1. Refer to the following URL for MPF order of operations: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.html#wp1091561
2. Here are the default inspection policies for IM. Remember there is a lot that is not shown in the standard running configuration.

ASA/A1/act(config)# sh run all class-map
!
class-map type inspect http match-all _default_gator
 match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
 match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
 match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
 match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
 match request args regex _default_gnu-http-tunnel_arg
 match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
 match request header host regex _default_firethru-tunnel_1
 match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
 match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
 match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
 match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
 match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
 match any
class-map inspection_default
 match default-inspection-traffic
class-map BGP_Authentication
 match access-list BGP
class-map type inspect http match-all _default_GoToMyPC-tunnel
 match request args regex _default_GoToMyPC-tunnel
 match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
 match request header host regex _default_httport-tunnel
!
ASA/A1/act(config)#

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, April 12, 2010 4:11 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ASA MPF's queries

Hi all,

I have two queries with ASA's MPF.

Query 1

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0

In the above configuration, the class inspection_default is configured for HTTP inspection. All the HTTP traffic will match this rule. Below you can see "set connection" applied to class http_traffic, which matches port 80. Will this work? All the HTTP traffic will match class inspection_default, so how will HTTP traffic again match against class http_traffic?
Query 2

hostname(config)# class-map im_inspect_class_map
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# policy-map type inspect im im_policy_all
hostname(config-pmap)# class yahoo_file_block_list
hostname(config-pmap-c)# match service file-transfer
hostname(config-pmap)# class yahoo_im_policy
hostname(config-pmap-c)# drop-connection
hostname(config-pmap)# class yahoo_im_policy2
hostname(config-pmap-c)# reset
hostname(config)# policy-map global_policy_name
hostname(config-pmap)# class im_inspect_class_map
hostname(config-pmap-c)# inspect im im_policy_all

"match default-inspection-traffic": what does default-inspection-traffic match? Does it match any traffic, or only the ports that the ASA can inspect? If you check on the ASA, default-inspection-traffic does not have a port defined for IM.

asa/king(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                                ctiqbe----tcp--2748
                                dns-------udp--53
                                ftp-------tcp--21
                                gtp-------udp--2123,3386
                                h323-h225-tcp--1720
                                h323-ras--udp--1718-1719
                                http------tcp--80
                                icmp------icmp
                                ils-------tcp--389
                                mgcp------udp--2427,2727
                                netbios---udp--137-138
                                radius-acct---udp--1646
                                rpc-------udp--111
                                rsh-------tcp--514
                                rtsp------tcp--554
                                sip-------tcp--5060
                                sip-------udp--5060
                                skinny----tcp--2000
                                smtp------tcp--25
                                sqlnet----tcp--1521
                                tftp------udp--69
                                waas------tcp--1-65535
                                xdmcp-----udp--177

If it doesn't have a port for IM, how will it be inspected?

With regards,
Kings
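Editor's worked example for the two queries above. This is an added Python model, not Cisco code and not part of either message: it encodes the two MPF rules the linked order-of-operations page documents (a flow is matched to at most one class per feature type, and `match default-inspection-traffic` only applies each `inspect` to that protocol's default port), using the exact port table printed by `match ?` in the thread. The class names, feature types and the `evaluate` function are assumptions of the model; what a real ASA does for a given flow should be confirmed with `show service-policy` on the box.

```python
"""Toy model of how a Cisco ASA MPF policy-map assigns classes to a flow.

Added illustration (not Cisco code, not from the thread). Assumed rules:
  1. Per feature type (here "inspect" and "connection") a flow matches only
     the first class in the policy-map that configures that feature; later
     classes are still consulted for the other feature types.
  2. `match default-inspection-traffic` matches the port table from the
     `match ?` output in the thread, and an `inspect <proto>` under such a
     class is applied only to flows on <proto>'s default port(s).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (proto, low_port, high_port) per inspection, copied from the thread's
# `match ?` output. ICMP carries no port and is modelled as port 0.
DEFAULT_INSPECTION_PORTS: Dict[str, List[Tuple[str, int, int]]] = {
    "ctiqbe": [("tcp", 2748, 2748)], "dns": [("udp", 53, 53)],
    "ftp": [("tcp", 21, 21)], "gtp": [("udp", 2123, 2123), ("udp", 3386, 3386)],
    "h323-h225": [("tcp", 1720, 1720)], "h323-ras": [("udp", 1718, 1719)],
    "http": [("tcp", 80, 80)], "icmp": [("icmp", 0, 0)],
    "ils": [("tcp", 389, 389)], "mgcp": [("udp", 2427, 2427), ("udp", 2727, 2727)],
    "netbios": [("udp", 137, 138)], "radius-acct": [("udp", 1646, 1646)],
    "rpc": [("udp", 111, 111)], "rsh": [("tcp", 514, 514)],
    "rtsp": [("tcp", 554, 554)], "sip": [("tcp", 5060, 5060), ("udp", 5060, 5060)],
    "skinny": [("tcp", 2000, 2000)], "smtp": [("tcp", 25, 25)],
    "sqlnet": [("tcp", 1521, 1521)], "tftp": [("udp", 69, 69)],
    "waas": [("tcp", 1, 65535)], "xdmcp": [("udp", 177, 177)],
}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


def default_inspections_for(flow: Flow) -> List[str]:
    """Inspections whose default port the flow lands on (may be several)."""
    return sorted(
        name for name, ranges in DEFAULT_INSPECTION_PORTS.items()
        if any(p == flow.proto and lo <= flow.dport <= hi for p, lo, hi in ranges)
    )


@dataclass
class ClassMap:
    name: str
    match_port: Optional[Tuple[str, int]] = None   # `match port tcp eq 80`
    default_inspection: bool = False               # `match default-inspection-traffic`

    def matches(self, flow: Flow) -> bool:
        if self.match_port is not None and (flow.proto, flow.dport) == self.match_port:
            return True
        return bool(self.default_inspection and default_inspections_for(flow))


@dataclass
class PolicyClass:
    """One `class <name>` block inside a policy-map, with its actions."""
    cmap: ClassMap
    inspects: List[str] = field(default_factory=list)        # feature type "inspect"
    connection: Dict[str, str] = field(default_factory=dict)  # feature type "connection"


def evaluate(policy: List[PolicyClass], flow: Flow) -> Dict[str, tuple]:
    """Return, per feature type, the class that won the flow and what it applies."""
    result: Dict[str, tuple] = {}
    for entry in policy:
        if not entry.cmap.matches(flow):
            continue
        if "inspect" not in result and entry.inspects:
            if entry.cmap.default_inspection and entry.cmap.match_port is None:
                # Rule 2: only the inspection(s) owning this port are applied.
                applied = [i for i in entry.inspects if i in default_inspections_for(flow)]
            else:
                applied = list(entry.inspects)
            result["inspect"] = (entry.cmap.name, applied)
        if "connection" not in result and entry.connection:
            result["connection"] = (entry.cmap.name, dict(entry.connection))
    return result


# Query 1 from the thread: inspection_default inspects, http_traffic sets a timeout.
QUERY1_POLICY = [
    PolicyClass(ClassMap("inspection_default", default_inspection=True), inspects=["http", "sip"]),
    PolicyClass(ClassMap("http_traffic", match_port=("tcp", 80)), connection={"timeout tcp": "0:10:0"}),
]

# Query 2 from the thread: `inspect im` hung off default-inspection-traffic.
QUERY2_POLICY = [PolicyClass(ClassMap("im_inspect_class_map", default_inspection=True), inspects=["im"])]

if __name__ == "__main__":
    print(evaluate(QUERY1_POLICY, Flow("tcp", 80)))    # http inspected AND timeout applied
    print(evaluate(QUERY1_POLICY, Flow("tcp", 5060)))  # sip inspected, no connection setting
    print(evaluate(QUERY2_POLICY, Flow("tcp", 80)))    # class wins, but "im" has no default port
    print(evaluate(QUERY2_POLICY, Flow("udp", 5050)))  # not default-inspection-traffic at all
```

Under these rules a TCP/80 flow in Query 1 is claimed by inspection_default for the inspection feature and by http_traffic for the connection feature, so both the HTTP inspection and the 10-minute timeout apply. For Query 2 the model shows the gap Kings is pointing at: im_inspect_class_map matches any flow on a port in the table, but since "im" has no entry there, nothing in the table ever selects the IM engine. Whether a particular ASA release handles `inspect im` differently is not stated in the thread; `show service-policy` on the box is the check.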
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
