
Advanced Protocol Handling

Lesson 10

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—10-1



Need for Advanced Protocol Handling

- Some popular protocols and applications behave as follows:
  - They negotiate connections to dynamically assigned source and destination ports and IP addresses.
  - They embed source and destination port and IP address information above the network layer, inside the application payload.
- A good security appliance has to inspect packets above the network layer and do the following as required by the protocol or application:
  - Securely open and close negotiated ports and IP addresses for legitimate client-server connections through the security appliance
  - Rewrite NAT-relevant instances of IP addresses inside a packet
  - Rewrite PAT-relevant instances of ports inside a packet
  - Inspect packets for signs of malicious application misuse


Application Inspection

Diagram: FTP without and with inspection. In both cases the client opens the control connection from its port 2008 to server port 21 and sends PORT 2010 on it. Without FTP inspection, the server's data connection from port 20 back to client port 2010 finds no return port open on the security appliance and is dropped. With FTP inspection, the security appliance reads the negotiated port from the control channel and opens the return port for the data connection.
Default Traffic Inspection and Port Numbers

asa1(config)# class-map inspection_default
asa1(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
    ctiqbe----tcp--2748       dns-------udp--53
    ftp-------tcp--21         gtp-------udp--2123,3386
    h323-h225-tcp--1720       h323-ras--udp--1718-1719
    http------tcp--80         icmp------icmp
    ils-------tcp--389        mgcp------udp--2427,2727
    netbios---udp--137-138    radius-acct---udp--1646
    rpc-------udp--111        rsh-------tcp--514
    rtsp------tcp--554        sip-------tcp--5060
    sip-------udp--5060       skinny----tcp--2000
    smtp------tcp--25         sqlnet----tcp--1521
    tftp------udp--69         xdmcp-----udp--177
  . . .


Default Protocol Inspection Policy

The default configuration ties together a class map (inspection_default), a policy map (global_policy), and a service policy (applied globally):

class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global


Delete Inspection for a Protocol

asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# no inspect tftp
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit

- Disables TFTP inspection for the default inspection class in the global policy


Configure Protocol Inspection on Nonstandard Port Number

Adds HTTP inspection for TCP port 8080 to the default policy map:

- Defines a class map to match the traffic flow identified by port number 8080
- Uses the policy map to associate the traffic flow, 8080, with a protocol inspection, inspect HTTP

asa1(config)# class-map 8080_INSPECT_TRAFFIC
asa1(config-cmap)# match port tcp eq 8080
asa1(config-cmap)# exit
asa1(config)# policy-map global_policy
asa1(config-pmap)# class 8080_INSPECT_TRAFFIC
asa1(config-pmap-c)# inspect http
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit

Class map names are case sensitive; the class command must use the name exactly as it was defined in the class-map command.
Inspection Class Maps and Inspection Policy Maps


Advanced Protocol Inspection

Advanced protocol inspection gives you options such as the following for defending against application layer attacks:

- Blocking *.exe attachments
- Prohibiting the use of Kazaa or other peer-to-peer file-sharing programs
- Setting limits on URL lengths
- Prohibiting file transfer or whiteboard as part of Instant Messenger sessions
- Protecting your web services by ensuring that XML schema is valid
- Resetting a TCP session if it contains a string you know is malicious
- Dropping sessions with packets that are out of order


Configuring Advanced Protocol Inspection

Use the following commands to configure advanced protocol inspection:

- (Optional) class-map type inspect (inspection class map): Used to match criteria that is specific to an application and to group multiple matches
- policy-map type inspect (inspection policy map): Used to define special actions for inspected application traffic
- class-map (Layer 3 and 4 class map): Used to identify Layer 3 and 4 traffic to which you want to apply actions
- policy-map (Layer 3 and 4 policy map): Used to apply actions to the Layer 3 and 4 traffic
- service-policy: Used to activate the Layer 3 and 4 policy map on an interface or globally


Inspection Class Maps

ciscoasa(config)#
class-map type inspect application [match-all] class_map_name

- Creates an inspection class map name and enters configuration mode for the inspection class map
- Enables you to define a class of through-traffic by matching traffic specific to an application

asa1(config)# class-map type inspect ?

configure mode commands/options:
  dns   Configure a class-map of type DNS
  ftp   Configure a class-map of type FTP
  h323  Configure a class-map of type H323
  http  Configure a class-map of type HTTP
  im    Configure a class-map of type IM
  sip   Configure a class-map of type SIP


Example: Inspection Class Maps

asa1(config)# class-map type inspect http POST_METHOD
asa1(config-cmap)# match ?

mpf-class-map mode commands/options:
  not       Negate this match result
  req-resp  Apply match to request and response
  request   Apply match to request
  response  Apply match to response

- Displays the match options available for an HTTP inspection class map

asa1(config)# class-map type inspect http POST_METHOD
asa1(config-cmap)# match request method post

- Creates an HTTP inspection class map that identifies requests using the POST method


Inspection Policy Maps

ciscoasa(config)#
policy-map type inspect application policy_map_name

- Creates an inspection policy map name and enters inspection policy map configuration mode
- Enables you to define special actions for inspected application traffic

asa1(config)# policy-map type inspect ?

configure mode commands/options:
  dcerpc             Configure a policy-map of type DCERPC
  dns                Configure a policy-map of type DNS
  esmtp              Configure a policy-map of type ESMTP
  ftp                Configure a policy-map of type FTP
  gtp                Configure a policy-map of type GTP
  h323               Configure a policy-map of type H.323
  http               Configure a policy-map of type HTTP
  im                 Configure a policy-map of type IM
  ipsec-pass-thru    Configure a policy-map of type IPSEC-PASS-THRU
  mgcp               Configure a policy-map of type MGCP
  netbios            Configure a policy-map of type NETBIOS
  radius-accounting  Configure a policy-map of type Radius Accounting
  sip                Configure a policy-map of type SIP
  skinny             Configure a policy-map of type Skinny


Example: Inspection Policy Maps

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  match        Specify policy criteria via inline match
  no           Negate or set default values of a command
  parameters   Specify this keyword to enter policy parameters.
  rename       Rename this policy-map
  <cr>

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class POST_METHOD
asa1(config-pmap-c)# drop-connection log

- Creates an inspection policy map, references the traffic defined in the POST_METHOD inspection class map, and assigns the drop-connection and log actions to traffic matching POST_METHOD


Example: Enabling and Activating an Inspection Policy Map

asa1(config)# class-map type inspect http POST_METHOD
asa1(config-cmap)# match request method post
asa1(config-cmap)# exit
asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class POST_METHOD
asa1(config-pmap-c)# drop-connection log
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit
asa1(config)# policy-map WEB_POLICY
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect http MY_HTTP_MAP
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit
asa1(config)# service-policy WEB_POLICY interface inside

- Creates an HTTP inspection policy that drops and logs any HTTP connection that attempts to use the POST request method

The inspect command applies the inspection policy map to a class of traffic within the Layer 3 and 4 policy map. Only one service policy can be applied to an interface, and for a given inspection an interface policy takes precedence over the global policy on that interface, so the HTTP inspection in WEB_POLICY replaces the global policy's HTTP inspection for traffic on the inside interface.


Modular Policy Flexibility

asa1(config)# class-map type inspect http POST_METHOD
asa1(config-cmap)# match request method post

- Creates an inspection class map that identifies HTTP requests using the POST method

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class POST_METHOD
asa1(config-pmap-c)# drop-connection log

- Uses an inspection class map to identify the traffic for the policy map

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# match request method post
asa1(config-pmap-c)# drop-connection log

- Uses the match command directly in the policy map to identify the same traffic, without a separate class map


Using Regular Expressions in Inspection Maps


Regular Expressions

- Some match commands allow you to identify text in a packet using a regular expression.
- A regular expression is characterized as follows:
  - Defined as a pattern to match against an input string
  - Enables you to permit, deny, or log any packet to create custom security checks
  - Matches a text string
    - Literally, as an exact string
    - By using metacharacters, which enable you to match multiple variants of a text string
- You can combine custom security checks for increased granular control.

ciscoasa(config)#
regex name regular_expression

- Creates a regular expression

asa1(config)# regex NEWCLIENT1 New_P2P_Client1
asa1(config)# regex NEWCLIENT2 New_P2P_Client2


Using Metacharacters

asa1(config)# regex ANYGIF ".+\.[Gg][Ii][Ff]"

Creates a regular expression that matches any file name with a .gif extension by using metacharacters as follows:

- . = Match any single character
- + = Match at least one of the previous expression, which in this case is any single character
- \ = Match the following character, which in this case is a dot, literally
- [Gg][Ii][Ff] = Match the string "gif" without case sensitivity

Match ANYGIF: file.gif

NOTE: This regular expression matches "file.gif". It does not match ".gif", because .+ requires at least one character before the dot. The match is a search: the pattern is not anchored to the start or end of the text unless you add ^ or $.
Testing a Regular Expression

ciscoasa#
test regex input_text regular_expression

- Tests a regular expression against a text string from privileged EXEC mode

asa1# test regex get "[Gg][Ee][Tt]"
INFO: Regular expression match succeeded.
asa1# test regex whatever "[Gg][Ee][Tt]"
INFO: Regular expression match failed.
asa1# test regex file.jpg ".+\.[Gg][Ii][Ff]"
INFO: Regular expression match failed.
asa1# test regex file.gif ".+\.[Gg][Ii][Ff]"
INFO: Regular expression match succeeded.
asa1# test regex .gif ".+\.[Gg][Ii][Ff]"
INFO: Regular expression match failed.


Grouping Regular Expressions

ciscoasa(config)#
class-map type regex match-any class-map-name

- Creates a name for a regular expression class map and enters configuration mode for the regular expression class map

asa1(config)# class-map type regex match-any NEW_P2P
asa1(config-cmap)# match regex NEWCLIENT1
asa1(config-cmap)# match regex NEWCLIENT2

- Creates a regular expression class map named NEW_P2P and groups regex NEWCLIENT1 and regex NEWCLIENT2 within it; the class map matches when any one of its regular expressions matches (for example, the text New_P2P_Client1)


Using Regular Expression Class Maps

asa1(config)# regex COMPANY_CONFIDENTIAL "[Cc][Oo][Nn][Ff][Ii][Dd][Ee][Nn][Tt][Ii][Aa][Ll]"
asa1(config)# regex CLASSIFIED "[Cc][Ll][Aa][Ss][Ss][Ii][Ff][Ii][Ee][Dd]"
asa1(config)# class-map type regex match-any CLASSIFIED_DOCUMENTS
asa1(config-cmap)# match regex COMPANY_CONFIDENTIAL
asa1(config-cmap)# match regex CLASSIFIED
. . .
asa1(config)# class-map type inspect http match-all CLASSIFIED_TRAFFIC
asa1(config-cmap)# match request header user-agent regex class CLASSIFIED_DOCUMENTS
asa1(config-cmap)# match request method post
. . .
asa1(config)# policy-map type inspect http CONFIDENTIAL_POLICY
asa1(config-pmap)# parameters
asa1(config-pmap-p)# class CLASSIFIED_TRAFFIC
asa1(config-pmap-c)# drop-connection log
. . .
asa1(config)# policy-map DOCUMENT_SECURITY
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect http CONFIDENTIAL_POLICY
. . .
asa1(config)# service-policy DOCUMENT_SECURITY interface inside

- Creates a policy that drops and logs any HTTP request whose User-Agent header contains a string from the CLASSIFIED_DOCUMENTS regular expression class map and that uses the POST request method. The regex class map is match-any (either string suffices), while the inspection class map is match-all (both the header match and the method match must be true).
FTP Inspection



FTP Inspection

- FTP uses two channels:
  - Command (control) connection (TCP)
  - Data connection (TCP)
- FTP inspection provides:
  - Address translation in the message
  - Dynamic creation of openings for FTP data connections
  - Stateful tracking of request and response messages
  - (Optional) FTP strict, which prevents web browsers from sending embedded commands in FTP requests
- Advanced FTP inspection:
  - Is added to the strict inspection functionality
  - Enables command filtering
  - Enables FTP connection blocking based on file type, server name, and other attributes
  - Enables blocking specific users from using FTP through the security appliance
  - Enables protocol conformance checking

Diagram: the client's control channel to the FTP server passes through the security appliance; without inspection, the server-initiated data connection finds no return port open and is dropped.


inspect ftp Command strict Option

- Prevents web browsers from sending embedded commands in FTP requests
- Enforces the following security appliance behavior:
  - Requiring an FTP command to be acknowledged before allowing a new command
  - Dropping connections that send embedded commands
  - Checking the 227 and PORT commands to ensure they do not appear in an error string
  - Tracking each FTP command and response sequence for certain anomalous activity, such as a PORT command sent by the server, a 227 reply sent by the client, or a negotiated data port in the reserved range below 1024

ciscoasa(config-pmap-c)#
inspect ftp [strict [map_name]]

asa1(config)# policy-map MY_MAP
asa1(config-pmap)# class MY_CLASS
asa1(config-pmap-c)# inspect ftp strict MY_FTP_MAP

- Enables strict FTP inspection for class MY_CLASS and applies the FTP inspection policy map MY_FTP_MAP (a policy-map type inspect ftp); the optional map name follows the strict keyword


Filtering Commands with Advanced FTP Inspection

- Blocks specific commands within FTP requests
- Can close the connection and generate a log message when an FTP command is filtered

asa1(config)# policy-map type inspect ftp MY_FTP_MAP
asa1(config-pmap)# match request-command ?

mpf-policy-map mode commands/options:
  appe  Append to a file
  cdup  Change to parent of current directory
  dele  Delete a file at server site
  get   FTP client command for the retr command - retrieve a file
  help  Help information from server
  mkd   Create a directory
  put   FTP client command for the stor command - store a file
  rmd   Remove a directory
  rnfr  Rename from
  rnto  Rename to
  site  Specify server specific command
  stou  Store a file with a unique name


Filtering Commands with Advanced FTP Inspection (Cont.)

asa1(config)# access-list 101 permit tcp any host 192.168.1.11 eq ftp
asa1(config)# policy-map type inspect ftp MY_FTP_MAP
asa1(config-pmap)# match request-command dele rnfr rnto appe put rmd
asa1(config-pmap-c)# reset
. . .
asa1(config)# class-map INBOUND_FTP_TRAFFIC
asa1(config-cmap)# match access-list 101
. . .
asa1(config)# policy-map INBOUND
asa1(config-pmap)# class INBOUND_FTP_TRAFFIC
asa1(config-pmap-c)# inspect ftp strict MY_FTP_MAP
. . .
asa1(config)# service-policy INBOUND interface outside

- Configures the policy map to reset any FTP connection to 192.168.1.11 that matches access list 101 and carries one of the commands listed in the match command (put is the client-side name for STOR, which is the command that appears on the wire)


Blocking File Names, File Types, Servers, and Usernames

- Blocks FTP connections based on file names, file types, servers, and usernames
- Matches regular expressions
- Can reset the connection and generate a log message when match conditions are met

asa1(config)# class-map type inspect ftp RESTRICTED_ACCESS
asa1(config-cmap)# match ?

mpf-class-map mode commands/options:
  filename         Match a filename for FTP transfer
  filetype         Match a filetype for FTP transfer
  not              Negate this match result
  request-command  Match a FTP request command
  server           Match a FTP server
  username         Match a FTP user

asa1(config)# class-map type inspect ftp RESTRICTED_ACCESS
asa1(config-cmap)# match filename ?

mpf-class-map mode commands/options:
  regex  Match a FTP filename via regular expression


Blocking File Names, File Types, Servers, and Usernames (Cont.)

Example: user Bob issues "ftp> put /root/filename" to the FTP server.

asa1(config)# regex FTP_USER "root"
asa1(config)# regex FTP_PATH "\/root"
asa1(config)# class-map FTP_TRAFFIC
asa1(config-cmap)# match port tcp eq ftp
. . .
asa1(config)# class-map type inspect ftp RESTRICTED_ACCESS
asa1(config-cmap)# match not username regex FTP_USER
asa1(config-cmap)# match filename regex FTP_PATH
. . .
asa1(config)# policy-map type inspect ftp MY_FTP_MAP
asa1(config-pmap)# class RESTRICTED_ACCESS
asa1(config-pmap-c)# reset log
. . .
asa1(config)# policy-map FTP_POLICY
asa1(config-pmap)# class FTP_TRAFFIC
asa1(config-pmap-c)# inspect ftp strict MY_FTP_MAP
. . .
asa1(config)# service-policy FTP_POLICY interface inside

- Resets and logs FTP transfers of files under /root by any user except "root" (the inspection class map is match-all, so both the username condition and the filename condition must be true). Because regex matches are unanchored searches, FTP_USER also matches user names such as "rootadmin"; anchor the pattern (for example "^root$") if that matters.
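An added example (Python, not Cisco code and not part of the course) that models what the FTP inspection engine does on the control channel across the preceding slides: parsing the client's PORT command to derive the opening the security appliance creates for the server's data connection (the port 2010 case from the Application Inspection diagram), rewriting the address embedded in the command for NAT, and evaluating the request-command filter and the RESTRICTED_ACCESS class map. The NAT mapping, the server address 192.168.1.11, and the command sequences are constructed sample data.

```python
"""Model of the control-channel work an FTP inspection engine does.
Added example for this lesson, not Cisco code. It parses the client's PORT
command to find the data port the server will connect back to (the opening
the appliance must create), rewrites the embedded address for NAT, and
applies the two FTP policies from the slides: the request-command filter and
the RESTRICTED_ACCESS username/filename class map. The NAT mapping and the
FTP sessions are constructed samples."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# 'match request-command dele rnfr rnto appe put rmd'. The ASA help text says
# 'put' is the client name for STOR, so STOR is what the filter sees on the wire.
FILTERED_COMMANDS = frozenset({"DELE", "RNFR", "RNTO", "APPE", "STOR", "RMD"})

# The regex objects from the slide. ASA regexes are unanchored searches.
FTP_USER = re.compile(r"root")
FTP_PATH = re.compile(r"\/root")


def parse_port(arg: str) -> tuple:
    """'h1,h2,h3,h4,p1,p2' -> (ip, port). Raises ValueError on anything the
    strict option would drop: wrong field count, bad values, port below 1024."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed PORT argument {arg!r}")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError(f"value out of range in PORT argument {arg!r}")
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        raise ValueError(f"negotiated data port {port} is in the reserved range")
    return ".".join(str(n) for n in nums[:4]), port


def format_port(ip: str, port: int) -> str:
    """Inverse of parse_port, used when the address inside the message is rewritten."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def restricted_access(user: Optional[str], path: str) -> bool:
    """class-map type inspect ftp RESTRICTED_ACCESS (match-all):
         match not username regex FTP_USER
         match filename regex FTP_PATH
    Unanchored, so a user called 'rootkit' is also treated as 'root'."""
    return not FTP_USER.search(user or "") and FTP_PATH.search(path) is not None


@dataclass
class Pinhole:
    src_ip: str       # the server, which opens the data connection from port 20
    dst_ip: str       # the client's address as the server sees it
    dst_port: int


@dataclass
class Session:
    server_ip: str
    nat: dict = field(default_factory=dict)     # private client IP -> public IP
    user: Optional[str] = None
    pinholes: list = field(default_factory=list)
    log: list = field(default_factory=list)


def inspect_command(sess: Session, line: str, filter_commands: bool = False) -> Optional[str]:
    """Inspect one client command line. Returns the line to forward to the
    server (rewritten if needed) or None when the connection is reset."""
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd == "USER":
        sess.user = arg
        return line
    if cmd == "PORT":
        try:
            client_ip, port = parse_port(arg)
        except ValueError as err:
            sess.log.append(f"reset: {err}")
            return None
        public_ip = sess.nat.get(client_ip, client_ip)
        # Opening for the server's data connection back to the client's port.
        sess.pinholes.append(Pinhole(sess.server_ip, public_ip, port))
        # Address translation inside the message: the server must be told the
        # translated address, not the private one.
        return f"PORT {format_port(public_ip, port)}"
    if filter_commands and cmd in FILTERED_COMMANDS:
        sess.log.append(f"reset: command {cmd} filtered")
        return None
    if cmd in ("RETR", "STOR", "APPE", "DELE") and restricted_access(sess.user, arg):
        sess.log.append(f"reset log: user {sess.user!r} touched {arg!r}")
        return None
    return line


def run_session(lines, server_ip="192.168.1.11", nat=None, filter_commands=False) -> Session:
    """Feed a constructed client command sequence through the inspector,
    stopping at the first reset."""
    sess = Session(server_ip=server_ip, nat=dict(nat or {}))
    for line in lines:
        if inspect_command(sess, line, filter_commands) is None:
            break
    return sess
```

The PORT parser is where the value of strict mode shows: a malformed or reserved-port PORT command is refused rather than turned into an opening through the appliance, which is exactly the class of bug an attacker probes with a browser-embedded FTP command.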


Masking the FTP Greeting Banner

What the client sees once the banner is masked:

Connected to 192.168.1.11
220 ***************************
User (192.168.1.11:(none)):

asa1(config)# policy-map type inspect ftp MY_FTP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  exit             Exit from MPF policy-map parameter configuration submode
  help             Help for MPF policy-map parameter submode commands
  mask-banner      Mask greeting banner from FTP server
  mask-syst-reply  Mask reply to syst command
  no               Negate or set default values of a command
  quit             Exit from MPF policy-map parameter configuration submode

asa1(config)# policy-map type inspect ftp MY_FTP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# mask-banner
...
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect ftp strict MY_FTP_MAP

- Masks the FTP greeting banner so that the server's software and version are not disclosed to clients
HTTP Inspection



HTTP Inspection

Diagram: HTTP traffic from the inside passes through the security appliance to the Internet and back.

- HTTP inspection includes the following:
  - URL screening through Websense or Secure Computing SmartFilter (formerly N2H2)*
  - Java and ActiveX filtering*
  - Advanced HTTP inspection
- Advanced HTTP inspection controls and filters HTTP messaging and traffic.

* URL screening, Java filtering, and ActiveX filtering are configured in conjunction with the filter command.


Advanced HTTP Inspection

- Granularly control IM, P2P, and tunneling applications by matching text found in the HTTP request message header.
- Defend against DoS attacks by configuring size and count limits on various elements within HTTP request and response messages.
- Defend against worms and viruses by blocking certain MIME types and verifying that the MIME type in the HTTP response message matches the accept field in the request message.
- Defend against worms by selectively blocking non-ASCII characters in HTTP request and response headers.
- Block attempts to bypass URI-based restrictions, and prevent attackers from exploiting web servers that ignore parameters after a NULL character, by blocking null HTTP encodings.
- Prevent attackers from exploiting vulnerabilities on your web server by controlling HTTP methods and extensions.
- Block a configurable list of URLs.
- Prevent attackers from fingerprinting your web server by configuring HTTP server header spoofing.
- Permit or deny and log any packet based on regular expressions.
- Combine custom security checks for increased granular control.


Advanced HTTP Inspection Match Conditions

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# match ?

mpf-policy-map mode commands/options:
  not       Negate this match result
  req-resp  Apply match to request and response
  request   Apply match to request
  response  Apply match to response

Applies a match condition to:

- req-resp:
  - content-type
- request:
  - args
  - body
  - header
  - method
  - uri
- response:
  - body
  - header
  - status-line


Block MIME Type Mismatch

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# match req-resp ?

mpf-policy-map mode commands/options:
  content-type  Match content-type in response to accept-types in request

Diagram: the request carries accept = audio/basic; the response from the Internet carries content-type = audio/x-wav, which is a mismatch.

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# match req-resp content-type mismatch
asa1(config-pmap-c)# drop-connection log
. . .
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect http MY_HTTP_MAP

- Drops and logs connections in which the content-type field in the HTTP response does not match the accept field in the corresponding HTTP request message


Control Tunneled, IM, and Peer-to-Peer Protocols with Regular Expressions

ciscoasa(config-pmap)#
match [not] request header {field | regex regex-name | non-ascii | length gt bytes | count gt number} {regex regex-name | regex class class-map-name | length gt bytes | count gt number}

- Matches text found in HTTP request message header fields
- Matches the count or length of the header or a specific header field
- Matches certain MIME types in the content-type field
- Matches non-ASCII characters in the HTTP headers
- Matches transfer encoding types or an empty transfer encoding field

asa1(config)# regex NEWP2P New_P2P
asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# match request header user-agent regex NEWP2P
asa1(config-pmap-c)# drop-connection log

- Uses a regular expression on the User-Agent header to block a new peer-to-peer (P2P) protocol

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.
Control Tunneled, IM, and Peer-to-Peer Protocols with Built-in Class Maps

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class _default_gator
asa1(config-pmap-c)# drop-connection log
. . .
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect http MY_HTTP_MAP

- Uses the built-in class map _default_gator to block the Gator peer-to-peer protocol


Limit the Size and Number of Headers and Header Fields

asa1(config)# class-map type inspect http match-all INVALID_HLEN
asa1(config-cmap)# match request header host length gt 5
. . .
asa1(config)# class-map type inspect http match-all INVALID_HCNT
asa1(config-cmap)# match request header host count gt 3
. . .
asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class INVALID_HLEN
asa1(config-pmap-c)# reset
. . .
asa1(config-pmap)# class INVALID_HCNT
asa1(config-pmap-c)# reset
. . .
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect http MY_HTTP_MAP

- Resets request messages that contain a host field longer than 5 bytes
- Resets request messages in which the host field appears more than three times

The values 5 and 3 are chosen to keep the example short; a real host field is almost always longer than 5 bytes, so size the limits to the longest legitimate values you expect to see.


Block Specific Request Methods and Extensions

ciscoasa(config-cmap)#
match [not] request method {method | regex {regex_name | class class_map_name}}

- Matches an HTTP request method or extension method (predefined or custom)
- Only one match request method command is allowed in an inspection class map
- Multiple match not request method commands are allowed in an inspection class map

asa1(config)# class-map type inspect http match-all METHOD_LIST
asa1(config-cmap)# match not request method get
asa1(config-cmap)# match not request method post
. . .
asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class METHOD_LIST
asa1(config-pmap-c)# reset log

- Resets any HTTP request whose method is neither GET nor POST (for example, PUT) and issues a syslog when such a request is detected

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.


Block User-Defined URLs

ciscoasa(config-pmap)#
match [not] request uri {length gt bytes | regex {regex-name | class class-map-name}}

- Matches text found in the HTTP request message URI (can match up to 100 URLs)
- Matches the length of the URI

asa1(config)# regex URL_ABC ".+abc\.com"
asa1(config)# regex URL_XYZ ".+xyz\.com"
asa1(config)# class-map type regex match-any RESTRICTED_URLS
asa1(config-cmap)# match regex URL_ABC
asa1(config-cmap)# match regex URL_XYZ
. . .
asa1(config)# class-map type inspect http match-all RESTRICTED_HTTP
asa1(config-cmap)# match request uri regex class RESTRICTED_URLS
asa1(config-cmap)# match request method propfind
. . .
asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# class RESTRICTED_HTTP
asa1(config-pmap-c)# reset log

- Resets and logs HTTP connection attempts that use the PROPFIND extension method against a URI containing abc.com or xyz.com, and allows all other URLs and methods

Two caveats: the regular expressions are unanchored, so URL_ABC also matches a URI containing, for example, notabc.com; and the request URI carries the host name only in absolute form (proxy-style requests). For an ordinary request such as PROPFIND /dav/ the host name is in the Host header, so a match request header host regex class RESTRICTED_URLS condition is needed to catch it.

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.
Block Message If Content Type in Header Does Not Match Content Type in Body

ciscoasa(config-pmap)#
match [not] response header {field | regex regex-name | non-ascii | length gt bytes | count gt number} {regex regex-name | regex class class-map-name | length gt bytes | count gt number}

- Matches text found in HTTP response message header fields
- Matches the size and number of response headers and header fields
- Matches certain MIME types in the content-type field
- Matches non-ASCII characters in the HTTP headers
- Matches transfer encoding types or an empty transfer encoding field

Diagram: a response message whose header declares one content-type while the first bytes of the body (its magic number) belong to another file type.

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# match response header content-type violation
asa1(config-pmap-c)# drop-connection

- Drops any connection in which the HTTP response message body starts with a magic number that does not correspond to the MIME type declared in the content-type header field

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.
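An added example (Python, not Cisco code and not part of the course) that models the HTTP checks from the preceding slides as one inspection map: the METHOD_LIST method restriction, the INVALID_HLEN and INVALID_HCNT host-field limits, the RESTRICTED_URLS plus PROPFIND class, the content-type mismatch against the request's Accept header, and the magic-number violation check. The request and response messages, the www.abc.com requests, and the magic-number table are constructed for the example; header parsing is deliberately simplified.

```python
"""Model of the HTTP inspection checks on these slides, run over constructed
request/response pairs. Added example for this lesson, not Cisco code.
A check is enabled only when its setting is given, mirroring a
'policy-map type inspect http' that contains only the classes you add to it.
Assumptions: simplified header parsing (no folding, no chunked bodies) and a
magic-number table limited to the media types listed in it."""
from __future__ import annotations
import re

# Leading bytes a body must carry to agree with its declared Content-Type.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}


def parse_message(raw: bytes):
    """Split a request or response into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    return [value for field, value in headers if field == name]


def media_type(content_type: str) -> str:
    return content_type.split(";")[0].strip().lower()


def accept_allows(accept: str, content_type: str) -> bool:
    """The question behind 'match req-resp content-type mismatch': is the
    response media type covered by the request's Accept list? Wildcards and
    q= parameters are handled; a missing Accept header accepts anything."""
    if not accept:
        return True
    ctype = media_type(content_type)
    for item in accept.split(","):
        wanted = media_type(item)
        if wanted in ("*/*", ctype) or (wanted.endswith("/*") and ctype.startswith(wanted[:-1])):
            return True
    return False


def magic_violation(content_type: str, body: bytes) -> bool:
    """'match response header content-type violation': the declared type has
    known signatures, but the body does not begin with any of them."""
    signatures = MAGIC.get(media_type(content_type))
    if not signatures or not body:
        return False
    return not any(body.startswith(sig) for sig in signatures)


class HttpInspectMap:
    def __init__(self, method_list=None, host_max_len=None, host_max_count=None,
                 restricted_uris=None, restricted_method="PROPFIND"):
        self.method_list = method_list          # METHOD_LIST: allowed methods
        self.host_max_len = host_max_len        # INVALID_HLEN: host length gt N
        self.host_max_count = host_max_count    # INVALID_HCNT: host count gt N
        self.restricted_uris = restricted_uris  # RESTRICTED_URLS regex class
        self.restricted_method = restricted_method

    def inspect(self, request: bytes, response: bytes = None) -> str:
        """Return the first action the map takes, or 'pass'."""
        start, req_headers, _ = parse_message(request)
        method, uri = start.split(" ")[:2]
        method = method.upper()
        if self.method_list is not None and method not in self.method_list:
            return "reset log (METHOD_LIST)"
        hosts = header_values(req_headers, "host")
        if self.host_max_len is not None and any(len(h) > self.host_max_len for h in hosts):
            return "reset (INVALID_HLEN)"
        if self.host_max_count is not None and len(hosts) > self.host_max_count:
            return "reset (INVALID_HCNT)"
        # RESTRICTED_HTTP is match-all: URI regex AND method. The request-target
        # contains the host name only in absolute form (proxy-style requests);
        # an origin-form target such as /dav/ carries it in the Host header.
        if (self.restricted_uris is not None and method == self.restricted_method
                and any(re.search(p, uri) for p in self.restricted_uris)):
            return "reset log (RESTRICTED_HTTP)"
        if response is None:
            return "pass"
        _, resp_headers, body = parse_message(response)
        ctype = (header_values(resp_headers, "content-type") or [""])[0]
        accept = (header_values(req_headers, "accept") or [""])[0]
        if ctype and not accept_allows(accept, ctype):
            return "drop-connection log (content-type mismatch)"
        if magic_violation(ctype, body):
            return "drop-connection (content-type violation)"
        return "pass"


# Constructed sample messages.
SAMPLES = {
    "put": b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_host": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "many_hosts": b"GET / HTTP/1.1\r\nHost: a\r\nHost: b\r\nHost: c\r\nHost: d\r\n\r\n",
    "propfind_abs": b"PROPFIND http://www.abc.com/dav/ HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
    "propfind_origin": b"PROPFIND /dav/ HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
    "gif_req": b"GET /logo HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/gif\r\n\r\n",
    "wav_resp": b"HTTP/1.1 200 OK\r\nContent-Type: audio/x-wav\r\n\r\nRIFF\x00\x00",
    "exe_as_gif": b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nMZ\x90\x00\x03",
    "real_gif": b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a\x01\x00",
}


def run_samples():
    """Apply the slide policies to the samples; returns {name: action}."""
    limits = HttpInspectMap(method_list=("GET", "POST"), host_max_len=5, host_max_count=3)
    dav = HttpInspectMap(restricted_uris=(r".+abc\.com", r".+xyz\.com"))
    types = HttpInspectMap()
    return {
        "put": limits.inspect(SAMPLES["put"]),
        "long_host": limits.inspect(SAMPLES["long_host"]),
        "many_hosts": limits.inspect(SAMPLES["many_hosts"]),
        "propfind_abs": dav.inspect(SAMPLES["propfind_abs"]),
        "propfind_origin": dav.inspect(SAMPLES["propfind_origin"]),
        "wav_for_gif": types.inspect(SAMPLES["gif_req"], SAMPLES["wav_resp"]),
        "exe_as_gif": types.inspect(SAMPLES["gif_req"], SAMPLES["exe_as_gif"]),
        "real_gif": types.inspect(SAMPLES["gif_req"], SAMPLES["real_gif"]),
    }
```

The propfind_origin sample shows the caveat from the Block User-Defined URLs slide: an origin-form request to the same server passes the URI regex, because the host name is in the Host header rather than in the request-target. The exe_as_gif sample shows why the magic-number check matters: a Windows executable served with an image Content-Type is exactly the kind of mislabelled payload the response-body check is meant to catch.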
HTTP Inspection Policy Map Parameters

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  body-match-maximum  The maximum number of characters to search in the message body. Using a large number will have a severe impact on performance.
  class               Policy criteria
  exit                Exit from MPF policy-map parameter configuration submode
  help                Help for MPF policy-map parameter submode commands
  match               Specify policy criteria via inline match
  no                  Negate or set default values of a command
  protocol-violation  Check for HTTP protocol violations
  quit                Exit from MPF policy-map parameter configuration submode
  spoof-server        Spoof server header field

- Define the maximum number of characters in the body of an HTTP message that should be searched in a body match
- Check for protocol violations
- Hide information about your web server
Prevent Web Server Fingerprinting by Masking the HTTP Banner

Diagram: the IIS web server answers with Server = IIS; after inspection, the client on the Internet sees Server = ServerX.

asa1(config)# policy-map type inspect http MY_HTTP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# spoof-server ServerX
. . .
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect http MY_HTTP_MAP

- Replaces the value of the HTTP Server response header with the string ServerX


Instant Messaging Application Inspection


IM Inspection Overview

Diagram: IM traffic passes through the security appliance to the Internet.

- Increase employee productivity, prevent leakage of confidential data, and decrease the risk of worm propagation
- Apply fine-grained controls to the MSN Messenger and Yahoo Messenger applications
- Control IM applications on the native IM ports


IM Inspection

asa1(config)# policy-map type inspect im MY_IM_MAP
asa1(config-pmap)# match ?

mpf-policy-map mode commands/options:
  filename         Match filename from IM file transfer service
  ip-address       Match client IP address for IM application or service
  login-name       Match client login-name from IM service
  not              Negate this match result
  peer-ip-address  Match peer (client or server) IP address for IM application or service
  peer-login-name  Match client peer login name from IM service
  protocol         Match an Instant Messenger Protocol
  service          Match an Instant Messenger Service
  version          Match version from IM file transfer service

- Block the IM application as a whole
- Block a specific IM service
- Block IM based on source or destination IP address
- Block IM based on version, login names, or file names you specify via regular expressions
- Use multiple match conditions to create complex custom policies


Block a Specific IM

ciscoasa(config-pmap)#
match [not] protocol {msn-im | yahoo-im}

• Specifies MSN Messenger traffic or Yahoo Messenger traffic as a match condition

Diagram: Yahoo Messenger traffic from the inside is reset by the security appliance before it reaches the Internet.

asa1(config)# policy-map type inspect im MY_IM_MAP
asa1(config-pmap)# match protocol msn-im yahoo-im
asa1(config-pmap-c)# reset log

• Resets the connection and generates a log message upon matching MSN Messenger or Yahoo Messenger traffic

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Block IM Based on IP Address

ciscoasa(config-pmap)#
match [not] ip-address ip-address netmask

• Matches the client (source) IP address of the IM message

Diagram: Yahoo Messenger traffic from 10.1.1.0/24 is allowed out to the Internet; Yahoo Messenger traffic from 10.0.1.0/24 is reset.

asa1(config)# class-map type inspect im match-all IM_CLASS_MAP
asa1(config-cmap)# match protocol yahoo-im
asa1(config-cmap)# match ip-address 10.0.1.0 255.255.255.0
. . .
asa1(config)# policy-map type inspect im MY_IM_MAP
asa1(config-pmap)# class IM_CLASS_MAP
asa1(config-pmap-c)# reset

• Resets Yahoo Messenger connections whose source address is in 10.0.1.0/24

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Block Specific IM Services

ciscoasa(config-cmap)#
match [not] service service [service]

• Matches a specific IM service

Diagram: Yahoo chat, MSN chat, and MSN game sessions from the inside are reset before they reach the Internet.

asa1(config)# class-map type inspect im match-all IM_CLASS_MAP
asa1(config-cmap)# match protocol msn-im yahoo-im
asa1(config-cmap)# match service chat conference games
. . .
asa1(config)# policy-map type inspect im MY_IM_MAP
asa1(config-pmap)# class IM_CLASS_MAP
asa1(config-pmap-c)# reset

• Resets MSN Messenger and Yahoo Messenger chat, conference, and game connections

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

ESMTP Inspection

ESMTP Inspection

Diagram: a client on the Internet sends an inbound SMTP command through the security appliance to the mail server.

• ESMTP inspection:
  – Allows only the seven minimum SMTP commands: data, helo, mail, noop, quit, rcpt, and rset (RFC 821)
  – Adds support for eight extended SMTP commands: auth, ehlo, etrn, help, saml, send, soml, and vrfy
  – Defines the ports on which to activate ESMTP inspection (default = 25)
• If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed

Advanced ESMTP Inspection Overview

• Prevent DoS attacks by rate limiting ESMTP commands
• Prevent buffer overflow attacks by doing the following:
  – Blocking messages based on body length and line length
  – Blocking messages based on header length
  – Limiting the number of characters in a MIME file name
  – Limiting the length of command lines
  – Limiting the length of the sender address
• Block spam by doing the following:
  – Limiting the number of RCPT TO commands
  – Limiting the number of To fields in the message header
  – Blocking specific MIME encoding types
  – Blocking mail relay
• Block infected file attachments by denying messages with specific attachment names and file types (the match is on the declared MIME file name and type, not on the attachment content, so a renamed attachment is not caught)
• Block messages from specific senders or domains
• Prevent directory harvest attacks by configuring an invalid recipient threshold
• Hide SMTP server information by blocking or masking certain EHLO reply parameters

Advanced ESMTP Inspection

asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# match ?

mpf-policy-map mode commands/options:
  body                  Match related to the body of the mail message
  cmd                   Match related to the commands exchanged in the ESMTP transaction
  ehlo-reply-parameter  Match an ESMTP ehlo reply parameter
  header                Match related to the header of the mail message
  invalid-recipients    Match invalid recipient address
  mime                  Match related to the MIME header
  not                   Negate this match result
  sender-address        Match related to the sender e-mail address

asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  . . .
  mail-relay    ESMTP mail relay
  mask-banner   Obfuscate server banner
  . . .

Prevent Buffer Overflows by Setting a Maximum Message Size

ciscoasa(config-pmap)#
match [not] body {length | line length} gt characters

• Configures a match condition related to the body of an e-mail message

Diagram: a client on the Internet sends a message whose body length exceeds 32,000 characters to the mail server; the security appliance drops it.

asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# match body length gt 32000
asa1(config-pmap-c)# drop-connection log

• Drops the connection carrying any message whose body is longer than 32,000 characters and generates a log message

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Prevent DoS Attacks with Command Rate Limiting

ciscoasa(config-pmap)#
match [not] cmd {RCPT count gt recipients-number | line length gt characters | verb verb [verb]}

• Configures a match condition related to the commands exchanged in an ESMTP transaction

Diagram: a client on the Internet sends ETRN commands to the mail server; the security appliance lets through 10 per second.

asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# match cmd verb etrn
asa1(config-pmap-c)# rate-limit 10

• Limits the number of ETRN commands to the server to 10 per second

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Block Spam by Blocking Specific MIME Encoding Types

ciscoasa(config-pmap)#
match [not] mime {encoding encoding-type | filename length gt character-count | filetype regex {regular-expression | class class-map-name}}

• Configures a match condition on the ESMTP MIME encoding type, MIME file name length, or MIME file type

Diagram: a message with MIME encoding quoted-printable is forwarded to the mail server and logged; a message with any other MIME encoding is dropped.

asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# match mime encoding quoted-printable
asa1(config-pmap-c)# log
. . .
asa1(config-pmap)# match mime encoding other
asa1(config-pmap-c)# drop-connection

• Logs messages with quoted-printable encoding and drops the connection for messages whose encoding is not one of the recognized types ("other")

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Block Malicious Senders or Domains

ciscoasa(config-pmap)#
match [not] sender-address {length gt character-count | regex {regular-expression | class class-map-name}}

• Configures a match condition on the ESMTP sender e-mail address

Diagram: a client on the Internet sends mail with sender joe@abc.com, and another with a sender in domain xyz.com; both are blocked before reaching the mail server.

asa1(config)# regex SENDER1 joe@abc\.com
asa1(config)# regex SENDER2 @xyz\.com
asa1(config)# class-map type regex match-any BAD_SENDERS
asa1(config-cmap)# match regex SENDER1
asa1(config-cmap)# match regex SENDER2
. . .
asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# match sender-address regex class BAD_SENDERS
asa1(config-pmap-c)# drop-connection

• Blocks any sender whose e-mail address is joe@abc.com or whose domain is xyz.com

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

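The following is an added example, not code from the course or from Cisco: a command-level model of the ESMTP checks described on the Advanced ESMTP Inspection Overview slide and the body-length, RCPT-count, command-line-length and sender-address match slides above. The allowed-verb list is the one on the ESMTP Inspection slide; the numeric limits, the transcripts and the regex class are constructed for the example (the 32000 body limit and the BAD_SENDERS regexes mirror the slides). Rate limiting and MIME checks are not modeled.

```python
"""Constructed ESMTP command-policy model of ASA ESMTP inspection."""
import re

# RFC 821 minimum command set plus the eight extended commands that
# ESMTP inspection recognizes (from the ESMTP Inspection slide).
MINIMUM_VERBS = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
EXTENDED_VERBS = {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "VRFY"}
ALLOWED_VERBS = MINIMUM_VERBS | EXTENDED_VERBS

# Assumed policy values; each mirrors one "match ..." condition.
MAX_RCPT = 3              # match cmd RCPT count gt 3
MAX_CMD_LINE_LEN = 512    # match cmd line length gt 512
MAX_BODY_LEN = 32000      # match body length gt 32000
MAX_BODY_LINE_LEN = 998   # match body line length gt 998
BAD_SENDERS = [re.compile(r"joe@abc\.com"),   # regex SENDER1
               re.compile(r"@xyz\.com")]      # regex SENDER2

MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*<?([^>\s]*)>?", re.IGNORECASE)


def inspect_transaction(lines):
    """Return (action, reason) for one client-to-server line stream.

    action is "permit" or "drop-connection"; as on the appliance, the
    first violation ends the inspection.
    """
    rcpt_count = 0
    body_len = 0
    in_body = False
    for line in lines:
        if in_body:
            if line == ".":                     # end of DATA
                in_body = False
                body_len = 0
                continue
            if len(line) > MAX_BODY_LINE_LEN:
                return "drop-connection", "body line length gt %d" % MAX_BODY_LINE_LEN
            body_len += len(line) + 2           # count the CRLF
            if body_len > MAX_BODY_LEN:
                return "drop-connection", "body length gt %d" % MAX_BODY_LEN
            continue
        if len(line) > MAX_CMD_LINE_LEN:
            return "drop-connection", "cmd line length gt %d" % MAX_CMD_LINE_LEN
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb not in ALLOWED_VERBS:
            return "drop-connection", "verb %s not in allowed set" % verb
        if verb == "MAIL":
            m = MAIL_FROM.match(line)
            sender = m.group(1) if m else ""
            if any(r.search(sender) for r in BAD_SENDERS):
                return "drop-connection", "sender-address matches BAD_SENDERS"
        elif verb == "RCPT":
            rcpt_count += 1
            if rcpt_count > MAX_RCPT:
                return "drop-connection", "cmd RCPT count gt %d" % MAX_RCPT
        elif verb == "DATA":
            in_body = True
        elif verb == "RSET":
            rcpt_count = 0                      # a new transaction starts
    return "permit", "ok"


# Constructed client-side transcripts.
CLEAN = ["EHLO mail.example.net", "MAIL FROM:<alice@example.net>",
         "RCPT TO:<bob@example.com>", "DATA", "Subject: status", "",
         "all systems nominal", ".", "QUIT"]
FANOUT = ["EHLO mail.example.net", "MAIL FROM:<alice@example.net>"] + \
         ["RCPT TO:<user%d@example.com>" % i for i in range(4)]
BAD_SENDER = ["EHLO mail.example.net", "MAIL FROM:<joe@abc.com>"]
ODD_VERB = ["EHLO mail.example.net", "TURN"]
HUGE_BODY = CLEAN[:4] + ["x" * 200] * 200 + ["."]

if __name__ == "__main__":
    for name, t in [("CLEAN", CLEAN), ("FANOUT", FANOUT), ("BAD_SENDER", BAD_SENDER),
                    ("ODD_VERB", ODD_VERB), ("HUGE_BODY", HUGE_BODY)]:
        print(name, inspect_transaction(t))
```

Note that the checks are purely syntactic: a sender address is whatever the client claims in MAIL FROM, so the regex class blocks a known-bad string, not a forged one, and the RCPT count resets at RSET just as a new transaction would on the server.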
DNS Inspection

DNS Inspection

Diagram: a client (source port 1050) sends a request to the DNS server (port 53) and receives one response.

Monitors all UDP transactions on port 53:
• Tracks the DNS request ID and opens a connection slot
• Closes the connection slot immediately after the answer is received, so the UDP pinhole does not stay open for the UDP idle timeout and cannot be used to deliver further "responses"
• Translates the DNS A record
  – Before release 6.2: alias command
  – Release 6.2 and later: DNS record translation
• Reassembles the DNS packet to verify its length (default maximum = 512 bytes)

DNS Record Translation

Topology: the web client (10.0.0.5) and the web server cisco.com (10.0.0.10) are on the inside network 10.0.0.0/24 (security appliance inside interface .1); the outside interface is .1 on 192.168.0.0/24, the router to the backbone is .2, and the DNS server is 172.26.26.50 on 172.26.26.0/24. The translation table maps 10.0.0.5 (host) to 192.168.0.20 and 10.0.0.10 (web server) to 192.168.0.17.

1. The web client opens http://cisco.com and must resolve the name.
2. The query "Who is cisco.com?" leaves the client with source 10.0.0.5; the security appliance translates the source to 192.168.0.20 and forwards it to 172.26.26.50.
3. The DNS server answers cisco.com = 192.168.0.17 (source 172.26.26.50, destination 192.168.0.20).
4. The security appliance untranslates the destination to 10.0.0.5 and, because the static translation carries the dns keyword, rewrites the A record in the reply from 192.168.0.17 to 10.0.0.10, so the inside client connects to the web server by its local address rather than to a global address it cannot reach from the inside.

asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0 dns
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
asa1(config)# static (inside,outside) 192.168.0.17 10.0.0.10 dns
asa1(config)# access-list ALL permit tcp any host 192.168.0.17 eq www
asa1(config)# access-group ALL in interface outside

Advanced DNS Inspection

• Block certain DNS types
• Mask flags in the DNS header
• Limit the domains that can be queried
• Randomize the DNS identifier in the DNS query
• Generate alerts for an excessive number of mismatched DNS responses
• Require a TSIG in every DNS message
• Disable DNS Guard for specific traffic
• Dynamically adjust the maximum permissible DNS message length

Prevent DNS Cache Poisoning

asa1(config)# regex DOMAIN1 example2\.com
asa1(config)# regex DOMAIN2 sample2\.com
asa1(config)# class-map type regex match-any PERMITTED_DOMAINS
asa1(config-cmap)# match regex DOMAIN1
asa1(config-cmap)# match regex DOMAIN2
. . .
asa1(config)# class-map type inspect dns match-all BLOCKED_TRAFFIC
asa1(config-cmap)# match not header-flag QR
asa1(config-cmap)# match question
asa1(config-cmap)# match not domain-name regex class PERMITTED_DOMAINS
. . .
asa1(config)# policy-map type inspect dns MY_DNS_MAP
asa1(config-pmap)# class BLOCKED_TRAFFIC
asa1(config-pmap-c)# drop log
. . .
asa1(config-pmap)# match header-flag RD
asa1(config-pmap-c)# mask log

• Drops and logs DNS queries (QR bit clear, question section present) whose domain name does not match the PERMITTED_DOMAINS class
• Masks the RD bit in the DNS header so the server is not asked to send recursive queries on behalf of the requester
• Limits the domains that can be queried to example2.com and sample2.com

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

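The following is an added example, not code from the course or from Cisco: a small DNS message model covering both the DNS Record Translation slide (the dns keyword on the static translation) and the policy map on the Prevent DNS Cache Poisoning slide above. Messages are constructed with build_query() and build_a_response(); the PERMITTED_DOMAINS regexes and the 192.168.0.17 to 10.0.0.10 mapping are the slides' values, and the message layout follows RFC 1035.

```python
"""Constructed DNS model: domain/flag policy plus A-record translation."""
import re
import struct

# regex DOMAIN1 / DOMAIN2 exactly as on the slide (note: unanchored).
PERMITTED_DOMAINS = [re.compile(r"example2\.com"), re.compile(r"sample2\.com")]
# static (inside,outside) 192.168.0.17 10.0.0.10 dns: global -> local
DNS_DOCTORING = {"192.168.0.17": "10.0.0.10"}

QR, RD = 0x8000, 0x0100      # header flag bits


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def header_flags(msg):
    return struct.unpack("!H", msg[2:4])[0]


def build_query(qname, ident=0x1234, rd=True):
    hdr = struct.pack("!HHHHHH", ident, RD if rd else 0, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1)    # type A, class IN


def build_a_response(qname, ip, ident=0x1234):
    hdr = struct.pack("!HHHHHH", ident, QR | RD | 0x0080, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)       # name ptr, A, IN, TTL, rdlen
          + bytes(int(x) for x in ip.split(".")))
    return hdr + question + rr


def inspect_message(msg):
    """Model of MY_DNS_MAP: drop queries for non-permitted domains
    (class BLOCKED_TRAFFIC), then mask the RD bit on whatever remains."""
    _, flags, qd, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR and qd:                    # match not header-flag QR + match question
        qname, _ = decode_name(msg, 12)
        if not any(r.search(qname) for r in PERMITTED_DOMAINS):
            return "drop", None
    if flags & RD:                               # match header-flag RD -> mask
        return "mask", msg[:2] + struct.pack("!H", flags & ~RD) + msg[4:]
    return "permit", msg


def a_records(msg):
    """Return [(rdata offset, ip)] for every A record in the message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, found = 12, []
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                 # qtype, qclass
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append((off, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return found


def translate_a_records(msg):
    """DNS record translation: rewrite A-record RDATA per DNS_DOCTORING."""
    out = bytearray(msg)
    for off, ip in a_records(msg):
        if ip in DNS_DOCTORING:
            out[off:off + 4] = bytes(int(x) for x in DNS_DOCTORING[ip].split("."))
    return bytes(out)
```

One check worth running against the slide's own regexes: because example2\.com is unanchored, a query for example2.com.evil.net also matches PERMITTED_DOMAINS and is not dropped; anchoring the pattern (for example example2\.com$) closes that gap.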
Protocol Application Inspection

ICMP Inspection

Diagram: Insidehost sends an echo request to 172.26.26.50 and receives one echo reply:

ICMP echo request (len 32 id 512 seq 26624) Insidehost > 172.26.26.50
ICMP echo reply (len 32 id 512 seq 26624) 172.26.26.50 > Insidehost

The purpose of ICMP inspection is to allow replies only when they match a request.
• Source, destination, ICMP type, identification number, sequence number
• One request, one reply

SNMP Inspection

Diagram: an SNMP-managed device (.19) on the Internet sends traps to 10.0.0.11 on the inside; an SNMP manager at 10.0.0.3 using SNMP v1 is denied by the security appliance.

• snmp-map: To deny a specific version of SNMP
• inspect snmp: To enable SNMP application inspection

asa1(config)# snmp-map SNMP_DENY_V1
asa1(config-snmp-map)# deny version 1
. . .
asa1(config)# policy-map global_policy
asa1(config-pmap)# class class-default
asa1(config-pmap-c)# inspect snmp SNMP_DENY_V1
. . .
asa1(config)# service-policy global_policy global

• Denying a version only filters on the version field; the inspection does not validate community strings, and SNMP v1 and v2c carry the community string in cleartext as their sole authentication, so also restrict SNMP sources with access lists

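The following is an added example, not code from the course or from Cisco: a minimal BER decoder that extracts the version (and, for v1 and v2c, the community string) from an SNMP message and applies a deny-version list like the snmp-map on the SNMP Inspection slide above. The sample GetRequest messages are constructed inline; the version encoding (0 = v1, 1 = v2c, 3 = v3) is the standard wire encoding.

```python
"""Constructed SNMP version filter modeled on snmp-map ... deny version."""

# SNMP message: SEQUENCE { INTEGER version, OCTET STRING community, PDU }
# (v3 replaces the community with msgGlobalData).
VERSION_NAMES = {0: "1", 1: "2c", 3: "3"}
DENY_VERSIONS = {"1"}          # snmp-map SNMP_DENY_V1 / deny version 1


def read_tlv(buf, off):
    """Decode one BER TLV at buf[off]; return (tag, value, next offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def snmp_version(msg):
    """Return (version name, community or None); raise on malformed input."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message is not a SEQUENCE")
    vtag, vval, off = read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("version is not an INTEGER")
    version = int.from_bytes(vval, "big")
    if version not in VERSION_NAMES:
        raise ValueError("unknown SNMP version %d" % version)
    if version == 3:
        return "3", None                     # no community string in v3
    ctag, cval, _ = read_tlv(body, off)
    if ctag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return VERSION_NAMES[version], cval.decode("ascii", "replace")


def inspect_snmp(msg, deny=DENY_VERSIONS):
    """Return "drop" for denied versions or malformed messages, else "permit"."""
    try:
        version, _ = snmp_version(msg)
    except (ValueError, IndexError):
        return "drop"
    return "drop" if version in deny else "permit"


def build_v1_or_v2c(version, community=b"public"):
    """Construct a GetRequest for sysDescr.0 with the given version byte."""
    # varbind list: SEQUENCE { SEQUENCE { OID 1.3.6.1.2.1.1.1.0, NULL } }
    varbind = b"\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00\x05\x00"
    pdu_body = (b"\x02\x01\x01" + b"\x02\x01\x00" + b"\x02\x01\x00"   # request-id, error, index
                + b"\x30" + bytes([len(varbind)]) + varbind)
    pdu = b"\xa0" + bytes([len(pdu_body)]) + pdu_body                # GetRequest-PDU
    body = (b"\x02\x01" + bytes([version]) + b"\x04" + bytes([len(community)])
            + community + pdu)
    return b"\x30" + bytes([len(body)]) + body
```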
Remote Shell Inspection

• The RSH protocol uses two channels:
  – Client-initiated command connection (TCP)
  – Server-initiated standard error connection (TCP)
• For outbound connections, the security appliance opens an inbound port for standard error output.
• For inbound connections, if an RSH ACL exists, the security appliance handles RSH as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens the outbound port for standard error output.

Diagram (outbound): the inside client sends the connection request from port 2008 to server port 514 and announces "Port 2010 OK"; the server then connects from its port 1490 to client port 2010 for standard error output, and the security appliance opens that inbound port.
Diagram (inbound): the same exchange with the client on the outside and the server (port 514) on the inside; the standard error channel from server port 1490 to client port 2010 is opened outbound as described above.

SQL*Net Inspection

• Initially, the client connects to a well-known port on the server.
  – Oracle uses port 1521.
  – IANA-compliant applications use port 66.
• The server may assign another port or another host to serve the client.
• For outbound connections, the security appliance handles SQL*Net connections as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens an outbound port for a redirected channel.
• For inbound connections, if an ACL exists, the security appliance opens an inbound port for a redirected channel.

Diagram (outbound and inbound): the client (port 2008) sends a TCP connection request to server port 1521; the server answers "Redirect Port = 1030"; the original connection is torn down, and the client sends a new TCP connection request to port 1030, for which the security appliance opens the redirected channel.

Advanced NetBIOS Inspection

ciscoasa(config-pmap-p)#
protocol-violation action [drop | log]

• Configures the security appliance to enforce RFC compliance by checking structure and data types

asa1(config)# policy-map type inspect netbios MY_NETBIOS_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  exit                Exit from MPF policy-map parameter configuration submode
  help                Help for MPF policy-map parameter submode commands
  no                  Negate or set default values of a command
  protocol-violation  Define actions on protocol violation
  quit                Exit from MPF policy-map parameter configuration submode

Advanced DCE/RPC Inspection

asa1(config)# policy-map type inspect dcerpc MY_DCERPC_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  endpoint-mapper  Configure endpoint-mapper options
  . . .
  timeout          Configure a timeout

Diagram: the client asks the endpoint mapper (destination port 135) "IP and port for app A?" and is told "App A, port X"; the security appliance verifies conformance of the exchange, opens a pinhole for destination port X, translates the embedded address and port, and closes the pinhole after 2 seconds if the client has not connected.

asa1(config)# policy-map type inspect dcerpc MY_DCERPC_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# endpoint-mapper lookup-operation timeout 0:00:02

• Enables processing of the lookup operation and sets the pinhole timeout to two seconds

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Multimedia Support

Why Multimedia Is an Issue

Diagram: a client sends a TCP or UDP request through the security appliance; additional UDP or TCP high ports may need to be opened for the media that follows.

• Multimedia applications behave in unique ways.
  – They use dynamic ports.
  – They transmit requests using TCP and get responses in UDP or TCP.
  – They use the same port for source and destination.
• The security appliance:
  – Dynamically opens and closes ports for secure multimedia connections
  – Supports multimedia with or without NAT

Real Time Streaming Protocol

• RTSP uses one TCP and two UDP channels.
• Transport options:
  – RTP
  – RDT
• Sync or resend channel:
  – RTCP
  – UDP resend
• RTSP-TCP-only mode does not require special handling by the security appliance.
• Supported applications:
  – Cisco IP/TV
  – Apple QuickTime 4
  – RealNetworks: RealAudio, RealPlayer, RealServer

Standard RTP Mode

• In standard RTP mode, RTP uses three channels:
  – Control connection (TCP)
  – RTP data (simplex UDP)
  – RTCP reports (duplex UDP)
• For outbound connections, the security appliance opens inbound ports for RTP data and RTCP reports.
• For inbound connections, if an ACL exists, the security appliance handles standard RTP mode as follows:
  – If outbound traffic is allowed, no special handling is required.
  – If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

Diagram (outbound): the client (port 2008) opens the TCP control connection to server port 554 and sends SETUP with transport = rtp/avp/udp; the server then streams UDP RTP data from port 5000 to client port 3056 and exchanges UDP RTCP reports between its port 5001 and client port 3057.
Diagram (inbound): the same exchange with the client on the outside and the server (port 554) on the inside.

RealNetworks RDT Mode

• In RealNetworks RDT mode, RTSP uses three channels:
  – Control connection (TCP)
  – UDP data (simplex UDP)
  – UDP resend (simplex UDP)
• For outbound connections, the security appliance handles RealNetworks RDT mode as follows:
  – If outbound traffic is allowed, it opens an inbound port for UDP data.
  – If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
• For inbound connections, if an ACL exists, the security appliance handles RealNetworks RDT mode as follows:
  – If outbound traffic is allowed, it opens an inbound port for UDP resend.
  – If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

Diagram (outbound): the client (port 2008) opens the TCP control connection to server port 554 and sends SETUP with Transport = x-real-rdt/udp; the server sends UDP data to the client, and the client sends UDP resend requests to the server.
Diagram (inbound): the same exchange with the client on the outside and the server (port 554) on the inside.

RTSP Inspection

Diagram: the inbound and outbound RDT exchanges from the previous slide (TCP control from client port 2008 to server port 554, SETUP with Transport = x-real-rdt/udp, then UDP data and UDP resend).

• By default, the security appliance inspects RTSP connections.
• RTSP inspection dynamically opens UDP connections as required.
• If disabled:
  – UDP transport modes are disallowed.
  – TCP transport modes are allowed. (TCP connection rules apply.)

H.323 Inspection

Diagram: the gatekeeper (port 1720) and the client (port 2008) exchange H.225 call signaling, negotiate capabilities over H.245, and then open RTP sessions and an RTCP session.

H.323 Inspection
• Defines ports for H.323 connections (default = 1720).
• H.323:
  – Uses a signaling channel (H.225/Q.931)
  – Negotiates endpoint capabilities (H.245)
  – Opens dynamic media sessions (RTP/RTCP)
• If disabled, H.323 applications are disallowed.

Advanced H.323 Inspection
• Blocks rogue callers by filtering on called and calling phone numbers
• Restricts call duration
• Tracks protocol state
• Blocks H.323 services such as chat and whiteboard while allowing normal audio and video traffic
• Prevents RAS and H.225 packets from arriving out of state
• Drops video, audio, or data
• Controls H.245 tunneling
• Allows calls to be set up from outside endpoints to inside gateways serviced by an HSI

Advanced H.323 Inspection

asa1(config)# policy-map type inspect h323 MY_H323_MAP
asa1(config-pmap)# match ?

mpf-policy-map mode commands/options:
  called-party   Match a Called-party
  calling-party  Match a Calling-party
  media-type     Match Media type
  not            Negate this match result

asa1(config)# policy-map type inspect h323 MY_H323_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  call-duration-limit  Configure the call duration for H.323 call
  call-party-numbers   Enforce sending call party numbers during call setup
  exit                 Exit from MPF policy-map parameter configuration submode
  h245-tunnel-block    Blocking H.245 tunnelling
  help                 Help for MPF policy-map parameter submode commands
  hsi-group            Define hsi group
  no                   Negate or set default values of a command
  quit                 Exit from MPF policy-map parameter configuration submode
  rtp-conformance      Check RTP packets flowing on the pin-holes for protocol conformance
  state-checking       Enforcing state checking for H.323

SIP Inspection

Diagram: an outbound SIP call from client port 2008 to server port 5060 carries the SIP signaling; the RTP and RTCP media streams follow on negotiated ports.

• Enables SIP inspection
• Default port = 5060
• Enables the security appliance to support any SIP VoIP gateways and VoIP proxies
  – Signaling mechanism (SIP)
  – Multimedia (RTP, RTCP)

Advanced SIP Inspection

asa1(config)# policy-map type inspect sip MY_SIP_MAP
asa1(config-pmap)# match ?

mpf-policy-map mode commands/options:
  called-party              Match a Called-party as specified in the To header
  calling-party             Match a Calling-party as specified in the From header
  content                   Match a SIP Content header
  im-subscriber             Match SIP IM Subscriber
  message-path              Match a SIP Via Header
  not                       Negate this match result
  request-method            Match a SIP request method
  third-party-registration  Match the requester of a third-party registration
  uri                       Match a URI in the SIP headers

asa1(config)# policy-map type inspect sip MY_SIP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  im                       Enable or disable Instant Messaging
  ip-address-privacy       Enable or disable IP address privacy
  max-forwards-validation  Check if the value of Max-Forwards header is zero
  rtp-conformance          Check RTP packets flowing on the pin-holes for protocol conformance
  . . .

SCCP (Skinny) Inspection

Diagram: a SOHO IP phone (port 6058) registers with Cisco CallManager (port 2000) through the security appliance; the IP phone to CallManager and CallManager to IP phone signaling is followed by RTP and RTCP media streams.

• Supports SCCP used by Cisco IP phones
• Enables SCCP signaling and media packets to traverse the security appliance (default port 2000)
• Dynamically opens negotiated ports for media sessions
• Can coexist in an H.323 environment

Advanced Skinny Inspection

asa1(config)# policy-map type inspect skinny MY_SKINNY_MAP
asa1(config-pmap)# match ?

mpf-policy-map mode commands/options:
  message-id  Match StationMessageID field in SCCP messages
  not         Negate this match result

asa1(config)# policy-map type inspect skinny MY_SKINNY_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

mpf-policy-map parameter configuration commands:
  enforce-registration  Enforce registration before calls can be placed
  . . .

Diagram: keypad use and speed dial messages from the IP phone toward the Internet are dropped by the security appliance.

asa1(config)# policy-map type inspect skinny MY_SKINNY_MAP
asa1(config-pmap)# match message-id range 0x03 0x04
asa1(config-pmap-c)# drop log

• Prevents keypad messages from being sent from the endpoint

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

CTIQBE Inspection

Diagram: a SOHO Cisco IP SoftPhone (port 6058) connects to Cisco CallManager (port 2748) through the security appliance; the SoftPhone to CallManager and CallManager to SoftPhone signaling is followed by RTP and RTCP media streams.

• Supports the CTIQBE protocol used by Cisco IP SoftPhones for desktop or laptop PC applications, such as collaboration
• Enables signaling and media packets to traverse the security appliance (default port 2748)
• Dynamically opens negotiated ports for media sessions
• Support is disabled by default

MGCP Inspection

Diagram: the media gateway 192.168.1.115 exchanges MGCP messages with the call agents 10.0.1.5 and 10.0.1.7: gateway to call agent on port 2727, call agent to gateway on port 2427.

• MGCP inspection inspects messages passing between call agents and media gateways.
  – Port 2427 (port on which the gateway receives commands)
  – Port 2727 (port on which the call agent receives commands)
• MGCP inspection dynamically opens negotiated ports for media sessions.
• With multiple call agents configured, connections are opened for all the call agents configured for a particular MGCP gateway group.

MGCP Configuration

asa1(config)# policy-map type inspect mgcp MY_MGCP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?

mpf-policy-map parameter configuration commands:
  call-agent     Add a call agent
  command-queue  Configure a Command Queue
  . . .
  gateway        Add a Gateway
  . . .

Diagram: the media gateway 192.168.1.115 (group 101) and the call agents 10.0.1.5 and 10.0.1.7 (group 101) exchange MGCP messages: gateway to call agent on port 2727, call agent to gateway on port 2427.

asa1(config)# policy-map type inspect mgcp MY_MGCP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# call-agent 10.0.1.5 101
asa1(config-pmap-p)# call-agent 10.0.1.7 101
asa1(config-pmap-p)# gateway 192.168.1.115 101

• Specifies two call agents and their group ID; specifies a gateway and its group ID

The specified action is taken only after the inspection policy map is applied to a Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.

Summary

Summary

• With the inspect command, you can enable, disable, or enhance the use of a protocol inspection.
• The security appliance uses special handling for some advanced protocols: FTP, HTTP, SNMP, and MGCP.
• The security appliance handles such multimedia protocols as RTSP, RTP, SCCP, SIP, MGCP, and H.323.
• You can change the port value for protocol inspection.
• The class-map type inspect (optional), policy-map type inspect, class-map, policy-map, and service-policy commands are used to configure advanced protocol inspection.
• The match command can be used in an inspection class map or an inspection policy map to identify the traffic on which you want the security appliance to perform an action.
• Some match commands allow you to identify text in a packet using a regular expression, which is a pattern to match against an input string.

Lab Visual Objective

Lab topology (P is the pod number for pods 1–5, Q the pod number for pods 6–10):
• Backbone: the RBB router connects 172.26.26.0 (Web/FTP servers at .50 and .150) to the pod outside networks 192.168.P.0 and 192.168.Q.0, on which RBB is .1 and each pod's ASA outside interface is .2.
• DMZ: 172.16.P.0 and 172.16.Q.0, ASA interface .1, bastion host (Web/FTP) .2.
• Inside: 10.0.P.0 and 10.0.Q.0, ASA interface .1, Web/FTP server .10, RTS .100, and the student PC running local Web/FTP services at 10.0.P.11 and 10.0.Q.11.