Modular Policy Framework
CPS (Class-map, Policy-map, Service-policy):
Class-map: identify the traffic
Policy-map: specify the action to take on that traffic
Service-policy: where on the ASA to apply it (per interface, or globally with the global policy)
CLI for implementing application inspection (L3/L4 policy):
Example:
Let's allow a host to connect to an FTP server (with the data channel opened dynamically) and inspect FTP
#create the access-list
access-list dmz_mpc permit tcp any any eq ftp
#identify the traffic (class-map names are case-sensitive, so the name here must match the one used in the policy-map exactly)
class-map FTP-Class-MAP
match access-list dmz_mpc
#take action on that traffic
policy-map FTP-Policy-MAP
class FTP-Class-MAP
inspect ftp
This inspects the FTP control channel between the host and the FTP server and opens the data channel dynamically
#where to apply it
service-policy FTP-Policy-MAP interface dmz
To verify, transfer some files using FTP and check the connections on the ASA:
On ASA
show conn
To check the MPF config in ASDM:
Config -> Firewall -> Service Policy Rules
show run class-map
By default there is a class-map that matches default-inspection-traffic.
default-inspection-traffic is a pre-defined list of ports, services and applications that Cisco inspects by default.
show run policy-map
Displays the default policy.
The default policy can be deleted.
show run service-policy
A service-policy can also be applied globally (service-policy <name> global) instead of per interface.
CLI for implementing QoS:
priority-queue inside
class-map VOIP
match dscp 46 #DSCP value 46 is EF (Expedited Forwarding)
class-map TELNET
match port tcp eq telnet
policy-map inside-policy
class VOIP
priority
class TELNET
police output 8000 1500 conform-action transmit exceed-action drop #8000 bps conform rate, 1500-byte burst; the keyword is conform-action, not confirm-action
service-policy inside-policy interface inside
Note: prioritizing traffic is always outbound. Policing can be inbound or outbound.
CLI for implementing connection settings:
class-map TCP-sessions
match port tcp range 1 65000
policy-map Conn-Limits
class TCP-sessions
set connection conn-max 500 embryonic-conn-max 50
set connection timeout embryonic 0:05:00 half-closed 0:10:00
service-policy Conn-Limits interface outside
Note: Unlike the CLI, in ASDM we first configure the service policy rule, then the class, and finally the policy map.
Config -> Firewall -> Service Policy Rules -> Add
Note: inspection can be inbound or outbound. For QoS, prioritizing is always outbound and policing can be inbound or outbound.
TCP and UDP are in the default inspection list, but ICMP is not.
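As an added example (not from the original notes), a small Python audit of ASA running-config text that checks the three MPF layers link up: every class referenced in a policy-map has a class-map with exactly that name (the ASA treats names case-sensitively, so FTP-Class-MAp and FTP-Class-MAP are different objects), and every policy-map is actually applied by some service-policy, since a policy-map with no service-policy does nothing. The sample config is constructed from the FTP and QoS examples above, with a deliberate case mismatch to show the check firing.

```python
import re
# Constructed sample mirroring the notes' configs, with a deliberate class-name case mismatch.
SAMPLE_CONFIG = """\
class-map FTP-Class-MAp
 match access-list dmz_mpc
class-map VOIP
 match dscp ef
policy-map FTP-Policy-MAP
 class FTP-Class-MAP
  inspect ftp
policy-map inside-policy
 class VOIP
  priority
service-policy FTP-Policy-MAP interface dmz
"""

def parse_mpf(config):
    """Split an ASA running-config into its three MPF layers (names are case-sensitive)."""
    class_maps, policy_maps, service_policies = {}, {}, []
    cur_cm = cur_pm = cur_cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # an unindented line ends any open block
            cur_cm = cur_pm = cur_cls = None
        if m := re.fullmatch(r"class-map (\S+)", line):
            cur_cm = m.group(1)
            class_maps[cur_cm] = []         # name -> match lines
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            cur_pm = m.group(1)
            policy_maps[cur_pm] = {}        # name -> {class: action lines}
        elif m := re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line):
            service_policies.append((m.group(1), m.group(2)))
        elif cur_cm and line.startswith("match "):
            class_maps[cur_cm].append(line)
        elif cur_pm and (m := re.fullmatch(r"class (\S+)", line)):
            cur_cls = m.group(1)
            policy_maps[cur_pm][cur_cls] = []
        elif cur_pm and cur_cls:
            policy_maps[cur_pm][cur_cls].append(line)
    return class_maps, policy_maps, service_policies

def audit_mpf(config):
    """Flag links that do not resolve: a class with no class-map, a policy-map never applied."""
    class_maps, policy_maps, service_policies = parse_mpf(config)
    findings = [f"{pm}: class {cls} has no class-map (check case)"
                for pm, classes in policy_maps.items() for cls in classes
                if cls != "class-default" and cls not in class_maps]
    findings += [f"{pm}: defined but not applied by any service-policy"
                 for pm in policy_maps if not any(p == pm for p, _ in service_policies)]
    return findings
```

Run it over the output of show run (or a config kept in version control) before pushing changes; class-default is skipped because the ASA supplies it implicitly.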