Enabling Application Inspection Using the Modular Policy Framework

Cisco ASA provides a Modular Policy Framework (MPF) for application security and quality of service (QoS) functions. MPF offers a consistent and flexible way to configure Cisco ASA application inspection and other features, in a manner similar to the Cisco IOS Software Modular QoS CLI.

Note

Chapter 12, "Quality of Service," covers the QoS functionality in detail.

As a general rule, the provisioning of inspection policies requires the following steps:

  1. Configure traffic classes to identify interesting traffic.
  2. Associate actions to each traffic class to create policies.
  3. Activate the policies on an interface.

These policy provisioning steps are completed with the three main MPF commands used in Example 8-1: class-map, policy-map, and service-policy.

Example 8-1. Matching Specific Traffic Using an ACL

Chicago(config)# access-list udptraffic permit udp any any
Chicago(config)# class-map UDPclass
Chicago(config-cmap)# match access-list udptraffic
Chicago(config-cmap)# exit
Chicago(config)# policy-map udppolicy
Chicago(config-pmap)# class UDPclass
Chicago(config-pmap-c)# inspect tftp
Chicago(config-pmap-c)# exit
Chicago(config-pmap)# exit
Chicago(config)# service-policy udppolicy global

In Example 8-1, an ACL named udptraffic is configured to identify all UDP traffic. This ACL is then applied to a class map named UDPclass.

A policy map named udppolicy is configured that has the class map UDPclass mapped to it. The policy map is set up to inspect all TFTP traffic from the UDP packets that are being classified in the class map. Finally, the service policy is applied globally.

The security appliance contains a default class map named inspection_default and a policy map named asa_global_fw_policy. Example 8-2 shows the default class map and policy map in the Cisco ASA.

Example 8-2. Default Class and Policy Maps

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
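As an added example (not code from the book), the following Python helper walks the class-map / policy-map / service-policy chain in running-config text and reports which inspections each activation actually enforces, and which policy maps were built but never applied with service-policy. The embedded configuration is constructed from Examples 8-1 and 8-2 with one extra, never-activated policy map; the function names are assumptions.

```python
# Constructed sample (assumption, not the book's): Examples 8-1 and 8-2 combined plus one never-activated policy map.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map UDPclass
 match access-list udptraffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
policy-map udppolicy
 class UDPclass
  inspect tftp
policy-map forgotten_policy
 class UDPclass
  inspect sunrpc
service-policy global_policy global
service-policy udppolicy interface outside
"""

def parse_mpf(config):  # returns (class_maps, policy_maps, bindings)
    class_maps, policy_maps, bindings = {}, {}, []
    cmap = pmap = pclass = None  # current nesting context while walking the lines
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("class-map "):         # step 1: a traffic class
            cmap, pmap, pclass = line.split()[1], None, None
            class_maps[cmap] = []                  # name -> match criteria
        elif line.startswith("policy-map "):      # step 2: actions per class
            pmap, cmap, pclass = line.split()[1], None, None
            policy_maps[pmap] = {}                 # name -> {class: [inspect args]}
        elif line.startswith("service-policy "):  # step 3: activation
            bindings.append(tuple(line.split(maxsplit=2)[1:]))  # (policy, "global" or "interface X")
        elif cmap and line.startswith("match "):
            class_maps[cmap].append(line[len("match "):])
        elif pmap and line.startswith("class "):  # "class-map" was matched above, so this is a policy class
            pclass = line.split()[1]
        elif pclass and line.startswith("inspect "):
            policy_maps[pmap].setdefault(pclass, []).append(line[len("inspect "):])
    return class_maps, policy_maps, bindings

def effective_inspections(config):  # activation target -> {class: (match criteria, inspections)}
    class_maps, policy_maps, bindings = parse_mpf(config)
    report = {}
    for name, target in bindings:
        for cname, inspects in policy_maps.get(name, {}).items():
            report.setdefault(target, {})[cname] = (class_maps.get(cname, []), inspects)
    return report

def unactivated_policies(config):  # policy maps no service-policy command ever applies
    _, policy_maps, bindings = parse_mpf(config)
    return sorted(set(policy_maps) - {name for name, _ in bindings})
```

Run against a real show running-config export, the unactivated list is the quickest check that step 3 was not skipped for a policy someone believes is in force.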
