Understanding Modular Policy Framework

Posted by Petr Lapukhov, 4xCCIE/CCDE, in PIX/ASA Firewall, Apr 19 (2009)
Source: http://blog.ine.com/2009/04/19/understandingmodularpolicyframework/ (retrieved 11/22/2015)
17 Comments
Modular Policy Framework (MPF) configuration defines a set of rules for applying firewall features, such as traffic inspection, QoS and so on, to the traffic transiting the firewall. MPF has many similarities to the MQC (Modular QoS CLI) syntax found in Cisco IOS, but there are some major differences in the flow of operations, even though many commands look the same. The following post assumes a basic understanding of the ASA firewall and its configuration. It covers the basic logic of the MPF, but does not go over all firewall features in depth.
Traffic Flow through the Firewall

The ASA is a complicated piece of hardware and software, just like any stateful firewall. However, for the purpose of understanding the MPF it is enough to use the following simplified packet flow checklist:

1. See if the packet matches a flow in the connection table; if so, skip to (4). This means packets matching existing states bypass the ACL checks.
2. Find the egress interface; drop the packet if no egress interface can be found. Two options:
   1. The packet's destination address matches an existing XLATE state or a STATIC NAT statement. This is common when you use outside NAT. The egress interface is determined from the NAT entry.
   2. Perform a route lookup on the destination IP address to find the egress interface.
3. Match the input access list on the ingress interface. Use the destination IP address exactly as it appears in the arriving packet (the address the originator sees), not the real address that results from undoing the NAT.
4. Match the flow against the input QoS policy (interface or global policy, where the interface policy takes precedence).
5. Apply source NAT if no XLATE state exists and there is a matching NAT rule. Use the following order of operations:
   1. NAT exemption, configured using the command nat (interface) 0 access-list
   2. First matching STATIC NAT or static PAT, with static NAT taking precedence. If multiple entries match the packet, select the first one.
   3. Dynamic (policy) NAT entries configured using the command nat (interface) [ID] access-list
   4. Dynamic NAT entries configured using the command nat (interface) [ID] [network] [mask]. If [ID] = 0 then identity XLATEs are created.
6. Apply the egress QoS policy (output policing, interface or global).
7. Create or update the flow information.
8. Look up the egress interface in the routing table based on the destination IP. Find the next hop, which must be on the SAME interface the XLATE points to, if an XLATE/STATIC was used at step (2). This route need not be the LONGEST match in the whole routing table, just the best matching route out of the selected interface.
It is important to notice two things. Firstly, the addresses you use in the access lists are supposed to be pre-NAT addresses, in other words the addresses just as the packet originator sees them. (This reflects the pre-8.3 NAT model this post was written against; starting with ASA 8.3, access lists match the real, untranslated addresses instead.) Secondly, pay attention to the concept of XLATE-based routing that the ASA uses. This concept requires special attention.

What is the point of pinning an egress interface to a NAT entry? The reason is that if an XLATE entry exists, then most likely there are traffic flows using it. Therefore it is desirable to pin traffic to the same interface that was used for the XLATE creation; otherwise the traffic may match a different NAT rule and the connection will be broken. This is why the firewall attempts to find the egress interface using the XLATE first. However, what happens if the route has flapped and the untranslated (real) address is now reachable via a different interface? The firewall will still perform a route lookup using only the routes that are bound to the original interface and try to find a match. If a match is found, it is used to find the next hop and route the packet out. If not, the packet is dropped. Look at the following configuration sample:

static (outside,inside) 180.9.59.1 180.9.1.1
!
route outside 0.0.0.0 0.0.0.0 180.9.29.21
route DMZ 180.9.1.1 255.255.255.255 192.10.9.254

Here packets going from inside to outside toward the IP address 180.9.59.1 have their destination untranslated to the IP address 180.9.1.1. This IP is statically routed over the DMZ interface, but the firewall will only check the routes bound to the outside interface and will use the default route to send the packet to 180.9.1.1. In this situation, even though the specific static route is not correct, the NAT-bound egress interface decision allows the traffic to flow correctly.
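To make the egress-interface decision concrete, here is a small Python model of steps 2 and 8 of the checklist, fed with the configuration sample above. It is an added example, not code from the original post or from Cisco: the Route and StaticNat records, the flat route list and the egress() function are assumptions of this model, and the real firewall keeps far more state. It shows the two cases side by side: a destination pinned by a static NAT entry is routed only through routes bound to the NAT's interface, while an unpinned destination gets an ordinary longest-prefix lookup.

```python
"""Model of the ASA egress-interface decision (steps 2 and 8 of the checklist).
Added example; not code from the original post or from Cisco."""
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    next_hop: str


class StaticNat(NamedTuple):
    real_iface: str    # first interface in 'static (real,mapped)'
    mapped_iface: str  # interface on which the mapped address is seen
    mapped_ip: str     # destination address the packet originator sees
    real_ip: str       # destination after un-translation


def route(iface: str, prefix: str, mask: str, next_hop: str) -> Route:
    return Route(iface, ipaddress.IPv4Network(f"{prefix}/{mask}"), next_hop)


# Constructed from the post's sample configuration:
#   static (outside,inside) 180.9.59.1 180.9.1.1
#   route outside 0.0.0.0 0.0.0.0 180.9.29.21
#   route DMZ 180.9.1.1 255.255.255.255 192.10.9.254
STATICS = [StaticNat("outside", "inside", "180.9.59.1", "180.9.1.1")]
ROUTES = [
    route("outside", "0.0.0.0", "0.0.0.0", "180.9.29.21"),
    route("DMZ", "180.9.1.1", "255.255.255.255", "192.10.9.254"),
]


def best_route(dst: str, routes) -> Optional[Route]:
    """Longest-prefix match over the supplied subset of the routing table."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def egress(ingress_iface: str, dst_ip: str, statics=STATICS, routes=ROUTES
           ) -> Optional[Tuple[str, str, str]]:
    """Return (egress_iface, next_hop, real_dst), or None if the packet is dropped.

    Step 2: a static/xlate whose mapped address matches the destination pins the
    egress interface.  Step 8: when pinned, the next hop is taken only from routes
    bound to that interface, even if another interface holds a longer match."""
    for s in statics:
        if s.mapped_iface == ingress_iface and s.mapped_ip == dst_ip:
            pinned = best_route(s.real_ip, [r for r in routes if r.iface == s.real_iface])
            if pinned is None:
                return None  # no route out of the NAT-bound interface: drop
            return (s.real_iface, pinned.next_hop, s.real_ip)
    r = best_route(dst_ip, routes)  # no xlate/static: plain route lookup
    return None if r is None else (r.iface, r.next_hop, dst_ip)


if __name__ == "__main__":
    # Pinned by the static: leaves 'outside' via the default route, not via DMZ.
    print(egress("inside", "180.9.59.1"))
    # Sent straight to the real address: ordinary longest match picks DMZ.
    print(egress("inside", "180.9.1.1"))
```

The second call shows why the author calls the DMZ route "not correct": once the static pins the flow to outside, the more specific DMZ route is never consulted for it, and removing every outside-bound route would make egress() return None, the drop case in step 8.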
Traffic Classification

Every MPF rule has a scope, the subset of traffic that the rule applies to, and an action, the feature or set of features triggered by this rule. In the ASA firewall, L3/L4 class maps are used to specify the traffic for a rule. The following is the list of the most common classification criteria:

Access list. The most typical and very flexible criterion; it allows matching based on source/destination IP addresses, port numbers, protocols and so on, everything you can put in an ACL. Example:

access-list BGP permit tcp host 150.1.1.1 any eq bgp
access-list BGP permit tcp any eq bgp host 150.1.1.1
!
class-map BGP
 match access-list BGP

Port numbers/range. Without configuring an access list, you can specify TCP/UDP port numbers to be matched by the class map, such as follows:

class-map PORTS
 match port tcp range 100 200

Tunnel group name. Allows matching the traffic for a particular tunnel group in the firewall. The firewall will dynamically track the VPN tunnels created for this group and classify traffic accordingly.

class-map TUNNEL_GROUP
 match tunnel-group TEST

In addition to specifying the match tunnel-group criterion, you can also configure one additional match statement. You are allowed any additional criterion except match any, match access-list or match default-inspection-traffic. For example, the following configuration is supposed to match VoIP traffic within the VPN tunnel, provided that the VoIP packets are marked with a DSCP value of EF:

class-map VPN_VOICE
 match tunnel-group TEST
 match dscp ef

Per-flow classification criterion, configured using match flow ip destination-address. This one can be used only along with the match tunnel-group command. When configured, it tracks every VPN connection separately and applies the configured action per flow, not to all VPN traffic at the same time. This is particularly useful for Remote Access VPN connections, where multiple users connect to the firewall unit. Notice that when classifying based on tunnel group names you can apply the QoS policing feature only per flow. Example:

class-map VPN_FLOWS
 match tunnel-group TEST
 match flow ip destination-address

Matching the default inspection traffic. This is a special, intelligent type of classification used exclusively with the inspect action. It matches traffic on the default port numbers for ALL available inspection engines. For example, it will match FTP traffic on port 21, HTTP on port 80, DNS on port 53 and so on. As mentioned, the only supported feature with this classification type is traffic inspection.

Other classification criteria such as match dscp and match rtp. Those allow matching based on the DSCP value in the IP packet header and matching based on an RTP port range.

As you noticed, a typical class map supports only ONE match command. The only exception is the use of match tunnel-group along with some other match command.
Applying Features in Policy Maps

After you have defined the traffic classes, you may configure MPF rules using a regular policy map. We call them regular, as there are also special inspection policy maps, used to define inspection settings and parameters. Regular policy maps attach actions to L3/L4 classes using the following syntax:

policy-map <NAME>
 class <CLASS1>
  <feature1>
 class <CLASS2>
  <feature2>

The list of the applicable firewall features follows:

1. QoS input policing. Applies to traffic entering the firewall, enforces a traffic rate. Configured using the command police input under the policy map class.
2. TCP normalization. TCP and UDP connection limits and timeouts, and TCP sequence number randomization. Performs TCP connection modification and monitoring to enforce security settings. Configured using the command set connection and a preconfigured tcp-map with the advanced TCP parameters.
3. CSC (if installed). Content security.
4. Application inspection (multiple types). The core of the stateful firewall. Parses traffic streams and detects application protocols and their commands. Allows enforcing per-application security policies. The command to apply inspection is inspect {protocol-name}. Can be fine-tuned using inspection policy maps.
5. IPS (if installed). Intrusion prevention allows the firewall to work as an inline IPS.
6. QoS output policing. Applies to traffic leaving the firewall, enforces the specified rate. The command is police output.
7. QoS interface priority queue. Services traffic using the interface-level low-latency queue. Configured using the command priority. Cannot be applied along with the policing feature in the same class.
8. QoS traffic shaping, hierarchical priority queue. Mutually exclusive with any other interface-level QoS features. Traffic shaping can only be applied under class-default.

There could be a situation when a packet/flow matches multiple classes within the same policy map. For example, with the following configuration (class default-inspection-traffic refers to a class map that matches default-inspection-traffic, such as the built-in inspection_default):

class-map FTP
 match port tcp eq 21
!
access-list TCP permit tcp any any
!
class-map TCP
 match access-list TCP
!
policy-map EXAMPLE
 class default-inspection-traffic
  inspect ftp
 class FTP
  set connection conn-max 100
 class TCP
  set connection conn-max 200
  police input 150000

FTP packets would match all three classes at the same time. The question is: what action should the firewall apply to this flow? The rule of thumb to resolve conflicts in situations like that is as follows:

1. For a given feature type, the flow can match only one class, based on the order the classes are configured in the policy map. In our example, the TCP connection limits are set for classes FTP and TCP, both matched by the flow in question. Since FTP precedes TCP, the TCP connection limit is set based on the FTP class.
2. If the packet flow matches multiple classes with different feature types (e.g. QoS and inspection), then the feature actions from all classes are combined, provided that they are not conflicting. In our example, the FTP flow will be inspected, limited to 100 connections and policed on ingress to 150 Kbps.

The next question is: if multiple features are combined together, in what order are they applied to the flow? It does not depend on the order of the class maps within the policy map. The actions are applied in sequence, in the same order they are presented in the feature list above. In our example, the flow is first policed, then normalized and then inspected. Notice that some features may drop packets (such as policing) or modify the traffic contents (e.g. TCP normalization or inspection).
Levels and Directions

A policy map can be applied globally or per interface. There can be only one global policy map and one policy map applied per interface. The question is: how are those maps combined to build the resulting set of MPF rules? When traffic goes across the firewall, the system determines the ingress and egress interfaces for the flow based on the routing table and the xlate entries. The system then builds the list of classes matched by the flow based on the feature direction for every class configured under the policy maps. Here is the table from the DocCD:

Feature                                                   Interface-level direction   Global policy direction
Inspection                                                Bidirectional               Ingress
CSC                                                       Bidirectional               Ingress
IPS                                                       Bidirectional               Ingress
QoS input policing                                        Ingress                     Ingress
QoS output policing                                       Egress                      Egress
QoS interface-level PQ                                    Egress                      Egress
QoS shaping, hierarchical PQ                              Egress                      N/A
TCP normalization, connection limits, ISN randomization   Bidirectional               Ingress

How to read this table? Let's take the TCP normalization feature for example. Suppose it is configured at the interface level. Then, based on its bidirectional behavior, packets entering and leaving the interface will be subject to the normalization process, provided that they match the respective class map. Take another example. If you have configured FTP traffic inspection at the interface level like this:

access-list FTP_FROM_INSIDE permit tcp 10.0.0.0 255.255.255.0 any eq 21
!
class-map FTP_FROM_INSIDE
 match access-list FTP_FROM_INSIDE
!
policy-map INSPECTION
 class FTP_FROM_INSIDE
  set connection conn-max 100
  inspect ftp

then both features apply only to FTP traffic going from the inside network 10.0.0.0/24 to the outside on port 21. Traffic to the inside network on port 21 is neither inspected nor limited, even though the features are bidirectional, as it does not match the access list. To inspect traffic bidirectionally you need the access list:

access-list FTP_FROM_INSIDE permit tcp 10.0.0.0 255.255.255.0 any eq 21
access-list FTP_FROM_INSIDE permit tcp any 10.0.0.0 255.255.255.0 eq 21
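The same policy written out in full, with the policy map names and the service-policy statements that attach it at the interface level and globally. This is an added example and not configuration from the original post: the names FTP_BOTH_WAYS and INSPECTION, the global limit of 200 and the interface name inside are assumptions chosen to illustrate the direction table and the interface-over-global rule; global_policy is the name of the ASA's default global policy map.

```cisco
! Bidirectional FTP class: the ACL, not the policy direction, decides which
! sessions are covered (10.0.0.0/24 to port 21 and port 21 back to 10.0.0.0/24).
access-list FTP_BOTH_WAYS extended permit tcp 10.0.0.0 255.255.255.0 any eq 21
access-list FTP_BOTH_WAYS extended permit tcp any 10.0.0.0 255.255.255.0 eq 21
!
class-map FTP_BOTH_WAYS
 match access-list FTP_BOTH_WAYS
!
! Interface-level policy on 'inside'. Inspection and connection limits are
! bidirectional at interface level (see the table), so matching FTP entering
! and leaving 'inside' is inspected and capped at 100 connections.
policy-map INSPECTION
 class FTP_BOTH_WAYS
  set connection conn-max 100
  inspect ftp
!
! Global policy, applied on ingress at every interface, with a different limit.
! For FTP flows that match both policies the interface-level value (100) wins.
policy-map global_policy
 class FTP_BOTH_WAYS
  set connection conn-max 200
!
service-policy INSPECTION interface inside
service-policy global_policy global
```

Only one service-policy can be attached per interface and one globally, so any further classes for the inside interface have to go into INSPECTION rather than into a second policy map.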

OK, that looks reasonable enough. Now what should the firewall do if a packet/flow matches multiple classes in policy maps applied at different levels (i.e. interface and global)? Here is how the conflicts are resolved:

1. If a feature is defined both in the interface-level policy map and in the global policy map, and the flow matches both classes, the interface-level settings take precedence. For example, if the interface-level class map FTP sets the connection limit to 100 and the global policy sets the limit to 200, the resulting limit for FTP traffic is 100.
2. If the flow matches classes in the interface-level and global policy maps and the classes have different features configured (e.g. inspect and policing), then the actions are combined. The order in which the features are applied is per the list provided above.
3. If the flow matches classes on both the ingress and egress interfaces, the resulting effect depends on the type of traffic. Traffic classified statefully, such as TCP and UDP flows, and ICMP when ICMP inspection is enabled, triggers the same feature in different policy maps only once. For example, if the flow enters the firewall and triggers the inspection feature in the ingress interface-level policy map, the firewall will store this event in the state table. No further attempts to perform traffic inspection or normalization are made for this flow, even if it matches the egress interface policy. Moreover, the returning packets for the flow are not matched against the flow-aware features on ingress at the returning interface. This is a direct consequence of the firewall's stateful behavior. The list of flow-aware features includes: application inspection, CSC/IPS, TCP normalization and connection limiting.

What if the packet stream is not treated by the firewall as a single flow? For example, imagine a stream of ICMP packets when ICMP inspection is disabled. In this case, bidirectional features on the ingress and egress interfaces will apply twice. Moreover, the returning packets will also be subject to feature actions, such as IPS checks. This behavior is also true for any flow-unaware feature, such as QoS policing.
Feature Incompatibilities

As you remember, you can apply multiple actions under the same class. Some actions just can't go together. Here is the list of the limitations:

1. You can't combine policing and interface-level priority queuing for the same class.
2. You can't configure shaping in the global policy map.
3. You can only shape ALL traffic leaving the interface, i.e. you can only shape under class-default.
4. You cannot configure two inspect actions under the same class, except for the default inspection traffic class.

What if a traffic flow matches multiple classes and those classes define different protocol inspection actions? For example, what if the interface policy has two classes configured like the following (both class maps deliberately match port 21; this is the misconfiguration being illustrated):

class-map FTP
 match port tcp eq 21
class-map HTTP
 match port tcp eq 21
policy-map TEST
 class FTP
  inspect ftp
 class HTTP
  inspect http

Then the FTP flow will match both classes. However, one applies FTP inspection and the other HTTP inspection. To resolve such conflicts, the firewall uses the list of application priorities (from the DocCD):

1. CTIQBE
2. DNS
3. FTP
4. GTP
5. H323
6. HTTP
7. ICMP
8. ICMP error
9. ILS
10. MGCP
11. NetBIOS
12. PPTP
13. Sun RPC
14. RSH
15. RTSP
16. SIP
17. Skinny
18. SMTP
19. SNMP
20. SQL*Net
21. TFTP
22. XDMCP
23. DCERPC
24. Instant Messaging

Priority decreases down the list, with CTIQBE inspection having the highest priority. The inspection action with the higher priority is preferred in case of conflict. In the example described above, FTP is preferred over HTTP, and thus the traffic is inspected as FTP.
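The following Python resolver, added here as an example and not code from the original post or from Cisco, puts the rules of this page into one runnable model: the two conflict rules from "Applying Features in Policy Maps" (first matching class per feature type, distinct features combined), the interface-over-global precedence from "Levels and Directions", the inspection priority list just above, and the fixed order in which the selected actions are applied. The dict-shaped class maps and flows are an assumption of the model rather than ASA syntax; the policy maps are constructed from the post's own FTP/TCP and FTP/HTTP examples, with a global policy added to show level precedence.

```python
"""Model of MPF conflict resolution for one flow.  Added example; not code from the
original post or from Cisco.  Class maps are dicts of match criteria (an assumption
of this model), policy maps are ordered lists of (class_name, actions)."""

# Fixed order in which the selected feature actions are applied (feature list above).
FEATURE_ORDER = ["police input", "set connection", "csc", "inspect", "ips",
                 "police output", "priority", "shape"]

# Inspection priority list from the post (Cisco DocCD), highest priority first.
INSPECT_PRIORITY = ["ctiqbe", "dns", "ftp", "gtp", "h323", "http", "icmp", "icmp error",
                    "ils", "mgcp", "netbios", "pptp", "sunrpc", "rsh", "rtsp", "sip",
                    "skinny", "smtp", "snmp", "sqlnet", "tftp", "xdmcp", "dcerpc", "im"]


def matches(class_map, flow):
    """Every criterion in the class map must match the flow (single-match class maps)."""
    return all(flow.get(key) == value for key, value in class_map.items())


def resolve(policy_map, class_maps, flow):
    """Resolve one policy map against one flow.
    Returns [(feature, argument, class_name)] in application order."""
    chosen = {}        # feature -> (argument, class_name); first matching class wins
    inspections = []   # every inspect action the flow matched; conflict settled below
    for class_name, actions in policy_map:
        if not matches(class_maps[class_name], flow):
            continue
        for feature, argument in actions:
            if feature == "inspect":
                inspections.append((argument, class_name))
            else:
                chosen.setdefault(feature, (argument, class_name))
    if inspections:
        # Several classes may ask for different engines on the same flow (the FTP/HTTP
        # misconfiguration above); the engine highest in the priority list is applied.
        chosen["inspect"] = min(inspections, key=lambda ic: INSPECT_PRIORITY.index(ic[0]))
    return [(f, chosen[f][0], chosen[f][1]) for f in FEATURE_ORDER if f in chosen]


def resolve_levels(interface_pm, global_pm, class_maps, flow):
    """Interface-level and global policy together: per feature the interface-level
    setting wins, features present only in the global policy are added, and the
    combined set is still applied in FEATURE_ORDER.
    Returns [(feature, argument, class_name, level)]."""
    merged = {f: (arg, cls, "interface")
              for f, arg, cls in resolve(interface_pm, class_maps, flow)}
    for f, arg, cls in resolve(global_pm, class_maps, flow):
        merged.setdefault(f, (arg, cls, "global"))
    return [(f,) + merged[f] for f in FEATURE_ORDER if f in merged]


# Constructed from the post's examples.  'default-inspection-traffic' stands in for
# the class matching the default inspection ports; HTTP deliberately also matches 21.
CLASS_MAPS = {
    "default-inspection-traffic": {"default_inspection": True},
    "FTP":  {"dport": 21},
    "HTTP": {"dport": 21},
    "TCP":  {"proto": "tcp"},
}
INTERFACE_PM = [
    ("default-inspection-traffic", [("inspect", "ftp")]),
    ("FTP",  [("set connection", 100)]),
    ("TCP",  [("set connection", 200), ("police input", 150000)]),
    ("HTTP", [("inspect", "http")]),
]
# Global policy (an assumption for illustration): a competing limit plus a feature
# the interface-level policy does not have.
GLOBAL_PM = [("TCP", [("set connection", 300), ("police output", 64000)])]
FTP_FLOW = {"proto": "tcp", "dport": 21, "default_inspection": True}

if __name__ == "__main__":
    for action in resolve_levels(INTERFACE_PM, GLOBAL_PM, CLASS_MAPS, FTP_FLOW):
        print(action)
```

Running it for the FTP flow yields, in order, police input 150000 (class TCP), set connection 100 (class FTP, beating both the later TCP class and the global 300), inspect ftp (FTP outranks HTTP in the priority list) and police output 64000 (only present globally, so added). Swapping the FTP and TCP classes in INTERFACE_PM changes the connection limit to 200, which is the situation Robert asks about in the comments.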
Summary

As you can see, the ASA firewall implements sophisticated logic for traffic matching and feature application. This is the direct result of combining multiple features for the same set of traffic using the class-to-action syntax. Right now the semantics are not very transparent, and it might take time to understand a particular configuration. Here is the list of basic points about MPF:

1. Service policies can be applied globally or per interface.
2. A packet flow can match multiple classes.
3. If two or more classes specify the same feature, the firewall applies a deterministic procedure to resolve the conflict.
4. If the classes specify different features, they are combined, provided that the features can be used together.
5. Many firewall features are aware of stateful traffic flows.
6. The order in which the features are applied is fixed and does not depend on the order of the classes in the policy maps.

Tags: asa, firewall, mpf, overview

About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.

17 Responses to "Understanding Modular Policy Framework"

1. Mz says:
April 19, 2009 at 6:20 am

Thanks Petr,
I didn't know that the stateful firewall doesn't match twice for flow-aware features. Does it mean if we inspect http then the one that actually gets inspected is the initiator packet, not the responder packet? If we use it on IPS, is the return http traffic not inspected, or is it inspected using the previous initiator state?
Mz

Petr Lapukhov, CCIE #16379 says:
April 19, 2009 at 8:38 am

When you inspect a traffic flow, the inspection engine applies to the whole traffic stream, starting with the initial packet and the full subsequent exchange. As for the IPS feature example, for the flow-based traffic the IPS inspection will be associated with the flow. All returning packets will use the same virtual sensor as the original flow.

2. Lex says:
April 19, 2009 at 7:19 am

This is awesome. I like to see self-contained info. The new step with the vol 5 workbooks really sets you apart from the competition, with Narbik being the exception. I think every CCIE candidate is fortunate to have guys like you, young Brian and Narbik around.

3. Paul Stewart says:
April 19, 2009 at 12:11 pm

This is the best read anywhere on how MPF works. It seems like everywhere else you read about it, you are left asking "But what about...?" This article addresses everything.

4. Zeus says:
April 19, 2009 at 6:37 pm

Hi Petr,
Will you include it in your v3.0 Sec Workbook?
thanks

5. Robert says:
April 20, 2009 at 4:38 am

"The next question is: if the multiple features are combined together, what is the order they are applied to the flow? It does not depend on the order of the class map within the policy map. The actions are applied in sequence, in the same order they are presented in the list above. In our example, the flow is first policed, then normalized and then inspected. Notice that some features may drop packets (such as policing) or modify the traffic contents (e.g. TCP normalization or inspection)."

Which list above? I've seen a list in a CBT Nugget for SNAF:
1. TCP Processing (but not exactly described if policing or connection settings have a higher priority; when would the sequence number randomization take place?)
2. CSC
3. Application Inspection
4. IPS
5. QoS input policing
6. QoS output policing
7. QoS priority queuing

OK, let's see if I get the right order:
We have 2 statements for connection limits, but for FTP packets the statement "set connection conn-max 100" works, because the class FTP is above (in meaning of lines in the config) the TCP class?
So if I clear the policy map and then make something like:

policy-map
 class default-inspection-traffic
  inspect ftp
 class TCP
  set connection conn-max 200
  police input 150000
 class FTP
  set connection conn-max 100

the class FTP will never take action? An FTP packet would get policed to 150000 and could make 200 instead of 100 connections?

Conclusion:
If I have to check an MPF, I first have that feature list in mind and THEN check what type of packets (in which order the classes are configured) are matched.

Plz also name the policy maps and write out the service-policy statements, they are crucial for examples in the topic "Levels and Directions".

6. Paul Stewart says:
May 21, 2009 at 5:27 pm

Wow. I just stumbled on this. I too believe this is the best information anywhere describing how MPF classifies a flow and applies the features.

7. Tacack says:
November 29, 2009 at 7:37 pm

Great job Petr! Paul Stewart recommended this to me, and it's a great read. Thanks for putting up such articles! Looking forward to seeing more from INE!

8. Adrian says:
March 5, 2010 at 11:23 am

Many thanks for such an amazing explanation! You must have a V12 twin turbo as a brain, do you eat a lot?

9. Moe says:
May 6, 2010 at 6:17 am

This is the best tutorial for Cisco MPF in my opinion, even Cisco documentation doesn't include such an explanation.
Thank you.
Mohammad Tayseer

10. Ian says:
June 7, 2010 at 3:55 am

Great post, thank you.
11. Recurso de INE en "CCIE en castellano" (pingback) says:
December 8, 2010 at 3:38 pm

[...] Understanding ASA MPF [...]

12. Mad says:
January 24, 2011 at 12:36 pm

Awesome, I've never found an explanation like this one!!!
Very good and useful article, and the most important thing: it's for human beings XD
Thank you man!!!!!!

13. Aref says:
May 5, 2013 at 1:26 pm

Hi Petr,
What if in the policy map TEST in the Feature Incompatibilities section you do this:

class-map FTP
 match port tcp eq 222
class-map HTTP
 match port tcp eq 222
policy-map TEST
 class FTP
  inspect ftp
 class HTTP
  inspect http

How would the ASA deal with it?
Thanks
Aref
14. Aref says:
May 7, 2013 at 7:04 am

Hi guys, in the meanwhile I'm waiting for an answer from Petr, I went looking further in Cisco documentation about http and ftp inspection in the same policy map.
I've got some confusion, if you go to see Cisco's documentation in this link:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_cfg.pdf
at these pages:
641 (chapter 32-3)
642 (chapter 32-4)
643 (chapter 32-5)
On page 641 (chapter 32-3) they say:
"2. When the packet matches a class map for a feature type, the ASA does not attempt to match it to any subsequent class maps for that feature type.
3. If the packet matches a subsequent class map for a different feature type, however, then the ASA also applies the actions for the subsequent class map, if supported. See the 'Incompatibility of Certain Feature Actions' section on page 32-5 for more information about unsupported combinations."
On page 642 (chapter 32-4) they say:
"If a packet matches a class map for HTTP inspection, but also matches another class map that includes FTP inspection, then the second class map actions are not applied because HTTP and FTP inspections cannot be combined."
Instead on page 643 (chapter 32-5) they say:
"An example of a misconfiguration is if you configure multiple inspections in the same policy map and do not use the default-inspection-traffic shortcut. In Example 32-1, traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection. In Example 32-2, traffic destined to port 80 is mistakenly configured for both FTP and HTTP inspection. In both cases of misconfiguration examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of inspections applied."
See Example 32-1 and Example 32-2 on the same page.
I'm confused, can anyone explain it please?
Thanks
Aref

15. Blanche says:
May 16, 2013 at 9:08 pm

I love what you guys are usually up to. This sort of clever work and exposure! Keep up the awesome works guys, I've added you guys to blogroll.

16. Micah says:
June 21, 2013 at 4:25 pm

Hey! This post could not be written any better! Reading through this post reminds me of my old roommate! He always kept chatting about this. I will forward this article to him. Fairly certain he will have a good read. Thanks for sharing!

2011 INE, Inc., All Rights Reserved