Enabling Application Inspection Using the Modular Policy Framework
Cisco ASA provides a Modular Policy Framework (MPF) to provide application security or to perform quality of service (QoS) functions. MPF provides a consistent and flexible way to configure the Cisco ASA application inspection and other features in a manner similar to the Cisco IOS Software Modular QoS CLI.
Note
Chapter 12, "Quality of Service," covers the QoS functionality in detail.
As a general rule, the provisioning of inspection policies requires the following steps:
- Configure traffic classes to identify interesting traffic.
- Associate actions to each traffic class to create policies.
- Activate the policies on an interface.
These policy provisioning steps can be completed using these three main commands of the MPF:
- class-map: Classifies the traffic that will be inspected. Various types of match criteria in a class map can be used to classify traffic. The primary criterion is the use of an access control list (ACL). Example 8-1 demonstrates this.
- policy-map: Configures security or QoS policies. A policy consists of a class command and its associated actions. Additionally, a policy map can contain multiple policies.
- service-policy: Activates a policy map globally (on all interfaces) or on a targeted interface.
Example 8-1. Matching Specific Traffic Using an ACL
Chicago(config)# access-list udptraffic permit udp any any
Chicago(config)# class-map UDPclass
Chicago(config-cmap)# match access-list udptraffic
Chicago(config-cmap)# exit
Chicago(config)# policy-map udppolicy
Chicago(config-pmap)# class UDPclass
Chicago(config-pmap-c)# inspect tftp
Chicago(config-pmap-c)# exit
Chicago(config-pmap)# exit
Chicago(config)# service-policy udppolicy global
In Example 8-1, an ACL named udptraffic is configured to identify all UDP traffic. This ACL is then applied to a class map named UDPclass.
A policy map named udppolicy is configured that has the class map UDPclass mapped to it. The policy map is set up to inspect all TFTP traffic from the UDP packets that are being classified in the class map. Finally, the service policy is applied globally.
The security appliance contains a default class map named inspection_default and a policy map named asa_global_fw_policy. Example 8-2 shows the default class map and policy map in the Cisco ASA.
Example 8-2. Default Class and Policy Maps
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
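The three-step chain (class-map, policy-map, service-policy) is easy to leave half-finished when reviewing a configuration offline: a policy map that is never activated, or a class map whose ACL was never defined, silently inspects nothing. The following Python script is an added example, not code from the book or from Cisco, that parses the class-map / policy-map / service-policy blocks as they appear in `show running-config` text and resolves which `inspect` actions are in effect globally and per interface. The sample configuration is constructed from Examples 8-1 and 8-2, with a deliberately unattached policy map (`webpolicy`) and a class map referencing an undefined ACL (`webtraffic`) added so the checks have something to report; only the `inspect` actions listed in those examples are assumed.

```python
"""Resolve Cisco ASA MPF configuration into effective inspection policies.

Added example (not from the book): parses class-map, policy-map and
service-policy blocks from running-config text and reports which inspect
actions apply at each attachment point, flagging dangling references.
"""
from dataclasses import dataclass, field

# Constructed sample: Examples 8-1 and 8-2 trimmed, plus two deliberate gaps
# (an unattached policy map and a class map matching an undefined ACL).
SAMPLE_CONFIG = """\
access-list udptraffic permit udp any any
class-map inspection_default
 match default-inspection-traffic
class-map UDPclass
 match access-list udptraffic
class-map WEBclass
 match access-list webtraffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect tftp
policy-map udppolicy
 class UDPclass
  inspect tftp
policy-map webpolicy
 class WEBclass
  inspect http
!
service-policy global_policy global
service-policy udppolicy interface outside
"""


@dataclass
class ClassMap:
    name: str
    matches: list = field(default_factory=list)   # e.g. "access-list udptraffic"


@dataclass
class PolicyMap:
    name: str
    classes: dict = field(default_factory=dict)   # class name -> action lines


def parse_mpf(config: str):
    """Return (acl_names, class_maps, policy_maps, service_policies).

    Nesting is recovered from the running-config indentation: top-level
    commands start at column 0, class-map matches at one space, 'class'
    entries inside a policy map at one space and their actions at two.
    """
    acls, cmaps, pmaps, spolicies = set(), {}, {}, []
    cur_cmap = cur_pmap = cur_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        tok = line.split()
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            cur_cmap = cur_pmap = cur_class = None
            if tok[0] == "access-list":
                acls.add(tok[1])
            elif tok[0] == "class-map":          # last token is the name
                cur_cmap = ClassMap(tok[-1])
                cmaps[cur_cmap.name] = cur_cmap
            elif tok[0] == "policy-map":
                cur_pmap = PolicyMap(tok[-1])
                pmaps[cur_pmap.name] = cur_pmap
            elif tok[0] == "service-policy":
                target = "global" if tok[2] == "global" else tok[3]
                spolicies.append((tok[1], target))
        elif cur_cmap is not None and tok[0] == "match":
            cur_cmap.matches.append(" ".join(tok[1:]))
        elif cur_pmap is not None and tok[0] == "class":
            cur_class = tok[1]
            cur_pmap.classes.setdefault(cur_class, [])
        elif cur_pmap is not None and cur_class is not None:
            cur_pmap.classes[cur_class].append(" ".join(tok))
    return acls, cmaps, pmaps, spolicies


def effective_inspections(config: str):
    """Return ({target: {class_name: [inspected protocols]}}, [warnings])."""
    acls, cmaps, pmaps, spolicies = parse_mpf(config)
    result, warnings = {}, []
    for cname, cmap in cmaps.items():
        for m in cmap.matches:
            mt = m.split()
            if mt[0] == "access-list" and mt[1] not in acls:
                warnings.append(f"class-map {cname} matches undefined ACL {mt[1]}")
    for pname, target in spolicies:
        pmap = pmaps.get(pname)
        if pmap is None:
            warnings.append(f"service-policy {pname} references an undefined policy-map")
            continue
        per_class = result.setdefault(target, {})
        for cname, actions in pmap.classes.items():
            if cname not in cmaps and cname != "class-default":
                warnings.append(f"policy-map {pname}: class {cname} is not a defined class-map")
                continue
            per_class[cname] = [a.split()[1] for a in actions if a.startswith("inspect ")]
    attached = {p for p, _ in spolicies}
    for pname in pmaps:
        if pname not in attached:
            warnings.append(f"policy-map {pname} is defined but not activated by any service-policy")
    return result, warnings


if __name__ == "__main__":
    res, warns = effective_inspections(SAMPLE_CONFIG)
    for target, classes in res.items():
        for cname, protos in classes.items():
            print(f"{target:8} {cname:20} inspect {', '.join(protos)}")
    for w in warns:
        print("WARNING:", w)
```

Run against the sample, the script reports `dns, ftp, tftp` inspected globally via `inspection_default`, `tftp` inspected on `outside` via `UDPclass`, and two warnings: the undefined `webtraffic` ACL and the never-activated `webpolicy` policy map. Feed it the output of `show running-config` to confirm that every policy map you intended to enforce is actually attached, either globally or to the interface you expected.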