10-28-2009 07:59 PM - edited 03-11-2019 09:33 AM
I have so many questions about MPF inspect maps I don't know where to start. I'm going to ask a simple question that will probably induce 100 more.
Let's start with policy-maps and class-maps. Everything I have read says class-maps define traffic and policy-maps do something with it. So, I understand that with 'class-map type inspect' the packet will be "inspected" at L7 for characteristics of that particular protocol.
I.E.
class-map type inspect http match-any test-inspect-http-cmap
 match request method get
 match request method post
This would match any packets that have GET or POST in the L7 data per the HTTP standard.
Where I'm confused is what exactly 'policy-map type inspect http test-inspect-http-pmap' does. I'm guessing it would "inspect" L7. But what is it inspecting it for? That's the job of the class-map. Or is it? I see the option to "match" when I'm in the policy-map configuration and I can do things like:
policy-map type inspect http test-inspect-http-pmap
 match request method get
 match request method post
So, would the following two configurations accomplish the same thing?
1.
policy-map type inspect http test-inspect-http-pmap
 parameters
  protocol-violation action drop-connection log
 match request method get
 match request method post
2.
class-map type inspect http match-any test-inspect-http-cmap
 match request method get
 match request method post
!
!
policy-map type inspect http test-inspect-http-pmap
 parameters
 class test-inspect-http-cmap
  drop-connection log
TIA.
10-29-2009 09:59 AM
You are very close. 1 will achieve the same with 2 if it is like
policy-map type inspect http test-inspect-http-pmap
 parameters
 match request method get
 match request method post
  drop-connection log
More or less it is like you define the class-map in the policy-map on the fly.
I hope it helps.
PK
10-29-2009 04:19 PM
I didn't know you could do that. I think what you meant to say was:
policy-map type inspect http test-inspect-http-pmap
 parameters
 match request method get
  drop-connection log
 match request method post
  drop-connection log
So, it looks like the only significance of a class-map is to keep things in the modular structure that Cisco is working towards. Otherwise, I can do everything I need to do without class-maps in the way of inspection. Is that the case?
It kind of solidifies what I'm saying by looking at esmtp. There isn't even an inspect class-map for esmtp but there is an inspect policy-map?!? Furthermore, in the policy-map I can "match" based on protocol specifics. Why isn't there an inspect class-map for esmtp? It doesn't make much sense to me for all the documentation to say "class-maps define the traffic and policy-maps do something with the defined traffic" and in the case of esmtp not even have a class-map to define the traffic but be able to define the traffic in the policy-map.
This leads me to another question. What action do the default inspects do?
I.E.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
From this I see the class-map "inspection_default" looks at L3/L4 headers to identify the traffic for ftp. Then it's applied to a policy-map. But I don't see anywhere that tells me what the action is that's applied to the ftp traffic in the policy-map. Where is the documentation for that?
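The equivalence discussed in the two posts above (matches declared inline in the policy-map with an action under each, versus the same matches collected in a class-map and given one action) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses both forms of a 'policy-map type inspect http' into the same canonical set of (match, action) rules, and flags match lines that have nothing beneath them, which is what the first attempt in the thread looked like. The config text is constructed here to mirror the thread's snippets, and the parser understands only the handful of MPF keywords the thread uses; it is not a general ASA configuration parser.

```python
"""
Added example (not from the thread or from Cisco): reduce two ASA-style
'policy-map type inspect http' configurations to a canonical rule set so the
inline-match form and the class-map form can be compared.  All config text
is constructed for the example; only the thread's MPF keywords are handled.
"""
import re

# Form A: each match declared inline with its own action (per-match syntax).
CONFIG_INLINE = """\
policy-map type inspect http test-inspect-http-pmap
 parameters
  protocol-violation action drop-connection log
 match request method get
  drop-connection log
 match request method post
  drop-connection log
"""

# Form B: the same matches gathered in a match-any class-map, referenced once.
CONFIG_CLASSMAP = """\
class-map type inspect http match-any test-inspect-http-cmap
 match request method get
 match request method post
!
policy-map type inspect http test-inspect-http-pmap
 parameters
  protocol-violation action drop-connection log
 class test-inspect-http-cmap
  drop-connection log
"""

# The first attempt from the thread: match lines with no action beneath them.
CONFIG_NO_ACTION = """\
policy-map type inspect http test-inspect-http-pmap
 parameters
  protocol-violation action drop-connection log
 match request method get
 match request method post
"""


def parse_tree(text):
    """Turn indentation-based config text into nested (command, children) nodes."""
    root = []
    stack = [(-1, root)]  # (indent depth, children list of the open block)
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank lines and '!' separators carry no structure
        depth = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack[-1][0] >= depth:
            stack.pop()  # close blocks that are not parents of this line
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def class_map_criteria(tree):
    """Map each 'class-map type inspect http' name to its match criteria.
    match-any gives one criterion per match line; match-all is kept as a single
    conjunctive criterion, since one action on a match-all class is a different
    policy from separate actions on individual matches."""
    maps = {}
    for cmd, children in tree:
        m = re.match(r"class-map type inspect http (match-any|match-all) (\S+)$", cmd)
        if not m:
            continue
        matches = [c[len("match "):] for c, _ in children if c.startswith("match ")]
        maps[m.group(2)] = [" AND ".join(matches)] if m.group(1) == "match-all" else matches
    return maps


def normalize(text):
    """Return {'rules': {(criterion, action)}, 'parameters': {line}, 'unactioned': (criteria,)}."""
    tree = parse_tree(text)
    class_maps = class_map_criteria(tree)
    rules, params, unactioned = set(), set(), []
    for cmd, children in tree:
        if not cmd.startswith("policy-map type inspect http "):
            continue
        for sub, subchildren in children:
            action = subchildren[0][0] if subchildren else None
            if sub == "parameters":
                params.update(c for c, _ in subchildren)
                continue
            if sub.startswith("match "):
                criteria = [sub[len("match "):]]
            elif sub.startswith("class "):
                criteria = class_maps.get(sub.split()[1], [])
            else:
                continue
            for crit in criteria:
                if action is None:
                    unactioned.append(crit)  # a match with nothing to do
                else:
                    rules.add((crit, action))
    return {"rules": frozenset(rules), "parameters": frozenset(params),
            "unactioned": tuple(unactioned)}


def equivalent(cfg_a, cfg_b):
    """True when both configs yield the same rules and parameters with no dangling matches."""
    a, b = normalize(cfg_a), normalize(cfg_b)
    return (a["rules"] == b["rules"] and a["parameters"] == b["parameters"]
            and not a["unactioned"] and not b["unactioned"])
```

Calling equivalent(CONFIG_INLINE, CONFIG_CLASSMAP) returns True, while the no-action form is reported as not equivalent with both criteria listed under 'unactioned'. One caveat the script makes visible: a match-all class-map with a single action reduces to one conjunctive rule, so it is not interchangeable with separate inline matches. Whichever form is used, the L7 policy-map only takes effect once a L3/4 policy-map references it with 'inspect http test-inspect-http-pmap' under a class and that policy-map is applied with service-policy.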
10-30-2009 01:59 PM
- So, it looks like the only significance of a class-map is to keep things in the modular structure that Cisco is working towards. Otherwise, I can do everything I need to do without class-maps in the way of inspection. Is that the case?
You can do everything that the syntax allows you to do, correct.
- It kind of solidifies what I'm saying by looking at esmtp. There isn't even an inspect class-map for esmtp but there is an inspect policy-map?!? Furthermore, in the policy-map I can "match" based on protocol specifics. Why isn't there an inspect class-map for esmtp? It doesn't make much sense to me for all the documentation to say "class-maps define the traffic and policy-maps do something with the defined traffic" and in the case of esmtp not even have a class-map to define the traffic but be able to define the traffic in the policy-map.
ESMTP inspection is protocol inspection and proxying for ESMTP. It is not L7 matching on protocol fields and taking actions. If you look up what esmtp inspection does it will be more clear: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1478782
- From this I see the class-map "inspection_default" looks at L3/L4 headers to identify the traffic for ftp. Then it's applied to a policy-map. But I don't see anywhere that tells me what the action is that's applied to the ftp traffic in the policy-map. Where is the documentation for that?
The L3/4 inspections are protocol specific. They are not like L7, where you can match on specific things. For example, ftp inspection opens up pinholes for the return traffic in the case of active ftp. You can look here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1383691 and here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1234738
I hope it makes sense.
PK
10-30-2009 03:21 PM
Thanks for your reply. It is starting to make sense now. I was stuck on class-maps identifying traffic and policy-maps applying an action.