6-14
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 Getting Started with Application Layer Protocol Inspection
Configure Application Layer Protocol Inspection
Where global applies the policy map to all interfaces, and interface applies the policy to one interface.
By default, the default policy map, “global_policy,” is applied globally. Only one global policy is
allowed. You can override the global policy on an interface by applying a service policy to that interface.
You can only apply one policy map to each interface.
Choosing the Right Traffic Class for Inspection
The default Layer 3/4 class map for through traffic is called “inspection_default.” It matches traffic using a special match command, match default-inspection-traffic, to match the default ports for each application protocol. This traffic class (along with match any, which is not typically used for inspection) matches both IPv4 and IPv6 traffic for inspections that support IPv6. See for a list of IPv6-enabled inspections.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the ACL are ignored.
Tip: We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, ASA performance can be impacted.
If you want to match non-standard ports, then create a new class map for the non-standard ports. See Default Inspections and NAT Limitations, page 6-6, for the standard ports for each inspection engine.
You can combine multiple class maps in the same policy if desired, so you can create one class map to
match certain traffic, and another to match different traffic. However, if traffic matches a class map that
contains an inspection command, and then matches another class map that also has an inspection
command, only the first matching class is used. For example, SNMP matches the inspection_default
class. To enable SNMP inspection, enable SNMP inspection for the default class. Do not add another
class that matches SNMP.
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands:
hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
View the entire class map using the following command:
hostname(config-cmap)# show running-config class-map inspection_default
!
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
!
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an ACL that specifies the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
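The two rules stated above (ports in an ACL are ignored when the class also carries match default-inspection-traffic, and only the first matching class with an inspect command in a policy map is used) are easy to violate when a configuration grows. The following added example, which is not Cisco code and not part of this guide, is a small linter that parses an ASA-style configuration and reports both pitfalls. SAMPLE_CONFIG is constructed from the ACLs and class maps shown above plus an assumed global_policy, an assumed per-interface outside_policy, and an assumed snmp_hosts ACL; DEFAULT_INSPECTION_PORTS is an assumed, deliberately incomplete subset of the real default-inspection port table, so a real deployment would fill it from the guide's port list.

```python
"""Added example, not Cisco's code: lint an ASA service-policy configuration
for the inspection pitfalls described on this page (see lead-in)."""
import re

# Assumed partial table of default-inspection ports: (protocol, port) -> engine.
DEFAULT_INSPECTION_PORTS = {("tcp", 21): "ftp", ("tcp", 80): "http",
                            ("udp", 53): "dns", ("udp", 161): "snmp"}

# Constructed sample: the page's ACLs and class maps plus assumed policy maps.
SAMPLE_CONFIG = """\
access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
access-list snmp_hosts extended permit udp any host 192.168.1.5 eq 161
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
class-map new_inspection
 match access-list ftp_inspect
class-map snmp_narrow
 match default-inspection-traffic
 match access-list snmp_hosts
policy-map global_policy
 class inspection_default
  inspect snmp
 class new_inspection
  inspect ftp
policy-map outside_policy
 class snmp_narrow
  inspect snmp
service-policy global_policy global
service-policy outside_policy interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) .*?(?: eq (\d+))?$")


def parse_config(text):
    """Return (acls, class_maps, policies): ACL name -> {(proto, port)};
    class name -> {"default": bool, "acls": [...]}; policy -> [[class, has_inspect]]."""
    acls, class_maps, policies, cur = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access-list "):
            m = ACL_RE.match(line)
            if m:
                name, proto, port = m.groups()
                acls.setdefault(name, set())
                if port is not None:  # an ACE without 'eq' carries no port
                    acls[name].add((proto, int(port)))
        elif line.startswith("class-map "):
            cur = ("cmap", line.split()[1])
            class_maps[cur[1]] = {"default": False, "acls": []}
        elif line.startswith("policy-map "):
            cur = ("pmap", line.split()[1])
            policies[cur[1]] = []
        elif line.startswith("service-policy "):
            cur = None  # top-level command; ends any block
        elif cur and cur[0] == "cmap":
            if line == "match default-inspection-traffic":
                class_maps[cur[1]]["default"] = True
            elif line.startswith("match access-list "):
                class_maps[cur[1]]["acls"].append(line.split()[2])
        elif cur and cur[0] == "pmap":
            if line.startswith("class "):
                policies[cur[1]].append([line.split()[1], False])
            elif line.startswith("inspect ") and policies[cur[1]]:
                policies[cur[1]][-1][1] = True
    return acls, class_maps, policies


def effective_ports(cmap, acls):
    """Ports the class really matches, plus ACL ports the ASA silently ignores."""
    if cmap["default"]:
        # default-inspection-traffic fixes the ports; the ACL only narrows addresses
        ignored = [(a, sorted(acls[a])) for a in cmap["acls"] if acls.get(a)]
        return set(DEFAULT_INSPECTION_PORTS), ignored
    ports = set()
    for a in cmap["acls"]:
        ports |= acls.get(a, set())
    return ports, []


def lint(text):
    """Return findings as tuples; an empty list means no pitfall was detected."""
    acls, class_maps, policies = parse_config(text)
    findings = []
    for cname, cmap in class_maps.items():
        for acl, ports in effective_ports(cmap, acls)[1]:
            findings.append(("ignored-ports", cname, acl, ports))
    for pname, classes in policies.items():
        seen = []  # earlier classes in this policy that carry inspect commands
        for cname, has_inspect in classes:
            if not has_inspect or cname not in class_maps:
                continue
            ports = effective_ports(class_maps[cname], acls)[0]
            for earlier, eports in seen:
                overlap = sorted(ports & eports)
                if overlap:  # first matching class wins for the inspection feature
                    findings.append(("shadowed", pname, cname, earlier, overlap))
            seen.append((cname, ports))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(*finding)
```

Run as a script, the linter reports two findings for the constructed sample: the udp/161 port in snmp_hosts is ignored because snmp_narrow also matches default-inspection-traffic (the ACL still narrows the addresses, as the text above describes), and new_inspection is shadowed by inspection_default on tcp/21 in global_policy, so only the non-standard port 1056 is uniquely handled by the new class when it is listed after the default class.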