Hi all
I have two queries with ASA's MPF
*Query 1*
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0
In the configuration given above, the class inspection_default is configured
for HTTP inspection. All the HTTP traffic will match this rule.
Below it you can see "set connection" applied to class http_traffic, which
matches port 80. Will this work?
All the HTTP traffic will match class inspection_default, so how will HTTP
traffic match against class http_traffic again?
*Query 2*
hostname(config)# class-map im_inspect_class_map
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# policy-map type inspect im im_policy_all
hostname(config-pmap)# class yahoo_file_block_list
hostname(config-pmap-c)# match service file-transfer
hostname(config-pmap)# class yahoo_im_policy
hostname(config-pmap-c)# drop-connection
hostname(config-pmap)# class yahoo_im_policy2
hostname(config-pmap-c)# reset
hostname(config)# policy-map global_policy_name
hostname(config-pmap)# class im_inspect_class_map
hostname(config-pmap-c)# inspect im im_policy_all
*match default-inspection-traffic.* What does *default-inspection-traffic*
match? Does it match any traffic, or only the ports that the ASA can inspect?
If you check in the ASA, *default-inspection-traffic* does not have a
port defined for IM.
asa/king(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 waas------tcp--1-65535
xdmcp-----udp--177
If it doesn't have a port for IM, how will it be inspected?
With regards
Kings
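As an added illustration (not part of Kings' post and not Cisco code), the model below encodes the documented MPF matching rule that a flow is matched against the classes of a policy-map once per feature type: the first matching class wins for that feature type (here "inspect" and "connection"), but a later class can still contribute an action of a different feature type. The port list is a constructed subset of the `match ?` output quoted above, and the Yahoo Messenger port 5050 used for Query 2 is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Flow:
    proto: str
    dport: int

# Constructed subset of the default-inspection-traffic list shown by 'match ?'.
# Note that no IM port appears in it, just as in the quoted output.
DEFAULT_INSPECTION_PORTS = {("tcp", 80), ("tcp", 21), ("tcp", 25),
                            ("tcp", 5060), ("udp", 5060), ("udp", 53)}

@dataclass
class ClassMap:
    name: str
    matcher: Callable[[Flow], bool]

@dataclass
class PolicyClass:
    cmap: ClassMap
    actions: Dict[str, str]   # feature type -> action text

def apply_policy(policy: List[PolicyClass], flow: Flow) -> Dict[str, Tuple[str, str]]:
    """Return {feature_type: (class_name, action)} for one flow.

    Model of the ASA rule: per feature type only the FIRST matching class
    applies; classes matched later still apply for other feature types.
    """
    applied: Dict[str, Tuple[str, str]] = {}
    for entry in policy:
        if not entry.cmap.matcher(flow):
            continue
        for feature, action in entry.actions.items():
            applied.setdefault(feature, (entry.cmap.name, action))
    return applied

# Query 1 from the post, expressed in the model.
inspection_default = ClassMap("inspection_default",
                              lambda f: (f.proto, f.dport) in DEFAULT_INSPECTION_PORTS)
http_traffic = ClassMap("http_traffic", lambda f: f.proto == "tcp" and f.dport == 80)
outside_policy = [
    PolicyClass(inspection_default, {"inspect": "http http_map"}),
    PolicyClass(http_traffic, {"connection": "timeout tcp 0:10:0"}),
]

def query1_http_flow() -> Dict[str, Tuple[str, str]]:
    # A TCP/80 flow matches BOTH classes: inspection from the first,
    # connection timeout from the second, because they are different features.
    return apply_policy(outside_policy, Flow("tcp", 80))

def query2_im_flow() -> Dict[str, Tuple[str, str]]:
    # Assumed Yahoo Messenger port 5050: not in default-inspection-traffic,
    # so a policy built only on that class-map applies nothing to it.
    return apply_policy(outside_policy, Flow("tcp", 5050))
```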
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com