Selective Inspection
As previously mentioned, the match command allows you to specify what traffic the Cisco ASA inspection engine will process. It can be used in conjunction with an ACL to determine what traffic will be inspected. Example 8-3 shows all the supported options for traffic classification in a class map named UDPclass.
Example 8-3. Supported Traffic Classification Options
Chicago(config)# class-map UDPclass Chicago(config-cmap)# match ? mpf-class-map mode commands/options: access-list Match an Access List any Match any packet default-inspection-traffic Match default inspection traffic: ctiqbe----tcp--2748 dns-------udp--53 ftp-------tcp--21 gtp-------udp--2123,3386 h323-h225-tcp--1720 h323-ras--udp--1718-1719 http------tcp--80 icmp------icmp ils-------tcp--389 mgcp------udp--2427,2727 netbios---udp--137138 rpc-------udp--111 rsh-------tcp--514 rtsp------tcp--554 sip-------tcp--5060 sip-------udp--5060 skinny----tcp--2000 smtp------tcp--25 sqlnet----tcp--1521 tftp------udp--69 xdmcp-----udp--177 dscp Match IP DSCP (DiffServ CodePoints) flow Flow based Policy port Match TCP/UDP port(s) precedence Match IP precedence rtp Match RTP port numbers tunnel-group Match a Tunnel Group
Table 8-2 lists briefly describes all the options supported by the match command.
|
Option |
Description |
|---|---|
|
access-list |
Specifies an ACL used to match or classify the traffic to be inspected. |
|
any |
Any IP traffic. |
|
default-inspection-traffic |
The default entry for inspection of the supported protocols. This match applies only to the inspect command. It cannot be associated with any action commands but inspect. |
|
dscp |
Matches based on IP DSCP (DiffServ CodePoints). |
|
flow |
Used for flow-based policy. |
|
port |
Used to match TCP and/or UDP ports. |
|
precedence |
Matches based on IP Precedence value represented by the TOS byte in the IP header. The precedence value can be in a range from 0 to 7. |
|
rtp |
Matches Real Time Protocol (RTP) port numbers. |
|
tunnel-group |
Matches VPN traffic of a specific tunnel group. |
Note
Details on matching traffic based on DSCP, flow, precedence, and tunnel group are covered in Chapter 12.
To display statistics on the traffic being inspected on the Cisco ASA, use the show service-policy command. Example 8-4 shows the output of this command.
Example 8-4. Output of show service-policy Command
Chicago# show service-policy Global policy: Service-policy: global_policy Class-map: inspection_default Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0 Inspect: ftp, packet 24, drop 0, reset-drop 0 Inspect: h323 h225, packet 0, drop 0, reset-drop 0 Inspect: h323 ras, packet 0, drop 0, reset-drop 0 Inspect: netbios, packet 10, drop 0, reset-drop 0 Inspect: rsh, packet 0, drop 0, reset-drop 0 Inspect: rtsp, packet 0, drop 0, reset-drop 0 Inspect: skinny, packet 0, drop 0, reset-drop 0 Inspect: esmtp, packet 54, drop 0, reset-drop 0 Inspect: sqlnet, packet 0, drop 0, reset-drop 0 Inspect: sunrpc, packet 0, drop 0, reset-drop 0 Inspect: tftp, packet 0, drop 0, reset-drop 0 Inspect: sip, packet 0, drop 0, reset-drop 0 Inspect: xdmcp, packet 0, drop 0, reset-drop 0
The following sections include information about each application inspection protocol supported on Cisco ASA.