Sunday, December 20, 2015

MPF (Modular Policy Framework)

Modular Policy Framework

CPS:
Class-map: identify the traffic
Policy-map: specify the action to take on that traffic
Service-policy: specify where on the ASA to apply it (a specific interface, or globally via the global policy)

CLI for implementing Application Inspection (L3/L4):

Example:
Let's allow a host to connect to an FTP server (the data channel is opened dynamically by the inspection) and inspect FTP.

#create the access-list
access-list dmz_mpc permit tcp any any eq ftp

#Identify the traffic (class-map and policy-map names are case-sensitive, so they must match exactly)
class-map FTP-Class-MAP
    match access-list dmz_mpc

#Take action on that traffic
policy-map FTP-Policy-MAP
    class FTP-Class-MAP
        inspect ftp

This will inspect the control channel between the host and the FTP server.

#where to apply it
service-policy FTP-Policy-MAP interface dmz

To verify, let's transfer some files using FTP and then check the connections on the ASA:
show conn

To check MPF config on ASDM:

Config -> Firewall -> service policy rules

show run class-map
By default there is already a class-map that matches default-inspection-traffic.

default-inspection-traffic is a pre-defined list of ports, services and applications that the ASA inspects by default.

show run policy-map
displays the default policy.

The default policy can be deleted.

show run service-policy
A service-policy can also be applied globally.

CLI for implementing QoS:

priority-queue inside

class-map VOIP
    match dscp 46
(DSCP value 46 is EF, Expedited Forwarding)

class-map TELNET
    match port tcp eq telnet

policy-map inside-policy
    class VOIP
        priority
    class TELNET
        police output 8000 1500 conform-action transmit exceed-action drop

service-policy inside-policy interface inside

Note: priority queuing is always applied to outbound traffic. Policing can be inbound or outbound.

CLI for implementing connection settings:

class-map TCP-sessions
    match port tcp range 1 65000

policy-map Conn-Limits
    class TCP-sessions
        set connection conn-max 500 embryonic-conn-max 50
        set connection timeout embryonic 0:05:00 half-closed 0:10:00

service-policy Conn-Limits interface outside
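As an added example (not part of the original post), here is a small Python checker that walks the class-map / policy-map / service-policy chain of a saved ASA configuration and reports a policy-map that references a class-map which does not exist (ASA names are case-sensitive, so FTP-Class-MAp and FTP-Class-MAP are different objects), a class-map that matches an undefined access-list, and a policy-map that is never applied with service-policy. The configuration text, the names in it and the check_mpf function are constructed for this example and are not from a real device.

```python
import re
# Constructed ASA config excerpt, not from a real device. The policy-map references
# "FTP-Class-MAP" but the class-map was typed "FTP-Class-MAp"; Conn-Limits is never applied.
SAMPLE_CONFIG = """\
access-list dmz_mpc extended permit tcp any any eq ftp
class-map FTP-Class-MAp
 match access-list dmz_mpc
class-map TCP-sessions
 match port tcp range 1 65000
policy-map FTP-Policy-MAP
 class FTP-Class-MAP
  inspect ftp
policy-map Conn-Limits
 class TCP-sessions
  set connection conn-max 500 embryonic-conn-max 50
service-policy FTP-Policy-MAP interface dmz
"""
BUILTIN_CLASSES = {"class-default"}  # usable inside any policy-map without a class-map

def check_mpf(config):
    """Walk the class-map -> policy-map -> service-policy chain; return a list of findings."""
    acls, classes, policies, applied = set(), set(), set(), set()
    acl_refs, class_refs = [], []  # (class-map, acl) and (policy-map, class-map) pairs
    scope = (None, None)           # block we are currently inside: ("class"|"policy", name)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (\S+)$", line):        # plain L3/L4 class-maps only
            scope = ("class", m.group(1)); classes.add(scope[1])
        elif m := re.match(r"policy-map (\S+)$", line):
            scope = ("policy", m.group(1)); policies.add(scope[1])
        elif m := re.match(r"service-policy (\S+) (?:interface \S+|global)$", line):
            applied.add(m.group(1))
        elif (m := re.match(r"match access-list (\S+)$", line)) and scope[0] == "class":
            acl_refs.append((scope[1], m.group(1)))
        elif (m := re.match(r"class (\S+)$", line)) and scope[0] == "policy":
            class_refs.append((scope[1], m.group(1)))
    findings = []
    for cmap, acl in acl_refs:
        if acl not in acls:
            findings.append(f"class-map {cmap} matches undefined access-list {acl}")
    for pmap, cmap in class_refs:
        if cmap not in classes | BUILTIN_CLASSES:
            near = [c for c in classes if c.lower() == cmap.lower()]  # case-only mismatch?
            hint = f" (did you mean {near[0]}?)" if near else ""
            findings.append(f"policy-map {pmap} references undefined class-map {cmap}{hint}")
    for pmap in sorted(policies - applied):
        findings.append(f"policy-map {pmap} is not applied by any service-policy")
    return findings
```

Feed it the output of show run class-map, show run policy-map and show run service-policy concatenated, plus the access-lists, to review a configuration before or after pushing it.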

Note: unlike the CLI, in ASDM we first configure the service policy rule, then the class, and finally the policy-map.

Config -> Firewall -> service policy rules -> Add

Note: inspection can be inbound or outbound. For QoS, priority queuing is always outbound, while policing can be inbound or outbound.

TCP and UDP are in the inspection list by default, but ICMP is not.
