21-17
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Configuring Inspection Maps for Zone-based Firewall Policies
Related Topics
Understanding the Zone-based Firewall Rules, page 21-3
Zone-based Firewall Rules Page, page 21-57
Creating Policy Objects, page 6-9
Understanding Map Objects, page 6-72
Configuring Class Maps for Zone-Based Firewall Policies
Use the Add and Edit Class Map dialog boxes to define class maps to be used in policy maps of the same type. The name of the dialog box indicates the type of map you are creating.

A class map defines application traffic based on criteria specific to the application. You then select the class map in the corresponding policy map and configure the action to take for the selected traffic. Thus, each class map must contain traffic that you want to handle in the same way (for example, to allow it or to drop it).

When configuring zone-based firewall rules for devices running Cisco IOS Software, you can create class maps for the following purposes:

For 12.4(6)T and higher, you can create classes for the inspection of the following types of traffic: H.323, HTTP, IMAP, POP3, SIP, SMTP, and Sun RPC. You can create classes for web filtering using the following class types: Local, N2H2 (SmartFilter), and WebSense. See the following topics for information on the match criteria:

H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-21
HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes, page 21-21
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-23
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes, page 21-24
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-25
Table 21-2 Policy Objects for Zone-based Firewall Inspection Rules (Continued)

| Protocol | Minimum IOS Software Version | Policy Map | Class Map | Parameter Map | Description and Match Criteria Reference |
|---|---|---|---|---|---|
| SMTP (Simple Mail Transfer Protocol) | 12.4(6)T | SMTP | SMTP | None | Inspect traffic based on data length. See SMTP Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-25. |
| Stun-ice | 12.4(9)T | None | None | Protocol Info | You must select a Protocol Info parameter map to define the DNS servers used by the traffic you are inspecting. See Configuring Protocol Info Parameter Maps, page 21-32. |
| Sun RPC (Remote Procedure Call) | 12.4(6)T | Sun RPC | Sun RPC | None | Inspect traffic based on the RPC protocol number. See Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes, page 21-28. |
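The following is an added example, not taken from this guide or generated by Security Manager, of the Cisco IOS zone-based firewall configuration that the objects described in this section and in Table 21-2 correspond to: an application class map of each type (HTTP, SMTP data length, Sun RPC program number) selected in a policy map of the same type, which is then attached to the Layer 3/4 inspect policy on a zone pair. All object names, the zone names and the 5000000-byte SMTP threshold are made up for the example; the syntax assumes IOS 12.4(6)T or later.

```cisco
! Application (Layer 7) class maps: the match criteria are specific to each protocol.
class-map type inspect http match-any HTTP-VIOLATIONS
 match request port-misuse any
 match req-resp protocol-violation
!
class-map type inspect smtp match-any SMTP-OVERSIZED
 match data-length gt 5000000
!
class-map type inspect sunrpc match-any RPC-NFS
 match program-number 100003
!
! Application policy maps of the same type: one action per class map (hypothetical names).
policy-map type inspect http HTTP-POLICY
 class type inspect http HTTP-VIOLATIONS
  reset
  log
!
policy-map type inspect smtp SMTP-POLICY
 class type inspect smtp SMTP-OVERSIZED
  reset
!
policy-map type inspect sunrpc RPC-POLICY
 class type inspect sunrpc RPC-NFS
  allow
!
! Layer 3/4 class maps select the protocol; the inspect policy map attaches each L7 policy.
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http
class-map type inspect match-any SMTP-TRAFFIC
 match protocol smtp
class-map type inspect match-any RPC-TRAFFIC
 match protocol sunrpc
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect HTTP-TRAFFIC
  inspect
  service-policy http HTTP-POLICY
 class type inspect SMTP-TRAFFIC
  inspect
  service-policy smtp SMTP-POLICY
 class type inspect RPC-TRAFFIC
  inspect
  service-policy sunrpc RPC-POLICY
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
```

Each Layer 7 class map holds only traffic that receives the same action, which is why the HTTP violations class is reset and logged while the Sun RPC class is allowed, and a class-default drop keeps anything not explicitly classified from crossing the zone pair.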