OK I was just more curious than anything. I think I have already answered
your questions in my previous email.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: http://www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
http://www.ipexpert.com/communities and our public website at
http://www.ipexpert.com/


From: Kingsley Charles [mailto:[email protected]]
Sent: Monday, April 12, 2010 9:16 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA MPF's queries

These are my questions :-)

Sample configs are from CCIE docs.

With regards

Kings

On Mon, Apr 12, 2010 at 6:41 PM, Tyson Scott <[email protected]> wrote:

Are these questions from Yusuf's labs? I can't think of where they
are in our workbooks.

Regards,


Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, April 12, 2010 4:11 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ASA MPF's queries

Hi all

I have two queries with ASA's MPF.

Query 1

hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:10:0


In the above configuration, the class inspection_default is configured
for HTTP inspection. All the HTTP traffic will match this rule.

Below it you can see "set connection" applied to class http_traffic, which
matches port 80. Will this work?

All the HTTP traffic will match class inspection_default, so how will HTTP
traffic match again against class http_traffic?

Query 2


hostname(config)# class-map im_inspect_class_map
hostname(config-cmap)# match default-inspection-traffic

hostname(config)# policy-map type inspect im im_policy_all
hostname(config-pmap)# class yahoo_file_block_list
hostname(config-pmap-c)# match service file-transfer
hostname(config-pmap)# class yahoo_im_policy
hostname(config-pmap-c)# drop-connection
hostname(config-pmap)# class yahoo_im_policy2
hostname(config-pmap-c)# reset
hostname(config)# policy-map global_policy_name
hostname(config-pmap)# class im_inspect_class_map
hostname(config-pmap-c)# inspect im im_policy_all

What does "match default-inspection-traffic" match? Does it match any
traffic, or only the ports that the ASA can inspect?

If you check on the ASA, the default-inspection-traffic does not have a port
defined for IM.
asa/king(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp
                              ils-------tcp--389       mgcp------udp--2427,2727
                              netbios---udp--137-138   radius-acct---udp--1646
                              rpc-------udp--111       rsh-------tcp--514
                              rtsp------tcp--554       sip-------tcp--5060
                              sip-------udp--5060      skinny----tcp--2000
                              smtp------tcp--25        sqlnet----tcp--1521
                              tftp------udp--69        waas------tcp--1-65535
                              xdmcp-----udp--177
If it doesn't have a port for IM, how will it be inspected?

With regards

Kings
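To make the feature-matching rule behind Query 1 concrete, here is an added Python model (not code from the thread, nor Cisco's implementation) of the rule Cisco documents for policy maps: per feature type, the first matching class wins, while different feature types may come from different classes. It assumes a flow is just a protocol and destination port, models only the "inspect" and "connection" feature types, and takes the default-inspection-traffic port list from the "match ?" output quoted in the message.

```python
# Added example, not code from the thread or from Cisco: a small model of how an
# ASA policy map picks actions for one flow. Rule modelled: each feature type
# ("inspect", "connection") comes from the first class the flow matches for that
# feature, but different feature types may come from different classes; with
# default-inspection-traffic an engine only runs on its own default port.
DEFAULT_INSPECTION = [  # (engine, proto, low, high), transcribed from "match ?" above
    ("ctiqbe", "tcp", 2748, 2748), ("dns", "udp", 53, 53), ("ftp", "tcp", 21, 21),
    ("gtp", "udp", 2123, 2123), ("gtp", "udp", 3386, 3386), ("icmp", "icmp", 0, 0),
    ("h323-h225", "tcp", 1720, 1720), ("h323-ras", "udp", 1718, 1719),
    ("http", "tcp", 80, 80), ("ils", "tcp", 389, 389), ("rpc", "udp", 111, 111),
    ("mgcp", "udp", 2427, 2427), ("mgcp", "udp", 2727, 2727), ("rsh", "tcp", 514, 514),
    ("netbios", "udp", 137, 138), ("radius-acct", "udp", 1646, 1646),
    ("rtsp", "tcp", 554, 554), ("sip", "tcp", 5060, 5060), ("sip", "udp", 5060, 5060),
    ("skinny", "tcp", 2000, 2000), ("smtp", "tcp", 25, 25), ("sqlnet", "tcp", 1521, 1521),
    ("tftp", "udp", 69, 69), ("waas", "tcp", 1, 65535), ("xdmcp", "udp", 177, 177),
]
CLASS_MAPS = {  # class-maps from Query 1 of the message
    "inspection_default": ("default-inspection-traffic", None),
    "http_traffic": ("port", ("tcp", 80)),  # match port tcp eq 80
}
OUTSIDE_POLICY = [  # policy-map outside_policy from Query 1: (class, feature, action)
    ("inspection_default", "inspect", "http http_map"),
    ("inspection_default", "inspect", "sip"),
    ("http_traffic", "connection", "timeout tcp 0:10:0"),
]

def in_default_table(flow, engine=None):
    # True if the flow hits a default-inspection entry (optionally one engine's)
    return any(p == flow["proto"] and lo <= flow["dport"] <= hi
               for n, p, lo, hi in DEFAULT_INSPECTION if engine in (None, n))

def class_matches(cls, flow):
    kind, arg = CLASS_MAPS[cls]
    if kind == "port":
        return (flow["proto"], flow["dport"]) == arg
    return in_default_table(flow)

def evaluate(policy, flow):
    chosen = {}  # feature -> (class that claimed it, [actions])
    for cls, feature, action in policy:
        if not class_matches(cls, flow):
            continue
        if feature in chosen and chosen[feature][0] != cls:
            continue  # feature type already claimed by an earlier class
        if (feature == "inspect" and CLASS_MAPS[cls][0] == "default-inspection-traffic"
                and not in_default_table(flow, action.split()[0])):
            continue  # engine limited to its own default port
        chosen.setdefault(feature, (cls, []))[1].append(action)
    return chosen

print(evaluate(OUTSIDE_POLICY, {"proto": "tcp", "dport": 80}))  # constructed sample flow
```

Under this model a TCP/80 flow takes its inspection from inspection_default and its connection timeout from http_traffic in the same pass.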

 

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
