Cisco ASDM 7 User Guide

10-5 Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 10, Getting Started with Application Layer Protocol Inspection: Default Settings and NAT Limitations

Table 10-1 Supported Application Inspection Engines (continued)

| Application (1) | Default Port | NAT Limitations | Standards (2) | Comments |
|---|---|---|---|---|
| ICMP ERROR | — | — | — | — |
| ILS (LDAP) | TCP/389 | No extended PAT. No NAT64. | — | — |
| Instant Messaging (IM) | Varies by client | No extended PAT. No NAT64. | RFC 3860 | — |
| IP Options | — | No NAT64. | RFC 791, RFC 2113 | — |
| IPsec Pass Through | UDP/500 | No PAT. No NAT64. | — | — |
| IPv6 | — | No NAT64. | RFC 2460 | — |
| MGCP | UDP/2427, 2727 | No extended PAT. No NAT64. (Clustering) No static PAT. | RFC 2705bis-05 | — |
| MMP | TCP 5443 | No extended PAT. No NAT64. | — | — |
| NetBIOS Name Server over IP | UDP/137, 138 (Source ports) | No extended PAT. No NAT64. | — | NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138. |
| PPTP | TCP/1723 | No NAT64. (Clustering) No static PAT. | RFC 2637 | — |
| RADIUS Accounting | 1646 | No NAT64. | RFC 2865 | — |
| RSH | TCP/514 | No PAT. No NAT64. (Clustering) No static PAT. | Berkeley UNIX | — |
| RTSP | TCP/554 | No extended PAT. No outside NAT. No NAT64. (Clustering) No static PAT. | RFC 2326, 2327, 1889 | No handling for HTTP cloaking. |
| ScanSafe (Cloud Web Security) | TCP/80, TCP/413 | — | — | These ports are not included in the default-inspection-traffic class for the ScanSafe inspection. |

Table 10-1 Supported Application Inspection Engines (continued)

| Application (1) | Default Port | NAT Limitations | Standards (2) | Comments |
|---|---|---|---|---|
| SIP | TCP/5060, UDP/5060 | No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. | RFC 2543 | — |
| SKINNY (SCCP) | TCP/2000 | No outside NAT. No NAT on same security interfaces. No extended PAT. No per-session PAT. No NAT64. (Clustering) No static PAT. | — | Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances. |
| SMTP and ESMTP | TCP/25 | No NAT64. | RFC 821, 1123 | — |
| SNMP | UDP/161, 162 | No NAT or PAT. | RFC 1155, 1157, 1212, 1213, 1215 | v.2 RFC 1902-1908; v.3 RFC 2570-2580. |
| SQL*Net | TCP/1521 | No extended PAT. No NAT64. (Clustering) No static PAT. | — | v.1 and v.2. |
| Sun RPC over UDP and TCP | UDP/111 | No extended PAT. No NAT64. | — | The default rule includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new rule that matches TCP port 111 and performs Sun RPC inspection. |
| TFTP | UDP/69 | No NAT64. (Clustering) No static PAT. | RFC 1350 | Payload IP addresses are not translated. |
| WAAS | — | No extended PAT. No NAT64. | — | — |
| XDCMP | UDP/177 | No extended PAT. No NAT64. (Clustering) No static PAT. | — | — |

1. Inspection engines that are enabled by default for the default port are in bold.
2. The ASA is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the ASA does not enforce the order.

Configuring Application Layer Protocol Inspection

This feature uses Security Policy Rules to create a service policy. Service policies provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. See Chapter 1, “Configuring a Service Policy,” for more information.

Inspection is enabled by default for some applications. See the “Default Settings and NAT Limitations” section for more information. Use this section to modify your inspection policy.

Detailed Steps

Step 1 Choose Configuration > Firewall > Service Policy Rules.

Step 2 Add or edit a service policy rule according to the “Adding a Service Policy Rule for Through Traffic” section on page 1-8. If you want to match non-standard ports, then create a new rule for the non-standard ports. See the “Default Settings and NAT Limitations” section on page 10-4 for the standard ports for each inspection engine. You can combine multiple rules in the same service policy if desired, so you can create one rule to match certain traffic, and another to match different traffic. However, if traffic matches a rule that contains an inspection action, and then matches another rule that also has an inspection action, only the first matching rule is used.

Step 3 In the Edit Service Policy Rule > Rule Actions dialog box, click the Protocol Inspection tab. For a new rule, the dialog box is called Add Service Policy Rule Wizard - Rule Actions.

Step 4 Select each inspection type that you want to apply.

Step 5 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. Click Configure for each inspection type to configure an inspect map. You can either choose an existing map, or create a new one. You can predefine inspect maps in the Configuration > Firewall > Objects > Inspect Maps pane.

Step 6 You can configure other features for this rule if desired using the other Rule Actions tabs.

Step 7 Click OK (or Finish from the wizard).


Chapter 11: Configuring Inspection of Basic Internet Protocols

This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do a deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput. Several common inspection engines are enabled on the ASA by default, but you might need to enable others depending on your network.

This chapter includes the following sections:
- DNS Inspection, page 11-1
- FTP Inspection, page 11-17
- HTTP Inspection, page 11-26
- ICMP Inspection, page 11-39
- ICMP Error Inspection, page 11-39
- Instant Messaging Inspection, page 11-39
- IP Options Inspection, page 11-41
- IPsec Pass Through Inspection, page 11-45
- IPv6 Inspection, page 11-48
- NetBIOS Inspection, page 11-50
- PPTP Inspection, page 11-51
- SMTP and Extended SMTP Inspection, page 11-52
- TFTP Inspection, page 11-60

DNS Inspection

This section describes DNS application inspection. This section includes the following topics:
- Information About DNS Inspection, page 11-2
- Default Settings for DNS Inspection, page 11-2
- (Optional) Configuring a DNS Inspection Policy Map and Class Map, page 11-3

- Configuring DNS Inspection, page 11-16

Information About DNS Inspection

- General Information About DNS, page 11-2
- DNS Inspection Actions, page 11-2

General Information About DNS

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently. Because the app_id expires independently, a legitimate DNS response can only pass through the ASA within a limited period of time and there is no resource build-up.

DNS Inspection Actions

DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:
- Translate the DNS record based on the NAT configuration. For more information, see the “DNS and NAT” section on page 3-31.
- Enforce message length, domain-name length, and label length.
- Verify the integrity of the domain-name referred to by the pointer if compression pointers are encountered in the DNS message.
- Check to see if a compression pointer loop exists.
- Inspect packets based on the DNS header, type, class and more.

Default Settings for DNS Inspection

DNS inspection is enabled by default, using the preset_dns_map inspection class map:
- The maximum DNS message length is 512 bytes.
- The maximum client DNS message length is automatically set to match the Resource Record.
- DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
- Translation of the DNS record based on the NAT configuration is enabled.
- Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
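The following added example (not Cisco's code, and not how the ASA implements preset_dns_map) models the protocol-enforcement checks listed above in Python: the 512-byte message limit, the 63-byte label and 255-byte name limits, and rejection of compression pointers that do not point strictly backward, which is what makes a pointer loop impossible. The two DNS messages are constructed samples; the resource-record based client length limit is not modelled.

```python
import struct

MAX_MSG_LEN, MAX_NAME_LEN, MAX_LABEL_LEN = 512, 255, 63   # preset_dns_map defaults

class DnsFormatError(ValueError):
    """A DNS message failed one of the format checks listed above."""

def read_name(msg: bytes, offset: int) -> tuple:
    """Parse a possibly compressed name at offset; return (name, offset after it)."""
    labels, name_len, pos, resume = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise DnsFormatError("name runs past the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            if pos + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                            # must point strictly backward,
                raise DnsFormatError("looped or forward compression pointer")  # so no loop is possible
            resume = pos + 2 if resume is None else resume   # caller continues after the first pointer
            pos = target
            continue
        if length == 0:                                  # root label terminates the name
            return ".".join(labels), (pos + 1 if resume is None else resume)
        if length > MAX_LABEL_LEN:
            raise DnsFormatError("label longer than 63 bytes")
        name_len += length + 1                           # label bytes plus its length octet
        if name_len + 1 > MAX_NAME_LEN:                  # +1 for the terminating root octet
            raise DnsFormatError("name longer than 255 bytes")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def check_message(msg: bytes) -> dict:
    """Apply message-length and name checks; return header facts when the message passes."""
    if not 12 <= len(msg) <= MAX_MSG_LEN:
        raise DnsFormatError("message length outside the 12..512 byte range")
    dns_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    names, pos = [], 12
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        names.append(name)
        pos += 4                                         # skip QTYPE and QCLASS
    return {"id": dns_id, "response": bool(flags & 0x8000), "questions": names}

# Constructed samples: a well-formed query for www.example.com, and a query whose
# question name is a compression pointer to itself (a pointer loop).
GOOD_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
LOOPED_QUERY = b"\x12\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\xc0\x0c\x00\x01\x00\x01"
```

A real inspection engine would also walk the answer, authority and additional sections with the same `read_name` routine; the question section is enough to show the checks.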

(Optional) Configuring a DNS Inspection Policy Map and Class Map

To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map. You can also configure a DNS inspection class map to group multiple match criteria for reference within the inspection policy map. You can then apply the inspection policy map when you enable DNS inspection.

Prerequisites

If you want to match a DNS message domain name list, then create a regular expression using one of the methods below:
- “Creating a Regular Expression” section on page 20-20 in the general operations configuration guide.
- “Creating a Regular Expression Class Map” section on page 20-24 in the general operations configuration guide.

Detailed Steps

Step 1 Choose Configuration > Firewall > Objects > Inspect Maps > DNS. The Configure DNS Maps pane appears.

Step 2 Click Add. The Add IPv6 Inspection Map dialog box appears.

Step 3 In the Name field, name the inspection policy map.

Step 4 (Optional) In the Description field, add a description.

Step 5 Do one of the following:

- To use one of the preset security levels (Low, Medium, or High), drag the Security Level knob, then click OK to add the inspection policy map. You can skip the rest of this procedure.
- To customize each parameter and/or to configure packet matching inspection, click Details.

Detailed Steps—Protocol Conformance

Step 1 Configure the following Protocol Conformance parameters:

Step 2 Enable DNS guard function—Enables DNS Guard. The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

Step 3 Enable NAT re-write function—Translates the DNS record based on the NAT configuration.

Step 4 Enable protocol enforcement—Enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.

Step 5 Randomize the DNS identifier for DNS query—Randomizes the DNS identifier for a DNS query.

Step 6 Enforce TSIG resource record to be present in DNS message—Requires a TSIG resource record to be present. Actions include:
- Action: Drop packet or Log—Drop or log a non-conforming packet.
- Log: Enable or Disable—If you selected Drop packet, you can also enable logging.

Detailed Steps—Filtering

Step 1 Click the Filtering tab.

Step 2 Global Settings: Drop packets that exceed specified maximum length (global)—Sets the maximum DNS message length, from 512 to 65535 bytes.

Step 3 Server Settings: Drop packets that exceed specified maximum length and Drop packets sent to server that exceed length indicated by the RR—Sets the maximum server DNS message length, from 512 to 65535 bytes, or sets the maximum length to the value in the Resource Record. If you enable both settings, the lower value is used.

Step 4 Client Settings: Drop packets that exceed specified maximum length and Drop packets sent to server that exceed length indicated by the RR—Sets the maximum client DNS message length, from 512 to 65535 bytes, or sets the maximum length to the value in the Resource Record. If you enable both settings, the lower value is used.

Detailed Steps—Mismatch Rate

Step 1 Click the Mismatch Rate tab.

Step 2 Enable logging when DNS ID mismatch rate exceeds specified rate—Enables logging for excessive DNS ID mismatches, where the Mismatch Instance Threshold and Time Interval fields specify the maximum number of mismatch instances per x seconds before a system message log is sent.

Detailed Steps—Inspections

Step 1 Click the Inspections tab.
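As an added illustration of the DNS Guard behaviour and the Mismatch Rate logging described above (example code, not the ASA's implementation), the following Python class tracks outstanding query IDs per 5-tuple, forwards a reply only when its ID matches and then tears the session down, and signals a log event once more than the configured threshold of mismatches occurs within the time interval. The flow key, the `DnsGuard` and `simulate` names and the 5-tuple values are assumptions made for this example.

```python
from collections import deque

class DnsGuard:
    """Per-flow DNS ID matching with rate-limited mismatch logging.

    A reply whose ID matches an outstanding query on the flow is forwarded
    and the session is torn down; any other reply is dropped and counted,
    and a log event is signalled once more than `threshold` mismatches
    fall within `interval` seconds (the window is then reset).
    """
    def __init__(self, threshold: int, interval: float):
        self.threshold, self.interval = threshold, interval
        self.pending = {}                  # flow 5-tuple -> set of outstanding query IDs
        self.mismatches = deque()          # timestamps of recent mismatched replies

    def query(self, flow: tuple, dns_id: int) -> None:
        """Record a query ID seen on the flow."""
        self.pending.setdefault(flow, set()).add(dns_id)

    def reply(self, flow: tuple, dns_id: int, now: float) -> tuple:
        """Return (verdict, log_now) for a reply seen on the same flow."""
        ids = self.pending.get(flow, set())
        if dns_id in ids:
            ids.discard(dns_id)            # DNS Guard: the session ends with the forwarded reply
            if not ids:
                self.pending.pop(flow, None)
            return ("forward", False)
        self.mismatches.append(now)
        while self.mismatches and now - self.mismatches[0] > self.interval:
            self.mismatches.popleft()      # expire mismatches outside the time interval
        if len(self.mismatches) > self.threshold:
            self.mismatches.clear()        # one log message per burst
            return ("drop", True)
        return ("drop", False)

def simulate(threshold: int = 3, interval: float = 5.0) -> list:
    """Constructed exchange: one matching reply, then a burst of mismatched ones."""
    guard = DnsGuard(threshold, interval)
    flow = ("10.1.1.5", 53001, "192.0.2.53", 53, "udp")   # constructed 5-tuple
    guard.query(flow, 0x1234)
    events = [guard.reply(flow, 0x1234, 0.0)]
    for t in range(1, 6):
        events.append(guard.reply(flow, 0x4000 + t, float(t)))   # IDs no query used
    return events
```

With the defaults, `simulate()` forwards the first reply, drops the five replies whose IDs match no query, and flags a log event on the fourth mismatch, when the count within the 5-second window exceeds the threshold of 3.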