Cisco FirePOWER ASA 5500 series Configuration Manual page 424
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Configuring Application Inspection
match access-list inspect
!
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies
the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
(Optional) Some inspection engines let you control additional parameters when you apply the inspection
Step 2
to the traffic. See the following sections to configure an inspection policy map for your application:
DCERPC—See the
•
Control" section on page 25-12
DNS—See the
•
section on page 25-20
ESMTP—See the
•
Control" section on page 25-24
FTP—See the
•
section on page
GTP—See the
•
section on page
H323—See the
•
section on page 25-38
HTTP—See the
•
section on page
Instant Messaging—See the
•
Additional Inspection Control" section on page 25-48
MGCP—See the
•
section on page
NetBIOS—See the
•
Control" section on page 25-57
RADIUS Accounting—See the
•
Inspection Control" section on page 25-59
SIP—See the
•
on page 25-63
Skinny—See the
•
Control" section on page 25-69
SNMP—See the
•
To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the
Step 3
following command:
hostname(config)# policy-map name
hostname(config-pmap)#
The default policy map is called "global_policy." This policy map includes the default inspections listed
in the
example, to add or delete an inspection, or to identify an additional class map for your actions), then
enter global_policy as the name.
Cisco Security Appliance Command Line Configuration Guide
25-6
"Configuring a DCERPC Inspection Policy Map for Additional Inspection
"Configuring a DNS Inspection Policy Map for Additional Inspection Control"
"Configuring an ESMTP Inspection Policy Map for Additional Inspection
"Configuring an FTP Inspection Policy Map for Additional Inspection Control"
25-27.
"Configuring a GTP Inspection Policy Map for Additional Inspection Control"
25-32.
"Configuring an H.323 Inspection Policy Map for Additional Inspection Control"
"Configuring an HTTP Inspection Policy Map for Additional Inspection Control"
25-44.
"Configuring an MGCP Inspection Policy Map for Additional Inspection Control"
25-54.
"Configuring a NetBIOS Inspection Policy Map for Additional Inspection
"Configuring a SIP Inspection Policy Map for Additional Inspection Control" section
"Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection
"SNMP Inspection" section on page
"Default Inspection Policy" section on page
Chapter 25
"Configuring an Instant Messaging Inspection Policy Map for
"Configuring a RADIUS Inspection Policy Map for Additional
25-72.
25-3. If you want to modify the default policy (for
Configuring Application Layer Protocol Inspection
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
