Pptp Inspection; Smtp And Extended Smtp Inspection - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 13
Inspection of Basic Internet Protocols
hostname(config-class)# inspect netbios netbios-map
Note
Step 5
If you are editing an existing service policy (such as the default global policy called global_policy), you
are done. Otherwise, activate the policy map on one or more interfaces.
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy global_policy global
The global keyword applies the policy map to all interfaces, and interface applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
PPTP Inspection
PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and
usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and
managing the PPTP GRE tunnels. The GRE tunnels carry PPP sessions between the two hosts.
When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the
GRE connections and xlates necessary to permit PPTP traffic.
Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response
sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP
control channel is disabled if the version announced by either side is not Version 1. In addition, the
outgoing-call request and reply sequence are tracked. Connections and xlates are dynamically allocated
as necessary to permit subsequent secondary GRE data traffic.
The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT
is only performed for a modified version of GRE (RFC2637) and only if it is negotiated over the PPTP
TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and
RFC 1702).
For information on enabling PPTP inspection, see
page
SMTP and Extended SMTP Inspection
ESMTP inspection detects attacks, including spam, phising, malformed message attacks, buffer
overflow/underflow attacks. It also provides support for application security and protocol conformance,
which enforce the sanity of the ESMTP messages as well as detect several attacks, block
senders/receivers, and block mail relay.
The following sections describe the ESMTP inspection engine.
•
If you are editing the default global policy (or any in-use policy) to use a different NetBIOS
inspection policy map, you must remove the NetBIOS inspection with the no inspect skinny
command, and then re-add it with the new NetBIOS inspection policy map name.
12-9.
SMTP and ESMTP Inspection Overview, page 13-40
Configure Application Layer Protocol Inspection,
Cisco ASA Series Firewall CLI Configuration Guide
PPTP Inspection
13-39
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
