42-6
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter42 Getting Started with Application Layer Protocol Inspectio n
Configuring Application Layer Protocol Inspection
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
Configuring Application Layer Protocol Inspection
This feature uses Modular Policy Framework to create a service policy. Service policies provide a
consistent and flexible way to configure ASA features. For example, you can use a service policy to
create a timeout configuration that is specific to a particular TCP application, as opposed to one that
applies to all TCP applications. See Chapter32, “Configuring a Service Policy Using the Modular Policy
Framework,” for more information. For some applications, you can perform special actions when you
enable inspection. See Chapter 32, “Configuring a Service Policy Using the Modular Policy
Framework,” for more information.
Inspection is enabled by default for some applications. See the “Default Settings” section for more
information. Use this section to modify your inspection policy.
Detailed Steps
Step1 To identify the traffic to which you want to apply inspections, add either a Layer 3/4 class map for
through traffic or a Layer 3/4 class map for management traffic. See the “Creating a Layer 3/4 Class Map
for Through Traffic” section on page32-12 and “Creating a Layer 3/4 Class Map for Management
Traffic” section on page32-14 for detailed information. The management Layer 3/4 class map can be
used only with the RADIUS accounting inspection.
The default Layer 3/4 class map for through traffic is called “inspection_default.” It matches traffic using
a special match command, match default-inspection-traffic, to match the default ports for each
application protocol. This traffic class (along with match any, which is not typically used for inspection)
matches both IPv4 and IPv6 traffic for inspections that support IPv6. See the “Guidelines and
Limitations” section on page42-3 for a list of IPv6-enabled inspections.
You can specify a match access-list command along with the match default-inspection-traffic
command to narrow the matched traffic to specific IP addresses. Because the match
default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.