hereSet FTP parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the following commands:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note hereFirewall(config-pmap-p)# mask-banner

    Add a note hereMask or obfuscate the server banner

    Add a note here

    Add a note hereFirewall(config-pmap-p)# mask-syst-reply

    Add a note hereHide the server response from the clients

  4. Add a note hereEnable FTP inspection:

    Add a note hereFirewall(config-pmap-c)# inspect ftp [ftp_pmap_name]

    Add a note hereThe inspect ftp command must be entered as an action in a policy map. You can also apply an FTP inspection policy map by giving its name as ftp_pmap_name.

Add a note here As an example, an FTP inspection policy map is configured to reset any connection where the client attempts to use any FTP command other than the read-only CDUP, GET, and HELP commands. As well, the inspection engine will mask any FTP server’s banner so that clients cannot glean any details about the server from it. The following commands can be used to configure the FTP inspection policies:

Add a note hereFirewall(config)# policy-map type inspect ftp MyFTPPolicy
Firewall(config-pmap)# match not request-command cdup get help
Firewall(config-pmap-c)# reset
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# mask-banner
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect ftp MyFTPPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring FTP Inspection—FWSM and ASA 7.0-7.1

Add a note hereFor ASA releases prior to 7.2(1) and FWSM, you can use the following commands to configure FTP inspection and an FTP map:

  1. Add a note hereDefine the FTP map name:

    Add a note hereFirewall(config)# ftp-map ftp_map_name

    Add a note hereThe FTP map is named ftp_map_name (up to 64 characters).

  2. Add a note here(Optional) Deny specific FTP request commands:

    Add a note hereFirewall(config-ftp-map)# deny-request-cmd request_list

    Add a note hereThe firewall drops FTP commands listed in request_list before they reach the server. You can list one or more of the following FTP command keywords, separated by spaces: appe (append to a file), cdup (change to the parent directory), dele (delete a file), get (retrieve a file), help (get help from the FTP server), mkd (make a new directory), put (store a file), rmd (remove a directory), rnfr (rename a file from), rnto (rename a file to), site (a server-specific command), or stou (store a file with a unique name).

  3. Add a note here(Optional) Mask the reply to a syst command:

    Add a note hereFirewall(config-ftp-map)# mask-syst-reply

    Add a note hereAn FTP client can send the syst command to find out which operating system the FTP server uses. When the mask-syst-reply command is used, the firewall masks the server’s reply with Xs so that the information remains hidden.

  4. Add a note hereEnable the FTP inspection engine

    Add a note hereFirewall(config-pmap-c)# inspect ftp [strict [ftp_map_name]]

    Add a note here With the strict keyword, FTP connections will be inspected for compliance with the RFC. If you defined an FTP map, it can be applied here as ftp_map_name.

Add a note hereAs an example, suppose FTP inspection is configured to deny any FTP command operation that would alter files or directories on the FTP server. You could use the following commands to accomplish this purpose:

Add a note hereFirewall(config)# ftp-map MyFTPfilter
Firewall(config-ftp-map)# deny-request-cmd appe dele mkd put rmd rnfr rnto stou
Firewall(config-ftp-map)# exit
Firewall(config)# class-map _MyClass
Firewall(config-cmap)# match any
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class MyClass
Firewall(config-pmap-c)# inspect ftp strict MyFTPfilter
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring GTP Inspection—ASA 7.2(1) and Later

Add a note hereGPRS Tunneling Protocol (GTP) is used to tunnel multiprotocol packets through a General Packet Radio Service (GPRS) network between different GPRS Support Nodes (GSN).

Add a note hereBeginning with ASA 7.2(1), you can enable GTP inspection with an optional inspection policy map. Use the following steps to configure GTP inspection:

  1. Add a note here(Optional) Define a GTP inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect gtp gtp_pmap_name
  2. Add a note hereDefine matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not]
    apn regex {regex | class

    Firewall(config-pmap-c)# {drop | drop-
    connection | reset} [log]

    Add a note hereMatch: Access point name using regular expression.

    Add a note hereAction: Drop the packet, drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match
    [not]message id {message_id | range
    low high}

    Firewall(config-pmap-c)# {drop | drop-
    connection | reset} [log]

    Add a note hereMatch: GTP message ID as a value or range of values 1–255.

    Add a note hereAction: Drop the packet, drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    message length min min_length max

    Firewall(config-pmap-c)# {drop | drop-
    connection | reset}} [log]

    Add a note hereMatch: GTP message length within a range; min_length and max_length are 1–65535; length is GTP header plus body.

    Add a note hereAction: Drop the packet, drop or reset the connection; log optional.

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    version {version_id | low high}

    Firewall(config-pmap-c)# {drop | drop-
    connection | reset}} [log]

    Add a note hereMatch: GTP message version as a value (0–255) or range.

    Add a note hereAction: Drop the packet, drop or reset the connection; log optional.

  3. Add a note hereSet GTP parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the commands shown in the following table:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note hereFirewall(config-pmap-p)# permit errors

    Add a note hereAllow invalid GTP packets.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# permit
    response to-object-group
    to_obj_group_id from-object-group

    Add a note hereAllow GTP responses from GSNs other than the original target, if GSNs are operating as a pool. A pool is defined in a network object group (object-group network obj_group_id).

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# request-queue

    Add a note hereSet the maximum number (default 200) of GTP requests that will be queued while waiting for a response.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# timeout {gsn |
    pdp-context | request | signaling | t3-
    response | tunnel} hh:mm:ss

    Add a note hereSet the inactivity timers as gsn (inactivity time before a GSN is removed), pdp-context (maximum time to begin receiving PDP context), request (maximum time to begin receiving a GTP message), signaling (inactivity time before GTP signaling is removed), t3-response (maximum wait time for a response before GTP connection is removed), or tunnel (inactivity time before GTP tunnel is torn down).

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# tunnel-limit

    Add a note hereSet the maximum number of active GTP tunnels.

  4. Add a note hereEnable GTP inspection:

    Add a note hereFirewall(config-pmap-c)# inspect gtp [gtp_pmap_name]

    Add a note hereThe inspect gtp command must be entered as an action in a policy map. If you have configured a GTP inspection class map, you can identify it here as gtp_pmap_name.

Add a note here As an example, a GTP inspection policy map is configured to drop connections that have GTP messages other than a minimum length of 1 and maximum length of 2048. A GTP tunnel limit of 100 is also enforced. The following commands can be used to configure the GTP policies:

Add a note hereFirewall(config)# policy-map type inspect gtp MyGTPPolicy
Firewall(config-pmap)# match not message length min 1 max 2048
Firewall(config-pmap-c)# drop-connection
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# tunnel-limit 100
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect gtp MyGTPPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring GTP Inspection—FWSM and ASA 7.0-7.1

Add a note hereGPRS Tunneling Protocol (GTP) is used to tunnel multiprotocol packets through a General Packet Radio Service (GPRS) network between different GPRS Support Nodes (GSN).

Add a note hereFollow these steps to configure a GTP map for use with the inspect gtp command:

  1. Add a note hereDefine the GTP map name:

    Add a note hereFirewall(config)# gtp-map gtp_map_name

    Add a note hereThe GTP map is named gtp_map_name (up to 64 characters). You must apply the GTP map in a policy map with the following command before it can be used:

    Add a note here
    inspect gtp gtp_map_name
  2. Add a note here(Optional) Add a GTP map description:

    Add a note hereFirewall(config-gtpmap)# description string

    Add a note hereYou can add an arbitrary text string (up to 200 characters) as a description of the GTP map.

  3. Add a note hereCustomize GTP options.

    Add a note hereYou can use any of the commands listed in Table 7-9 to set a specific GTP inspection parameter in GTP map configuration mode.

Add a note here Table 7-9: Setting GTP Inspection Parameters
Open table as spreadsheet

Add a note hereParameter Description

Add a note hereCommand Syntax

Add a note hereAllows only international mobile system identifier (IMSI) prefixes: Mobile Country Code (mcc_code, three digits) and Mobile Network Code (mnc_code, three digits).

Add a note here

Add a note hereFirewall(config-gtp-map)# mcc mcc_code mnc mnc_code

Add a note hereAllows packets with errors.

Add a note here

Add a note hereFirewall(config-gtp-map)# permit errors

Add a note hereDrops an access point.

Add a note here

Add a note hereFirewall(config-gtp-map)# drop apn access_point_name

Add a note hereDrops a message ID (1 to 256).

Add a note here

Add a note hereFirewall(config-gtp-map)# drop message message_id

Add a note hereDrops the GTP version (0 to 255).

Add a note here

Add a note hereFirewall(config-gtp-map)# drop version version

Add a note hereSets the maximum number of requests to be queued waiting for a response (1 to 4294967295; the default is 200).

Add a note here

Add a note hereFirewall(config-gtp-map)# request-queue max_requests

Add a note herePermits messages within min (1 to 65536) and max (1 to 65536) bytes.

Add a note here

Add a note hereFirewall(config-gtp-map)# message-length min min max max

Add a note herePermits no more than max tunnels (1 to 4294967295; the default is 500).

Add a note here

Add a note hereFirewall(config-gtp-map)# tunnel-limit max

Add a note here For example, the following commands configure a GTP map that allows GTP packets only from Mobile Country Code 310, Mobile Network Codes 001 and 002. All others are dropped. In addition, GTP messages must be between 1 and 2048 bytes in length. Up to 100 GTP tunnels are allowed to pass through the firewall. The GTP map is then applied to the inspect gtp command as part of a policy map.

Add a note hereFirewall(config)# gtp-map Secure_gtp
Firewall(config-gtp-map)# mcc 310 mnc 001
Firewall(config-gtp-map)# mcc 310 mnc 002
Firewall(config-gtp-map)# message-length min 1 max 2048
Firewall(config-gtp-map)# tunnel-limit 100
Firewall(config-gtp-map)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect gtp Secure_gtp
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring H.323 Inspection

Add a note hereBeginning in ASA 7.2(1), you can configure an H.323 application layer inspection engine. This feature tracks H.323 connections, as well as the subsequent H.245 and RTP port numbers and traffic flows.

Add a note hereYou can use the following steps to configure H.323 inspection:

  1. Add a note here(Optional) Define an H.323 inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect h323 h323_pmap_name
  2. Add a note here (Optional) Define any matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    called-party regex {regex | class

    Firewall(config-pmap-c)# {drop | drop-
    connection | reset}

    Add a note hereMatch: Called party.

    Add a note hereAction: Drop the packet, drop the connection, or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    calling-party regex {regex | class

    Firewall(config-pmap-c)# {drop | drop-
    connection | reset}

    Add a note hereMatch: Calling party.

    Add a note hereAction: Drop the packet, drop the connection, or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match media-type
    {audio | video | data}

    Firewall(config-pmap-c)# drop

    Add a note hereMatch: Media type

    Add a note hereAction: Drop the packet

    Add a note hereAs well, you can configure an H.323 inspection class map with the class-map type inspection h323 h323_cmap_name command. That inspection class map can contain any of the match commands listed here, along with their associated action commands. The idea is to group match and action commands that might be needed in multiple H.323 inspection policies.

    Add a note hereThen you can reference the inspection class map in the inspection policy map with the following command:

    Add a note hereFirewall(config-pmap)# class h323_cmap_name

    Add a note hereBy referencing the inspection class map in several places, you save yourself the trouble of configuring the same match and action commands again and again.

  3. Add a note hereSet H.323 parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the following commands:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# call-duration-
    limit {hh:mm:ss | 0}

    Add a note hereSet the call duration time limit or 0 for no limit

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# call-party-

    Add a note hereEnforce sending call party numbers during the call setup

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# h245-tunnel-
    block action {drop-connection |log}

    Add a note hereWhen an H.245 tunnel is detected, either drop the connection or generate a log

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# hsi-group group

    Add a note hereSet the HSI group number

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# rtp-conformance

    Add a note hereMake sure pinhole RTP packets conform to the RFC; use enforce-payloadtype to enforce audio or video, according to signaling

    Add a note here

    Add a note hereFirewall(config-pmap-p)# state-checking

    Add a note hereCheck the state of H.323 connections

  4. Add a note hereEnable H.323 inspection:

    Add a note hereFirewall(config-pmap-c)# inspect h323 [h323_pmap_name]

    Add a note hereThe inspect h323 command must be entered as an action in a policy map. You can also apply an FTP inspection policy map by giving its name as h323_pmap_name.

Add a note hereAs an example, an H.323 inspection policy map is configured to permit only calls from calling parties beginning with the “859555” prefix (4 digits to follow) and to called parties beginning with the “502555” prefix (4 digits to follow). The inspection engine will also require call party numbers to be included during call setup. It will also enforce RFC conformance for the RTP traffic and will track the state of the H.323 connection. The following commands can be used to configure the H.323 inspection engine policies:

Add a note hereFirewall(config)# regex Party1 "859555...."
Firewall(config)# regex Party2 "502555...."
Firewall(config)# policy-map type inspect h323 MyH323Policy
Firewall(config-pmap)# match not calling-party regex Party1
Firewall(config-pmap-c)# drop-connection
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# match not called-party regex Party2
Firewall(config-pmap-c)# drop-connection
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# call-party-numbers
Firewall(config-pmap-p)# rtp-conformance
Firewall(config-pmap-p)# state-checking
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect h323 MyH323Policy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring HTTP Inspection—ASA 7.2(1) and Later

Add a note hereYou can use the following steps to configure the HTTP application layer inspection engine in ASA 7.2(1) or later:

  1. Add a note here(Optional) Define an HTTP inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect http http_pmap_name
  2. Add a note here (Optional) Define any matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    req-resp content-type mismatch

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP content type mismatch

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    request args {regex | class

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP request arguments with a regular expression

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    request body {length gt length |
    regex {regex | class

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP request body length (in bytes) or content (with a regular expression)

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    request header field {count gt
    count | length gt length |
    regex {regex | class regex_cmap_name}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP request header field as a keyword from the list shown in Table 7-10.

    Add a note here count tallies the number of instances (0-127) of the header field, length measures the length (1-32767 characters) of the header field, regex matches against a regular expression.

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    request method method

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP request method type as a keyword from the list shown in Table 7-10.

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    request uri {length gt length | regex
    {regex | class regex_cmap_name}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP request URI field length (1-65535 characters) or context (regular expression)

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    response body {active-x | java-
    applet | length length | regex {regex
    | class regex_cmap_name}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP response body content (ActiveX or Java), body length, or body content (regular expression)

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    response header field {count gt
    count | length gt length | regex
    {regex | class regex_cmap_name}}

    Firewall(config-pmap-c)# {drop-
    connection | reset} [log]

    Add a note hereMatch: HTTP response header field as a keyword from the list shown in Table 7-10.

    Add a note here count tallies the number of instances (0-127) of the header field, length measures the length (1-32767 characters) of the header field, regex matches against a regular expression.

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here

    Add a note hereFirewall(config-pmap)# match [not] response status-line regex {regex | class regex_cmap_name}

    Firewall(config-pmap-c)# {drop-connection | reset} [log]

    Add a note hereMatch: HTTP response status line content (regular expression)

    Add a note hereAction: Drop or reset the connection; log optional

    Add a note here Table 7-10: Keywords for HTTP Match Request/Response Header and Method Commands
    Open table as spreadsheet

    Add a note hereCommand

    Add a note hereAcceptable Keywords

    Add a note here match request header field

    Add a note here accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, count, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, length, max-forwards, non-ascii, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning

    Add a note here match request method method

    Add a note here bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe

    Add a note here match response header field

    Add a note here accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, count, date, eTag, expires, last-modified, length, location, non-ascii, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate

    Add a note hereAs well, you can configure an HTTP inspection class map with the class-map type inspection http http_cmap_name command. That inspection class map can contain any of the match commands listed here, along with their associated action commands. The idea is to group match and action commands that might be needed in multiple HTTP inspection policies.

    Add a note hereThen you can reference the inspection class map in the inspection policy map with the following command:

    Add a note hereFirewall(config-pmap)# class http_cmap_name

    Add a note hereBy referencing the inspection class map in several places, you save yourself the trouble of configuring the same match and action commands again and again.

  3. Add a note hereSet HTTP parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the following commands:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# body-match-
    maximum [size]

    Add a note hereSet the maximum number of characters to search in the body content.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# protocol-
    violation [{drop-connection | reset}

    Add a note hereCheck for HTTP protocol violations; if any are found, drop or reset the connection; log optional

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# spoof-server

    Add a note hereSet the spoof server field to the string text.

  4. Add a note hereEnable HTTP inspection:

    Add a note hereFirewall(config-pmap-c)# inspect http [http_pmap_name]

    Add a note hereThe inspect http command must be entered as an action in a policy map. You can also apply an HTTP inspection policy map by giving its name as http_pmap_name.

Add a note hereAs an example, an HTTP inspection policy map MyHTTPPolicy is used to enforce two policies:

  • Add a note hereDrop connections that have a content type mismatch or a URI length of more than 1024 characters

  • Add a note hereLog but permit connections that return ActiveX or Java applet content

Add a note hereThe policies are configured as two HTTP inspection class maps. The following commands can be used to configure the HTTP inspection policies:

Add a note hereFirewall(config)# class-map type inspect http match-any MyHTTPClass_drop
Firewall(config-cmap)# match req-resp-content-type mismatch
Firewall(config-cmap)# match request uri length gt 1024
Firewall(config-cmap)# exit
Firewall(config)# class-map type inspect http match-any MyHTTPClass_log
Firewall(config-cmap)# match response body active-x
Firewall(config-cmap)# match response body java-applet
Firewall(config-cmap)# exit
Firewall(config)# policy-map type inspect http MyHTTPPolicy
Firewall(config-pmap)# class MyHTTPClass_drop
Firewall(config-pmap-c)# drop-connection
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# class MyHTTPClass_log
Firewall(config-pmap-c)# log
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect http MyHTTPPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring HTTP Inspection—FWSM and ASA 7.0-7.1

Add a note hereHTTP is used to exchange data between a client and a server. Most often, this is used between a client’s web browser and a web server. HTTP is defined in RFC 1945 (HTTP v1.0) and RFC 2616 (HTTP v1.1). The basic HTTP inspection engine (beginning with PIX 6.3 fixup http) performs URL logging and Java and ActiveX filtering and enables the use of Websense or N2H2 for URL filtering.

Add a note hereBeginning with ASA 7.0(1) and FWSM 3.1(1), HTTP application inspection can be enhanced with any of the following criteria:

  • Add a note hereHTTP traffic must conform to RFC 2616 (HTTP 1.1)

  • Add a note hereAllowed message body or content length size

  • Add a note hereMessage content type matches the HTTP header

  • Add a note hereAllowed request and response header size

  • Add a note hereAllowed URI length

  • Add a note hereAllowed use of port 80 for non-HTTP applications

  • Add a note hereAllowed request methods

Add a note hereTo configure enhanced HTTP inspection, you can follow these steps to configure an HTTP map for use with the inspect http command:

  1. Add a note hereDefine the HTTP map name:

    Add a note hereFirewall(config)# http-map http_map_name

    Add a note hereThe HTTP map is named http_map_name (up to 64 characters). The HTTP map must be applied with the following command in a policy map before it can be used:

    Add a note here
    inspect http http_map_name
  2. Add a note here(Optional) Check the message content length:

    Add a note hereFirewall(config-http-map)# content-length {[min minimum] [max maximum]}
    action {allow | drop | reset} [log]

    Add a note here If the HTTP message content is larger than minimum (1 to 65535 bytes) and smaller than maximum (1 to 50,000,000 bytes), it is allowed to pass. If it fails this test, one of the following actions is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereIf the min keyword is omitted, the content length must be less than maximum. If max is omitted, the length must be greater than minimum. You can also use the log keyword to generate Syslog messages based on the action taken.

    Add a note hereYou can configure only one content-length command in an HTTP map.

    Add a note hereFor example, the following commands allow message lengths greater than 256 bytes to pass. Packets smaller than 256 bytes fail the test, triggering the action to reset the TCP connection and generate a Syslog message:

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# content-length min 256 action reset log
    Firewall(config-http-map)# exit
  3. Add a note here(Optional) Verify the message content type:

    Add a note hereFirewall(config-http-map)# content-type-verification [match-req-rsp] action
    {allow | drop | reset} [log]

    Add a note hereEach HTTP message is examined to make sure the content type stated in the HTTP header matches the message’s actual content and that the content is an acceptable type. You can add the match-req-rsp keyword to verify that the content type in each HTTP request header matches the content type returned in the corresponding HTTP response header.

    Add a note here Table 7-11 lists the acceptable content types.

    Add a note here Table 7-11: Acceptable HTTP Message Content Types
    Open table as spreadsheet

    Add a note hereContent

    Add a note hereType

    Add a note hereapplication/

    Add a note heremsword, octet-stream, pdf, postscript,,, x-gzip, x-java-arching, x-java-xm, zip

    Add a note hereaudio/

    Add a note here*, basic, midi, mpeg, x-adpcm, x-aiff, x-ogg, x-wav

    Add a note hereimage/

    Add a note here*, cgf, gif, jpeg, png, tiff, x-3ds, x-bitmap, x-niff, x-portable-bitmap, x-portable-greymap, x-xpm

    Add a note heretext/

    Add a note here*, css, html, plain, richtext, sgml, xmcd, xml

    Add a note herevideo/

    Add a note here*, -flc, mpeg, quicktime, sgi, x-avi, x-fli, x-mng, x-msvideo

    Add a note hereIf all these tests pass, the packet is allowed to pass. If a packet fails the tests, one of the following actions is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereFor example, the following commands allow verified messages to pass. If the verification fails, those packets are also allowed (action allow), but a Syslog message is generated:

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# content-type-verification match-req-rsp action
    allow log
    Firewall(config-http-map)# exit
  4. Add a note here (Optional) Check the header length:

    Add a note hereFirewall(config-http-map)# max-header-length {[request length] [response
    length]} action {allow | drop | reset} [log]

    Add a note hereIf you use the request keyword, the HTTP request header length must be less than length (0 to 65535 bytes). If you use the response keyword, the corresponding HTTP response header must be less than length (0 to 65535 bytes).

    Add a note hereIf a packet fails this test, one of the following actions is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereFor example, the following commands allow HTTP request messages with header lengths of less than 200 bytes. The corresponding HTTP response headers must also be less than 200 bytes. Otherwise, the HTTP connection is reset.

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# max-header-length request 200 response 200
    action reset log
    Firewall(config-http-map)# exit
  5. Add a note here(Optional) Check the Uniform Resource Identifier URI length:

    Add a note hereFirewall(config-http-map)# max-uri-length length action {allow | drop |
    reset} [log]

    Add a note hereThe length of the URI in an HTTP request message must be less than length (1 to 65535) bytes. If its length is greater, one of the following actions is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereFor example, the following commands allow HTTP requests with URIs shorter than 256 bytes to pass. If the URIs are longer, the HTTP connection is reset:

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# max-uri-length 256 action reset log
    Firewall(config-http-map)# exit
  6. Add a note here(Optional) Test for HTTP port cloaking:

    Add a note hereFirewall(config-http-map)# port-misuse {default | im | p2p | tunnelling}
    action {allow | drop | reset} [log]

    Add a note hereHTTP port cloaking is used to transport traffic from a non-HTTP application over the standard HTTP port. These applications appear to use regular HTTP, as if they were web-based applications. The firewall can detect some misuses of the HTTP port by examining the entire contents of each HTTP packet.

    Add a note hereYou can use one of the following keywords to detect a specific tunneling application:

    Add a note hereIf the application is detected, the corresponding action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereYou can also use the default keyword to define an action to be taken for any HTTP port misuse application that is not one of the keywords listed.

    Add a note hereYou can repeat this command to define multiple applications to detect.

    Add a note hereFor example, the following commands reset connections if a peer-to-peer application, a tunneling application, or any other unrecognized port-cloaking application is detected. Only instant messaging applications are allowed to pass through.

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# port-misuse im action allow
    Firewall(config-http-map)# port-misuse default action reset log
    Firewall(config-http-map)# exit
  7. Add a note here(Optional) Check the HTTP request method:

    Add a note hereFirewall(config-http-map)# request-method {rfc | ext} {method | default}
    action {allow | drop | reset} [log]

    Add a note hereBy default, all HTTP request methods are allowed. You can define a policy for a specific request method based on whether it is a request method defined in RFC 2616 (rfc) or an HTTP extension method (ext).

    Add a note hereFor rfc, you can use one of the following method keywords: connect, delete, get, head, options, post, put, or trace.

    Add a note hereFor ext, you can use one of the following method keywords: copy, edit, getattribute, getattributenames, getproperties, index, lock, mkdir, move, revadd, revlabel, revlog, revnum, save, setattribute, startrev, stoprev, unedit, or unlock.

    Add a note hereYou can also use the default keyword to define an action to be taken for any request method not explicitly configured.

    Add a note hereIf the specified method is detected, the corresponding action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereYou can repeat this command to define multiple request method policies.

    Add a note here For example, the following commands allow any of the RFC 2616 request methods to pass. If any of the extension’s request methods is detected, the HTTP connection is reset:

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# request-method rfc default action allow
    Firewall(config-http-map)# request-method ext default action reset log
    Firewall(config-http-map)# exit
  8. Add a note here(Optional) Check for RFC 2616 compliance:

    Add a note hereFirewall(config-http-map)# strict-http action {allow | drop | reset}

    Add a note hereBy default, HTTP packets that are not compliant with RFC 2616 are dropped. You can specify a different action to take when noncompliant traffic is detected: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note hereYou can add the log keyword to generate Syslog messages when the action is taken.

    Add a note hereFor example, the following commands allow noncompliant HTTP messages to be forwarded. As an audit trail, Syslog messages are sent when this occurs:

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# strict-http action allow log
    Firewall(config-http-map)# exit
  9. Add a note here(Optional) Check the transfer encoding type:

    Add a note hereFirewall(config-http-map)# transfer-encoding type {type | default}
    action {allow | drop | reset} [log]

    Add a note hereTransfer encoding is used to convert a document into a form that can be transported over HTTP. You can specify a transfer encoding type as one of the keywords listed in Table 7-12.

    Add a note here Table 7-12: Transfer Encoding Types for HTTP
    Open table as spreadsheet

    Add a note hereTransfer Encoding type

    Add a note hereDescription

    Add a note here chunked

    Add a note hereThe message is sent as a series of “chunks”

    Add a note here compress

    Add a note hereUNIX file compression

    Add a note here deflate

    Add a note herezlib format (RFC 1950) and deflate compression (RFC 1951)

    Add a note here gzip

    Add a note hereGNU zip (RFC 1952)

    Add a note here identity

    Add a note hereNo transfer encoding is used

    Add a note hereYou can also use the default keyword to match all transfer encoding types other than the ones you explicitly configure.

    Add a note hereWhen this transfer encoding type is detected in an HTTP message, the specified action is taken: allow the packet to pass, drop the packet, or reset the HTTP connection.

    Add a note here For example, the following commands allow the identity and gzip encodings, and all other types cause the HTTP connection to be reset:

    Add a note hereFirewall(config)# http-map Filter_http
    Firewall(config-http-map)# transfer-encoding type identity action allow
    Firewall(config-http-map)# transfer-encoding type gzip action allow
    Firewall(config-http-map)# transfer-encoding type default action reset log
    Firewall(config-http-map)# exit
    Firewall(config)# class-map _MyClass
    Firewall(config-cmap)# match port tcp eq 80
    Firewall(config-cmap)# exit
    Firewall(config)# policy-map MyPolicy
    Firewall(config-pmap)# class MyClass
    Firewall(config-pmap-c)# inspect http Filter_http
    Firewall(config-pmap-c)# exit
    Firewall(config-pmap)# exit
    Firewall(config)# service-policy MyPolicy interface outside

Configuring ICMP Inspection

Add a note hereInternet Control Message Protocol (ICMP) is used in a variety of ways to test and exchange network parameters between devices. For example, the ping “application” can be used to send echo requests from one host to another; the target host is expected to return echo replies. This tests the hosts’ livelihood and the network’s connectivity.

Add a note hereIn platform releases prior to ASA 7.0(1) and FWSM 3.1(1), a firewall can allow ICMP traffic to pass through, but only if interface access lists are configured to explicitly permit it. As ICMP packets cross from one firewall interface to another, a special ICMP xlate entry is created. However, this xlate is used only to provide the translation—not to provide ICMP inspection. ICMP xlate entries have a fixed idle time of about 30 seconds.

Add a note hereOutbound pings might be allowed, but the return traffic is blocked at the outside interface unless that access list permits it to enter. It becomes difficult to know which outside addresses will return legitimate ICMP traffic, so a permit icmp any any is often added to the outside access list. Obviously, such a broad rule leaves the door open for malicious users to abuse inbound ICMP into a network.

Add a note hereBeginning with FWSM 3.1(1) and ASA 7.0(1), an ICMP inspection engine is available. Rather than explicitly configuring access list rules to permit inbound ICMP traffic, the firewall can selectively (and automatically) permit return traffic based on the original outbound requests.

Add a note hereFor example, as an inside host sends an ICMP echo packet toward an outside host, the firewall builds the ICMP xlate entry. The source and destination addresses are examined, along with the ICMP message type and code, the ICMP identifier, and the ICMP sequence number fields. This forms a five-tuple of information that can be inspected and matched.

Add a note here For example, the following output represents the ICMP xlate entry that was created when inside host (translated to global address sent one ICMP echo request packet to outside host

Add a note here%ASA-6-305011: Built dynamic ICMP translation from inside: to
Firewall# show xlate
5 in use, 12 most used
PAT Global Local ICMP id 512
[output omitted]

Add a note hereHere, /512 and ICMP id 512 represent the inside host’s ICMP identifier field value. During the dynamic address translation, the firewall creates a dynamic ICMP identifier for the outside target. This is shown as /1 and (1) after the address lines.

Add a note hereThe ICMP inspection engine examines return ICMP traffic, looking for packets that are expected in response to a prior request. ICMP is IP protocol 1. It does not include any mechanisms for establishing a connection or tracking the state of a message exchange. The ICMP inspection engine must use the five-tuple of ICMP information gathered from request and response packets to approximate a connection state.

Add a note hereIn fact, after an ICMP xlate is created and a request packet goes out, the firewall creates a special ICMP connection entry apart from the normal conn table entries. The following Syslog message was generated when the special connection was created:

Add a note here%ASA-6-302020: Built ICMP connection for faddr gaddr

Add a note hereFinally, the ICMP inspection engine permits only one response to return for every request that is sent out. The ICMP sequence numbers must also match between a request and a reply packet. With “stateful” ICMP inspection, the ICMP connections and xlate entries can be quickly torn down as soon as the appropriate reply is received.

Add a note hereYou can see this in the following Syslog output, which resulted from one ICMP echo request packet being sent from inside host (translated to global address to outside host (Message ID 711001 was produced because the debug icmp trace command was also used.)

Add a note here%ASA-6-609001: Built local-host outside:
%ASA-6-305011: Built dynamic ICMP translation from inside: to
%ASA-6-302020: Built ICMP connection for faddr gaddr
%ASA-7-711001: ICMP echo request (len 32 id 512 seq 25344) >
%ASA-7-711001: ICMP echo reply (len 32 id 2 seq 25344) >
%ASA-6-302021: Teardown ICMP connection for faddr gaddr
%ASA-6-609002: Teardown local-host outside: duration 0:00:00

Add a note hereThe time from when the xlate entries were first created until the ICMP connection entry was deleted and the xlates torn down is shown to be 0:00:00 (less than 1 second)! The ICMP inspection engine allows the connectionless and stateless ICMP protocol to be used through a firewall while maintaining a high level of security.

Add a note hereBy default, ICMP inspection is not enabled. To enable it, you can add the following command to a policy map as an action:

Add a note hereFirewall(config-pmap-c)# inspect icmp

Add a note hereFor example, you might want to add ICMP inspection to the default service policy that is applied to all firewall interfaces. To do so, you only need to add the inspect icmp command to the default global_policy policy map that is already defined. This policy map is already applied as a global service policy, so you do not need to define it separately. You can use the following commands to add the inspection to the default policy map:

Add a note hereFirewall(config)# policy-map global_policy
Firewall(config-pmap)# class inspection_default
Firewall(config-pmap-c)# inspect icmp
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit

Add a note hereBy default, ICMP inspection does not permit any ICMP error packets to return through an address translation. This is because an ICMP error message can be sent from an address other than the original ICMP target. For example, if the IP time-to-live (TTL) value expires on an ICMP echo request that was sent to an outside host, an intervening router sends an ICMP error message back to the inside host. That packet uses the router’s own IP address as the source address—not the ICMP echo target host’s address.

Add a note hereWhen a router replies with an ICMP error packet, it must also include the first 64 bytes of the original IP packet as the error message payload. When a host receives the error packet, it can look inside the payload to see the original source and destination addresses, protocol, port numbers, and so on.

Add a note hereYou can use the following command to enable ICMP error processing as part of the ICMP inspection:

Add a note hereFirewall(config-pmap-c)# inspect icmp error

Add a note hereNow the firewall examines ICMP error packet payloads to find the original packet details. If it can match those to known ICMP “connections” and xlate entries, it can work out the address translation and permits the ICMP error packet to reach the original sender.

Configuring Instant Messaging (IM) Inspection

Add a note hereBeginning in ASA 7.2(1), you can configure an application layer inspection engine that enforces policies related to instant messaging applications. Use the following steps to configure and tune the IM inspection engine:

  1. Add a note here(Optional) Define an IM inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect im im_pmap_name
  2. Add a note here (Optional) Define any matching conditions and their actions:

    Open table as spreadsheet

    Add a note hereMatch and Action Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    filename regex {regex | class

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: Filename in file transfer (except MSN Messenger)

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] ip-
    address ip_address subnet_mask

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: Client IP address

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] login-
    name regex {regex | class regex_cmap_name}

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: Client’s IM login name

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] peer-
    ip-address ip_address subnet_mask

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: Peer IP address (client or server)

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not] peer-
    login-name regex {regex | class

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: Peer’s IM login name (client only)

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    protocol [msn-im] [yahoo-im]

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: IM protocol

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    service {chat | conference | file-transfer
    | games | voice-chat | webcam}

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: IM service

    Add a note hereAction: Drop or reset the connection

    Add a note here

    Add a note here
    Firewall(config-pmap)# match [not]
    version regex {regex | class

    Firewall(config-pmap-c)# {drop-connection
    | reset}

    Add a note hereMatch: IM file transfer service version

    Add a note hereAction: Drop or reset the connection

    Add a note here As well, you can configure an IM inspection class map with the class-map type inspection im im_cmap_name command. That inspection class map can contain any of the match commands listed here, along with their associated action commands. The idea is to group match and action commands that might be needed in multiple IM inspection policies.

    Add a note hereThen you can reference the inspection class map in the inspection policy map with the following command:

    Add a note hereFirewall(config-pmap)# class im_cmap_name

    Add a note hereBy referencing the inspection class map in several places, you save yourself the trouble of configuring the same match and action commands again and again.

    Add a note hereThere are no parameters to set for the IM inspection policy map.

  3. Add a note hereEnable IM inspection:

    Add a note hereFirewall(config-pmap-c)# inspect im [im_pmap_name]

    Add a note hereThe inspect im command must be entered as an action in a policy map. You can also apply an FTP inspection policy map by giving its name as pmap_name.

Add a note hereAs an example, an IM inspection engine policy is configured to reset connections when clients attempt to transfer files with “.exe” in their names. As well, webcam services are prevented by resetting the connections. The following commands can be used to configure the IM inspection policies:

Add a note hereFirewall(config)# regex IMblock1 ".*\.exe"
Firewall(config)# policy-map type inspect im MyIMPolicy
Firewall(config-pmap)# match filename regex IMblock1
Firewall(config-pmap-c)# reset
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# match service webcam
Firewall(config-pmap-c)# reset
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect im MyIMPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring IPSec Passthru Inspection

Add a note hereBeginning with ASA 7.2(1), a firewall can be configured to inspect IPSec tunnels that pass through it. Because the IPSec tunnels do not terminate on the firewall directly, the firewall is not able to inspect the traffic in any detail.

Add a note hereInstead, the tunneled traffic is likely encrypted and secured; the firewall can only monitor the number of tunnels passing through to individual client IP addresses and the amount of time the tunnels have been idle.

Add a note here You can use the following steps to configure IPSec Passthru inspection in ASA 7.2(1) or later:

  1. Add a note here(Optional) Define an IPSec Passthru inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect ipsec-pass-thru ipsec_pmap_name

    Add a note hereNo matching conditions need to be configured for this inspection engine.

  2. Add a note hereSet IPSec Passthru parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the following commands:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# ah [per-
    client-max number] [timeout hh:mm:ss]

    Add a note hereSet the maximum number of AH mode tunnels allowed from any one client (per-client-max, 0–65,535) or the tunnel idle timeout (timeout).

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# esp [per-
    client-max number] [timeout hh:mm:ss]

    Add a note hereSet the maximum number of ESP mode tunnels allowed from any one client (per-client-max, 0–65,535) or the tunnel idle timeout (timeout).

  3. Add a note hereEnable IPSec Passthru inspection:

    Add a note hereFirewall(config-pmap-c)# inspect ipsec-pass-thru [ipsec_pmap_name]

    Add a note hereThe inspect ipsec-pass-thru command must be entered as an action in a policy map. You can also apply an IPSec Passthru inspection policy map by giving its name as ipsec_pmap_name.

Add a note hereAs an example, an IPSec Passthru policy map is configured to enforce an idle timeout of 12 hours on client ESP tunnels passing through the firewall. The following commands can be used to configure the IPSec Passthru policy and inspection engine:

Add a note hereFirewall(config)# policy-map type inspect ipsec-pass-thru MyIPsecPolicy
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# esp timeout 12:00:00
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect ipsec-pass-thru MyIPsecPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring MGCP Inspection—ASA 7.2(1) and Later

Add a note hereMedia Gateway Control Protocol (MGCP) is used by call agents to control media gateways (devices that convert telephone circuit audio to data packets). A firewall’s MGCP inspection engine can monitor the “pinholes” or connections that are built as call agents and gateways communicate.

Add a note here You can use the following steps to configure MGCP inspection in ASA 7.2(1) or later:

  1. Add a note here(Optional) Define an MGCP inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect mgcp mgcp_pmap_name

    Add a note hereNo matching conditions need to be configured for the MGCP inspection engine.

  2. Add a note hereSet MGCP parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the commands shown in the following table:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# call-agent
    ip_address group_id

    Add a note hereSet the IP address and call group ID of the call agents that can manage gateways in the same group.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# gateway
    ip_address group_id

    Add a note hereSet the IP address and call group ID of a gateway that can be controlled by a call agent in the same group.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# command-queue

    Add a note hereSet the maximum number of queued MGCP messages until a response is received.

  3. Add a note hereEnable MGCP inspection:

    Add a note hereFirewall(config-pmap-c)# inspect mgcp [mgcp_pmap_name]

    Add a note hereThe inspect mgcp command must be entered as an action in a policy map. You can also apply an FTP inspection policy map by giving its name as pmap_name.

Add a note hereAs an example, an MGCP inspection policy map is configured to control which call agents can manage which gateways. Call agents and can manage gateways and Call agents and can manage gateways and The following commands can be used to configure the MGCP inspection engine policies:

Add a note hereFirewall(config)# policy-map type inspect mgcp MyMGCPPolicy
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# call-agent 10
Firewall(config-pmap-p)# call-agent 10
Firewall(config-pmap-p)# call-agent 20
Firewall(config-pmap-p)# call-agent 20
Firewall(config-pmap-p)# gateway 10
Firewall(config-pmap-p)# gateway 10
Firewall(config-pmap-p)# gateway 20
Firewall(config-pmap-p)# gateway 20
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect mgcp MyMGCPPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring an MGCP Map—FWSM and ASA 7.0-7.1

Add a note hereMedia Gateway Control Protocol (MGCP) is used by call agents to control media gateways (devices that convert telephone circuit audio to data packets).

Add a note hereYou can follow these steps to configure an MGCP map for use with the inspect mgcp command:

  1. Add a note hereDefine the MGCP map name:

    Add a note hereFirewall(config)# mgcp-map mgcp_map_name

    Add a note hereThe MGCP map is named mgcp_map_name (up to 64 characters). You must apply the MGCP map in a policy map with the following command map before it can be used:

    Add a note here
    inspect mgcp mgcp_map_name
  2. Add a note hereCustomize MGCP options:

    Add a note hereYou can use any of the commands listed in Table 7-13 to set a specific MGCP inspection parameter in MGCP map configuration mode.

Add a note here Table 7-13: Setting MGCP Inspection Parameters
Open table as spreadsheet

Add a note hereParameter Description

Add a note hereCommand Syntax

Add a note hereDefines a call agent (ip_address) as part of a group (group_id, 0 to 4294967295).

Add a note here

Add a note hereFirewall(config-mgcp-map)# call-agent
ip_address group_id

Add a note herePermits call agents in a group (group_id, 0 to 4294967295) to manage the gateway at ip_address.

Add a note here

Add a note hereFirewall(config-mgcp-map)# gateway
ip_address group_id

Add a note hereSets the maximum number of requests to be queued waiting for a response (1 to 4294967295; the default is 200).

Add a note here

Add a note hereFirewall(config-mgcp-map)# command-queue

Add a note hereFor example, suppose an MGCP map is configured to allow call agents at and to control the gateway at Those call agents are defined as group 1. The call agents at and are defined as group 2 and are allowed to control a different gateway at The MGCP map is then applied to the inspect mgcp command in a policy map. The following commands are used:

Add a note hereFirewall(config)# mgcp-map MyMGCPMap
Firewall(config-mgcp-map)# call-agent 1
Firewall(config-mgcp-map)# call-agent 1
Firewall(config-mgcp-map)# gateway 1
Firewall(config-mgcp-map)# call-agent 2
Firewall(config-mgcp-map)# call-agent 2
Firewall(config-mgcp-map)# gateway 2
Firewall(config-mgcp-map)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect mgcp MyMGCPMap
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring NetBIOS Inspection

Add a note hereThe NetBIOS Name Service (NBNS) is a protocol that is used to resolve NetBIOS names to IP addresses. A firewall can inspect NBNS traffic to update embedded IP addresses according to any active address translations. The inspection engine can also monitor the NetBIOS exchanges, to make sure everything follows the RFC that defines NetBIOS.

Add a note hereYou can use the following steps to configure NetBIOS inspection in ASA 7.2(1) or later:

  1. Add a note here(Optional) Define an NetBIOS inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect netbios netbios_pmap_name

    Add a note hereNo matching conditions need to be configured for the NetBIOS inspection engine.

  2. Add a note hereSet NetBIOS parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the commands shown in the following table:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# protocol-
    violation action [drop] log

    Add a note hereIf NetBIOS packets are found to be violating the RFC, drop the connection and/or log it.

  3. Add a note hereEnable NetBIOS inspection:

    Add a note hereFirewall(config-pmap-c)# inspect netbios [netbios_pmap_name]

    Add a note hereThe inspect netbios command must be entered as an action in a policy map. You can also apply a NetBIOS inspection policy map by giving its name as pmap_name.

Configuring RADIUS Accounting Inspection

Add a note hereRADIUS is a protocol that can be used for user authentication, authorization, and to keep an audit trail of user accounting information. Beginning in ASA 7.2(1), the ASA platform has an application layer inspection engine for RADIUS accounting traffic.

Add a note here It is important to maintain the integrity of RADIUS accounting because it usually contains a record of customer activity for billing purposes.

Add a note hereYou can use the following steps to configure RADIUS accounting inspection in ASA 7.2(1) or later:

  1. Add a note here(Optional) Define a RADIUS accounting inspection policy map:

    Add a note hereFirewall(config)# policy-map type inspect radius-accounting radius_pmap_name

    Add a note hereNo matching conditions need to be configured for the RADIUS accounting inspection engine.

  2. Add a note hereSet RADIUS accounting parameters:

    Add a note hereFirewall(config-pmap)# parameters

    Add a note hereFirst, enter the parameters mode and then configure one or more parameters with the following commands:

    Open table as spreadsheet

    Add a note hereParameter Command Syntax

    Add a note hereDescription

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# host hostname
    [key key_string]

    Add a note hereIdentify a RADIUS host that will be inspected; hostname can be IP address or a hostname string; key_string can be up to 128 characters long.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# send response

    Add a note hereSend a RADIUS Accounting-Response Start and Stop messages to the sender of the respective request messages.

    Add a note here

    Add a note here
    Firewall(config-pmap-p)# timeout users

    Add a note hereSet an inactivity timer for RADIUS accounting users; a timeout of 0:0:0 will tear down the RADIUS accounting connection immediately.

    Add a note here

    Add a note hereFirewall(config-pmap-p)# validate-
    attribute attribute_number

    Add a note hereValidate the RADIUS accounting attribute number (1–191) when it appears in messages. Vendor Specific Attributes (VSA) are not supported.

  3. Add a note hereEnable RADIUS accounting inspection:

    Add a note hereFirewall(config-pmap-c)# inspect radius-accounting [radius_pmap_name]

    Add a note hereThe inspect radius-accounting command must be entered as an action in a policy map. You can also apply a RADIUS accounting inspection policy map by giving its name as pmap_name.

Add a note hereAs an example, a RADIUS accounting inspection policy is configured to identify the RADIUS host at using the secret key “BigSecretKey”. The inspection engine will always send a Start and Stop message back to the requester, ensuring that the accounting records are not spoofed to exploit spoofing of billing records.

Add a note hereFirewall(config)# policy-map type inspect radius-accounting MyRADIUSPolicy
Firewall(config-pmap)# parameters
Firewall(config-pmap-p)# host key BigSecretKey
Firewall(config-pmap-p)# send response
Firewall(config-pmap-p)# exit
Firewall(config-pmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class class-default
Firewall(config-pmap-c)# inspect radius-accounting MyRADIUSPolicy
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

Configuring SNMP Inspection

Add a note hereSimple Network Management Protocol (SNMP) is used to monitor and manage devices with an SNMP agent from a management station. By default, all versions of SNMP are allowed to pass through a firewall, as long as SNMP itself (UDP port 161) is permitted.

Add a note hereYou can use the following steps to configure enhanced SNMP inspection, which allows specific versions of SNMP to be denied. For example, SNMPv1 has no mechanisms for security, so your network security policies might not allow that type of traffic to be used.

Add a note hereAn SNMP map is used with the inspect snmp command to define additional parameters for inspection.


Add a note hereBeginning with ASA 7.2(1), most of the application layer inspection engines switched to an MPF-based configuration, using the policy-map type inspect command to configure inspection options. The SNMP inspection engine did not follow that model; instead, it is configured using the snmp-map command.

  1. Add a note hereDefine the SNMP map name:

    Add a note hereFirewall(config)# snmp-map snmp_map_name

    Add a note hereThe SNMP map is named snmp_map_name (up to 64 characters).

  2. Add a note hereDeny a specific SNMP version:

    Add a note hereFirewall(config-snmp-map)# deny version {1 | 2 | 2c | 3}

    Add a note hereYou can repeat this command to deny more than one SNMP version.

  3. Add a note hereEnable SNMP inspection:

    Add a note hereFirewall(config-pmap-c)# inspect snmp snmp_map_name

    Add a note hereThe inspect snmp command must be entered as an action in a policy map. You can also apply an SNMP inspection map by giving its name as snmp_map_name.

Add a note here For example, the following commands define an snmp-map that denies packets using SNMP versions 1 and 2 during SNMP inspection. The SNMP map is then applied to the inspect snmp command in a policy map.

Add a note hereFirewall(config)# snmp-map Filter_snmp
Firewall(config-snmp-map)# deny version 1
Firewall(config-snmp-map)# deny version 2
Firewall(config-snmp-map)# exit
Firewall(config)# class-map _MyClass
Firewall(config-cmap)# match any
Firewall(config-cmap)# exit
Firewall(config)# policy-map MyPolicy
Firewall(config-pmap)# class MyClass
Firewall(config-pmap-c)# inspect snmp Filter_snmp
Firewall(config-pmap-c)# exit
Firewall(config-pmap)# exit
Firewall(config)# service-policy MyPolicy interface outside

No comments:

Post a Comment