MPF confusion

Answered Question
Oct 28th, 2009

I have so many questions about MPF inspect maps I don't know where to start. I'm going to ask a simple question that will probably induce 100 more.

Let's start with policy-maps and class-maps. Everywhere I have read says class-maps define traffic and policy-maps do something with it. So, I understand that with 'class-map type inspect' the packet will be "inspected" at L7 for characteristics of that particular protocol.

I.E.

class-map type inspect http match-any test-inspect-http-cmap
 match request method get
 match request method post

This would match any packets that have GET or POST in the L7 data per the HTTP standard.

Where I'm confused is what exactly 'policy-map type inspect http test-inspect-http-pmap' does. I'm guessing it would "inspect" L7. But what is it inspecting it for? That's the job of the class-map. Or is it? I see the option to "match" when I'm in the policy-map configuration and I can do things like:

policy-map type inspect http test-inspect-http-pmap
 match request method get
 match request method post

So, would the following two configurations accomplish the same thing?

1.

policy-map type inspect http test-inspect-http-pmap
 parameters
  protocol-violation action drop-connection log
 match request method get
 match request method post

2.

class-map type inspect http match-any test-inspect-http-cmap
 match request method get
 match request method post
!
!
policy-map type inspect http test-inspect-http-pmap
 parameters
 class test-inspect-http-cmap
  drop-connection log

TIA.
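To make the relationship between the two layers concrete, here is a complete ASA configuration (an added example, not posted by anyone in this thread) that wires the poster's HTTP inspect policy-map into a Layer 3/4 policy. It uses the thread's own names (test-inspect-http-cmap, test-inspect-http-pmap, inspection_default, global_policy); the two alternative forms of the Layer 7 policy are shown side by side, with the second one commented out so the configuration is consistent.

```cisco
! --- Layer 7 (application) inspection policy ---
! Decides what to look for inside HTTP and what to do when it is seen.
!
! Form A: the matches live in a reusable class-map; the action is attached
! to the class inside the policy-map.
class-map type inspect http match-any test-inspect-http-cmap
 match request method get
 match request method post
!
policy-map type inspect http test-inspect-http-pmap
 parameters
  protocol-violation action drop-connection log
 class test-inspect-http-cmap
  drop-connection log
!
! Form B (the equivalent inline form; do not configure both): each match
! entered directly under the policy-map carries its own action.
! policy-map type inspect http test-inspect-http-pmap
!  parameters
!   protocol-violation action drop-connection log
!  match request method get
!   drop-connection log
!  match request method post
!   drop-connection log
!
! --- Layer 3/4 policy ---
! Selects which flows are handed to which inspection engine. The built-in
! inspection_default class matches the default port of each protocol
! (TCP/80 for HTTP); the Layer 7 policy-map is referenced by name here.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http test-inspect-http-pmap
!
! Neither policy-map has any effect until it is applied with service-policy.
service-policy global_policy global
```

Two points worth checking on a real box: `show service-policy inspect http` confirms that the Layer 7 policy is attached and shows per-class hit counters, and `show running-config policy-map type inspect http` shows how the ASA itself stores the inline form. Note also that with `drop-connection` applied to GET and POST this policy blocks essentially all normal web browsing; that is fine for verifying the syntax in a lab, but a production policy would match on something far narrower than the two most common request methods.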

Correct Answer by Panos Kampanakis, Fri, 10/30/2009 - 13:59

- So, it looks like the only significance of a class-map is to keep things in the modular structure that Cisco is working towards. Otherwise, I can do everything I need to do without class-maps in the way of inspection. Is that the case?

You can do everything that the syntax allows you to do, correct.

- It kind of solidifies what I'm saying by looking at esmtp. There isn't even an inspect class-map for esmtp but there is an inspect policy-map?!? Furthermore, in the policy-map I can "match" based on protocol specifics. Why isn't there an inspect class-map for esmtp? It doesn't make much sense to me for all the documentation to say "class-maps define the traffic and policy-maps do something with the defined traffic" and in the case of esmtp not even have a class-map to define the traffic but be able to define the traffic in the policy-map.

ESMTP inspection is protocol inspection and proxying for ESMTP. It is not L7 matching on protocol fields and taking actions. If you look up what esmtp inspection does it will be more clear: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1478782

- From this I see the class-map "inspection_default" looks at L3/L4 headers to identify the traffic for ftp. Then it's applied to a policy-map. But I don't see anywhere that tells me what the action is that's applied to the ftp traffic in the policy-map. Where is the documentation for that?

The L3/4 inspections are protocol specific. They are not like L7, where you can match on specific things. For example, ftp inspection opens up pinholes for the return traffic in the case of active ftp. You can look here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1383691 and here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1234738

I hope it makes sense.

PK

Panos Kampanakis Thu, 10/29/2009 - 09:59

You are very close. 1 will achieve the same as 2 if it is like

policy-map type inspect http test-inspect-http-pmap
 parameters
 match request method get
 match request method post
  drop-connection log

More or less it is like you define the class-map in the policy-map on the fly.

I hope it helps.

PK

snickered Thu, 10/29/2009 - 16:19

I didn't know you could do that. I think what you meant to say was:

policy-map type inspect http test-inspect-http-pmap
 parameters
 match request method get
  drop-connection log
 match request method post
  drop-connection log

So, it looks like the only significance of a class-map is to keep things in the modular structure that Cisco is working towards. Otherwise, I can do everything I need to do without class-maps in the way of inspection. Is that the case?

It kind of solidifies what I'm saying by looking at esmtp. There isn't even an inspect class-map for esmtp but there is an inspect policy-map?!? Furthermore, in the policy-map I can "match" based on protocol specifics. Why isn't there an inspect class-map for esmtp? It doesn't make much sense to me for all the documentation to say "class-maps define the traffic and policy-maps do something with the defined traffic" and in the case of esmtp not even have a class-map to define the traffic but be able to define the traffic in the policy-map.

This leads me to another question. What action do the default inspects do?

I.E.

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp

From this I see the class-map "inspection_default" looks at L3/L4 headers to identify the traffic for ftp. Then it's applied to a policy-map. But I don't see anywhere that tells me what the action is that's applied to the ftp traffic in the policy-map. Where is the documentation for that?


snickered Fri, 10/30/2009 - 15:21

Thanks for your reply. It is starting to make sense now. I was stuck on class-maps identifying traffic and policy-maps applying an action.
