Cisco 7604 Configuration Guide - Page 423
Chapter 22 Applying Application Layer Protocol Inspection
Configuring Application Inspection

See Chapter 20, "Using Modular Policy Framework," for more information about Modular Policy Framework.

Inspection is enabled by default for some applications. See the "Default Inspection Policy" section on page 22-4 for more information. Use this section to modify your inspection policy.

To configure application inspection, perform the following steps:

Step 1 To identify the traffic to which you want to apply inspections, add a Layer 3/4 class map. See the "Identifying Traffic (Layer 3/4 Class Map)" section on page 20-4 for detailed information.

The default Layer 3/4 class map for through traffic is called "inspection_default." It matches traffic using a special match command, match default-inspection-traffic, to match the default ports for each application protocol. You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic to specific IP addresses. Because the match default-inspection-traffic command specifies the ports to match, any ports in the access list are ignored.

If you want to match non-standard ports, then you need to create a new class map for the non-standard ports. See the "Default Inspection Policy" section on page 22-4 for the standard ports for each inspection engine.

You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class. To enable SNMP inspection, enable SNMP inspection for the default class in Step 5. Do not add another class that matches SNMP.

For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter the following commands:

    hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    hostname(config)# class-map inspection_default
    hostname(config-cmap)# match access-list inspect

View the entire class map using the following command:

    hostname(config-cmap)# show running-config class-map inspection_default
    !
    class-map inspection_default
     match default-inspection-traffic
     match access-list inspect
    !

To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies the ports, and assign it to a new class map:

    hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
    hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
    hostname(config)# class-map new_inspection
    hostname(config-cmap)# match access-list ftp_inspect

Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. See the following sections to configure either an inspection policy map or an application map for your application. Both inspection policy maps and application maps let you customize the inspection engine. Inspection policy maps use Modular Policy Framework commands like policy-map type inspect, and others. Application maps use commands in the form protocol-map.

• DCERPC: See the "Configuring a DCERPC Inspection Policy Map for Additional Inspection Control" section on page 22-17.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 22-7
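The constraint in Step 1 (ports in an access list are silently ignored when the same class map also uses match default-inspection-traffic, so non-standard ports need their own class map) is easy to miss in a large running configuration. The following Python script is an added example, not code from the Cisco guide: it reads running-config text and flags any Layer 3/4 class map in which access-list port operands would be ignored. The configuration text embedded in it is constructed from the commands on this page plus a deliberately misconfigured class map named bad_class; the parser understands only the command forms shown here (eq port operands, single-token class-map names) and is not a general FWSM config parser.

```python
"""Flag FWSM/ASA class maps whose access-list ports are ignored.

Rule (from the guide): if a class map contains 'match default-inspection-traffic',
the ports of any 'match access-list' in that class map are ignored; only the
addresses narrow the match. Non-standard ports belong in a separate class map.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the commands from this page, plus 'bad_class', which
# combines default-inspection-traffic with a port-bearing ACL (the pitfall).
SAMPLE_CONFIG = """\
access-list inspect extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
!
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
!
class-map bad_class
 match default-inspection-traffic
 match access-list ftp_inspect
!
class-map new_inspection
 match access-list ftp_inspect
!
"""


def parse_access_lists(config: str) -> Dict[str, List[str]]:
    """Group ACEs by access-list name: 'access-list NAME <rest of ACE>'."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\S+)\s+(.*)$", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def parse_class_maps(config: str) -> Dict[str, List[str]]:
    """Collect the indented 'match' lines under each Layer 3/4 'class-map NAME'."""
    cmaps: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^class-map\s+(\S+)\s*$", line)   # 'class-map type inspect ...' is skipped
        if m:
            current = m.group(1)
            cmaps[current] = []
        elif current is not None and line.startswith(" match "):
            cmaps[current].append(line.strip())
        elif not line.startswith(" "):
            current = None   # '!' or any other top-level line ends the block
    return cmaps


def acl_ports(aces: List[str]) -> Set[str]:
    """Port operands written with 'eq' in the ACEs (the only form handled here)."""
    ports: Set[str] = set()
    for ace in aces:
        for m in re.finditer(r"\beq\s+(\S+)", ace):
            ports.add(m.group(1))
    return ports


def lint(config: str) -> List[str]:
    """Return one finding per class map where ACL ports would be ignored."""
    acls = parse_access_lists(config)
    findings: List[str] = []
    for name, matches in parse_class_maps(config).items():
        uses_default = "match default-inspection-traffic" in matches
        for line in matches:
            m = re.match(r"match access-list (\S+)$", line)
            if not m:
                continue
            acl = m.group(1)
            if acl not in acls:
                findings.append(f"class-map {name}: access-list {acl} is not defined")
                continue
            ports = acl_ports(acls[acl])
            if uses_default and ports:
                findings.append(
                    f"class-map {name}: ports {sorted(ports)} in access-list {acl} "
                    "are ignored because match default-inspection-traffic sets the "
                    "ports; put non-standard ports in a separate class map"
                )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports only bad_class: inspection_default pairs the default ports with an address-only ACL, which is the supported way to narrow the match, and new_inspection carries its ports without match default-inspection-traffic, as Step 1 recommends.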