Chapter 22
Applying Application Layer Protocol Inspection
See
Chapter 20, "Using Modular Policy Framework,"
Framework.
Inspection is enabled by default for some applications. See the
page 22-4
To configure application inspection, perform the following steps:
To identify the traffic to which you want to apply inspections, add a Layer 3/4 class map. See the
Step 1
"Identifying Traffic (Layer 3/4 Class Map)" section on page 20-4
The default Layer 3/4 class map for through traffic is called "inspection_default." It matches traffic using
a special match command, match default-inspection-traffic, to match the default ports for each
application protocol.
You can specify a match access-list command along with the match default-inspection-traffic
command to narrow the matched traffic to specific IP addresses. Because the match
default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.
If you want to match non-standard ports, then you need to create a new class map for the non-standard
ports. See the
engine. You can combine multiple class maps in the same policy if desired, so you can create one class
map to match certain traffic, and another to match different traffic. However, if traffic matches a class
map that contains an inspection command, and then matches another class map that also has an
inspection command, only the first matching class is used. For example, SNMP matches the
inspection_default class. To enable SNMP inspection, enable SNMP inspection for the default class in
Step
5. Do not add another class that matches SNMP.
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter
the following commands:
hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0
192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
View the entire class map using the following command:
hostname(config-cmap)# show running-config class-map inspection_default
!
class-map inspection_default
match default-inspection-traffic
match access-list inspect
!
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies
the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
(Optional) Some inspection engines let you control additional parameters when you apply the inspection
Step 2
to the traffic. See the following sections to configure either an inspection policy map or an application
map for your application. Both inspection policy maps and application maps let you customize the
inspection engine. Inspection policy maps use Modular Policy Framework commands like policy-map
type inspect, and others. Application maps use commands in the form protocol-map.
DCERPC—See the
•
Control" section on page
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
section for more information. Use this section to modify your inspection policy.
"Default Inspection Policy" section on page 22-4
"Configuring a DCERPC Inspection Policy Map for Additional Inspection
22-17.
Configuring Application Inspection
for more information about Modular Policy
"Default Inspection Policy" section on
for detailed information.
for the standard ports for each inspection
22-7