Cisco ASA Series CLI Configuration Manual page 1121

Software version 9.0 for the services module

Chapter 1
Configuring Inspection of Basic Internet Protocols
Before submitting a username and password, all FTP users are presented with a greeting banner. By
default, this banner includes version information useful to hackers trying to identify weaknesses in a
system. The following example shows how to mask this banner:
hostname(config)# policy-map type inspect ftp mymap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# mask-banner
hostname(config)# class-map match-all ftp-traffic
hostname(config-cmap)# match port tcp eq ftp
hostname(config)# policy-map ftp-policy
hostname(config-pmap)# class ftp-traffic
hostname(config-pmap-c)# inspect ftp strict mymap
hostname(config)# service-policy ftp-policy interface inside
Verifying and Monitoring FTP Inspection
FTP application inspection generates the following log messages:
• An Audit record 303002 is generated for each file that is retrieved or uploaded.
• The FTP command is checked to see if it is RETR or STOR and the retrieve and store commands are logged.
• The username is obtained by looking up a table providing the IP address.
• The username, source IP address, destination IP address, NAT address, and the file operation are logged.
• Audit record 201005 is generated if the secondary dynamic channel preparation failed due to memory shortage.
In conjunction with NAT, the FTP application inspection translates the IP address within the application
payload. This is described in detail in RFC 959.
HTTP Inspection
This section describes the HTTP inspection engine. This section includes the following topics:
• HTTP Inspection Overview, page 1-15
• Configuring an HTTP Inspection Policy Map for Additional Inspection Control, page 1-16
HTTP Inspection Overview
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated
with HTTP traffic. HTTP inspection performs several functions:
• Enhanced HTTP inspection
• URL screening through N2H2 or Websense
  See Information About URL Filtering, page 1-6 for information.
• Java and ActiveX filtering
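The 303002 audit records described under Verifying and Monitoring FTP Inspection can be summarized per user and source address once they reach a syslog collector. The following is an added example, not part of the Cisco guide: the message layout in the regular expression is an assumption to check against your device's actual output, and the sample log lines, host name, user names and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of syslog 303002 (verify against your own ASA output):
# %ASA-6-303002: FTP connection from <ifc>:<ip>/<port> to <ifc>:<ip>/<port>,
#                user <name> <Stored|Retrieved> file <filename>
RECORD = re.compile(
    r"%ASA-\d-303002: FTP connection from "
    r"(?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+), "
    r"user (?P<user>\S+) (?P<action>Stored|Retrieved) file (?P<file>.+)$"
)

# Constructed sample lines (documentation address ranges, invented users).
SAMPLE_LOG = """\
Jan 10 09:14:02 asa1 %ASA-6-303002: FTP connection from inside:10.1.1.15/49211 to outside:192.0.2.10/21, user alice Retrieved file report.pdf
Jan 10 09:14:40 asa1 %ASA-6-303002: FTP connection from inside:10.1.1.15/49211 to outside:192.0.2.10/21, user alice Stored file db dump.sql
Jan 10 09:15:03 asa1 constructed unrelated line that must be ignored
Jan 10 09:16:11 asa1 %ASA-6-303002: FTP connection from inside:10.1.1.22/50122 to outside:192.0.2.10/21, user anonymous Stored file notes.txt
Jan 10 09:17:00 asa1 %ASA-6-303002: FTP connection truncated
"""

def parse_record(line):
    """Return the fields of one 303002 record, or None if the line is not one."""
    m = RECORD.search(line.rstrip())
    return m.groupdict() if m else None

def summarize(lines):
    """Group transfers by (user, source IP); keep 303002 lines that fail to parse."""
    transfers = defaultdict(lambda: {"Stored": [], "Retrieved": []})
    unparsed = []
    for line in lines:
        if "-303002:" not in line:
            continue  # not an FTP audit record
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)  # format drift or truncation: do not drop silently
            continue
        transfers[(rec["user"], rec["src_ip"])][rec["action"]].append(rec["file"])
    return dict(transfers), unparsed

if __name__ == "__main__":
    transfers, unparsed = summarize(SAMPLE_LOG.splitlines())
    for (user, src), ops in sorted(transfers.items()):
        print(f"{user}@{src}: stored={ops['Stored']} retrieved={ops['Retrieved']}")
    print(f"{len(unparsed)} record(s) did not match the assumed format")
```

Records that carry the 303002 ID but do not match are returned separately so that a change in message format shows up as a count rather than as missing transfers.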
Cisco ASA Series CLI Configuration Guide
HTTP Inspection
1-15
