42-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter42 Getting Started with Application Layer Protocol Inspection
Configuring Application Layer Protocol Inspection
Tip We suggest that you only inspect traffic on ports on which you expect application traffic; if you
inspect all traffic, for example using match any, the ASA performance can be impacted.
If you want to match non-standard ports, then create a new class map for the non-standard ports. See the
“Default Settings” section on page 42-4 for the standard ports for each inspection engine. You can
combine multiple class maps in the same policy if desired, so you can create one class map to match
certain traffic, and another to match different traffic. However, if traffic matches a class map that
contains an inspection command, and then matches another class map that also has an inspection
command, only the first matching class is used. For example, SNMP matches the inspection_default
class. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add
another class that matches SNMP.
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter
the following commands:
hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0
192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
View the entire class map using the following command:
hostname(config-cmap)# show running-config class-map inspection_default
!
class-map inspection_default
match default-inspection-traffic
match access-list inspect
!
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies
the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
Step2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection
to the traffic. See the following sections to configure an inspection policy map for your application:
DCERPC—See the “Configuring a DCERPC Inspection Policy Map for Additional Inspection
Control” section on page 46-2
DNS—See the “Configuring a DNS Inspection Policy Map for Additional Inspection Control”
section on page 43-7
ESMTP—See the “Configuring an ESMTP Inspection Policy Map for Additional Inspection
Control” section on page 43-32
FTP—See the “Configuring an FTP Inspection Policy Map for Additional Inspection Control”
section on page 43-12.
GTP—See the “Configuring a GTP Inspection Policy Map for Additional Inspection Control”
section on page 46-4.
H323—See the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control”
section on page 44-6
HTTP—See the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control”
section on page 43-17.