Cisco ASA Series CLI Configuration Manual page 1101

Software version 9.0 for the services module

Cisco ASA Series CLI Configuration Guide, page 1-7
Chapter 1
Getting Started with Application Layer Protocol Inspection
Configuring Application Layer Protocol Inspection

This feature uses Modular Policy Framework to create a service policy. Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. See Chapter 1, "Configuring a Service Policy Using the Modular Policy Framework," for more information. For some applications, you can perform special actions when you enable inspection. See Chapter 1, "Configuring a Service Policy Using the Modular Policy Framework," for more information.

Inspection is enabled by default for some applications. See the "Default Settings" section for more information. Use this section to modify your inspection policy.

Detailed Steps

Step 1
To identify the traffic to which you want to apply inspections, add either a Layer 3/4 class map for through traffic or a Layer 3/4 class map for management traffic. See the "Creating a Layer 3/4 Class Map for Through Traffic" section on page 1-12 and "Creating a Layer 3/4 Class Map for Management Traffic" section on page 1-15 for detailed information. The management Layer 3/4 class map can be used only with the RADIUS accounting inspection.

The default Layer 3/4 class map for through traffic is called "inspection_default." It matches traffic using a special match command, match default-inspection-traffic, to match the default ports for each application protocol. This traffic class (along with match any, which is not typically used for inspection) matches both IPv4 and IPv6 traffic for inspections that support IPv6. See the "Guidelines and Limitations" section on page 1-3 for a list of IPv6-enabled inspections.

You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.

Tip
We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted.

If you want to match non-standard ports, then create a new class map for the non-standard ports. See the "Default Settings" section on page 1-4 for the standard ports for each inspection engine. You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add another class that matches SNMP.

For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands:
hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect

View the entire class map using the following command:
hostname(config-cmap)# show running-config class-map inspection_default
!
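
A small audit for the class-map pitfalls described in this section, as an added example that is not part of the Cisco guide: it parses a running-config and flags a class map that combines match default-inspection-traffic with an access list containing port operators (those ports are ignored), and a class map that uses match any. The sample configuration and the names web, web_class and everything are constructed for illustration; only the eq, lt, gt, neq and range port operators are checked, not service object groups.

```python
# Constructed sample config; "web", "web_class", "everything" are hypothetical names.
SAMPLE_CONFIG = """\
access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list web remark HTTP on a non-standard port
access-list web extended permit tcp any any eq 8080
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
class-map web_class
 match default-inspection-traffic
 match access-list web
class-map everything
 match any
"""
PORT_OPERATORS = {"eq", "lt", "gt", "neq", "range"}  # ACE port keywords

def parse(config):
    """Return ({acl: [ACE token lists]}, {class map: [match arguments]})."""
    acls, class_maps, current = {}, {}, None
    for line in config.splitlines():
        tokens = line.split()
        if line.startswith("access-list ") and len(tokens) > 2 and tokens[2] != "remark":
            acls.setdefault(tokens[1], []).append(tokens[2:])
        if not line.startswith(" "):
            # A top-level line ends any class map; a class-map line starts a new one
            current = tokens[-1] if line.startswith("class-map ") else None
            if current:
                class_maps[current] = []
        elif current and tokens[:1] == ["match"]:
            class_maps[current].append(" ".join(tokens[1:]))
    return acls, class_maps

def audit(config):
    """Return (class map, finding code) pairs for risky match statements."""
    acls, class_maps = parse(config)
    findings = []
    for name, matches in class_maps.items():
        if "any" in matches:  # inspects all traffic; performance can be impacted
            findings.append((name, "MATCH_ANY_PERFORMANCE"))
        if "default-inspection-traffic" not in matches:
            continue
        for match in matches:
            acl = match.split()[1] if match.startswith("access-list ") else None
            if acl and any(PORT_OPERATORS & set(ace) for ace in acls.get(acl, [])):
                findings.append((name, "ACL_PORTS_IGNORED:" + acl))
    return findings

if __name__ == "__main__":
    for class_map, code in audit(SAMPLE_CONFIG):
        print(class_map, code)
```

An ACL_PORTS_IGNORED finding means the access list narrows the class by IP address only, so traffic on the listed non-standard port is not inspected unless a separate class map matches that port.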
