Cisco ASA Series Firewall CLI Configuration Guide
Chapter 12 Getting Started with Application Layer Protocol Inspection
Application Layer Protocol Inspection
Other applications embed an IP address in the packet that needs to match the source address that is
normally translated when it goes through the ASA.
If you use applications like these, then you need to enable application inspection.
When you enable application inspection for a service that embeds IP addresses, the ASA translates
embedded addresses and updates any checksum or other fields that are affected by the translation.
When you enable application inspection for a service that uses dynamically assigned ports, the ASA
monitors sessions to identify the dynamic port assignments, and permits data exchange on these ports
for the duration of the specific session.
Inspection Policy Maps
You can configure special actions for many application inspections using an inspection policy map. These maps are optional: you can enable inspection for a protocol that supports inspection policy maps without configuring a map. These maps are needed only if you want something other than the default inspection actions.
See Configure Application Layer Protocol Inspection, page 12-9 for a list of applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.
• Traffic matching criteria—You match application traffic to criteria specific to the application, such as a URL string, for which you then enable actions.
For some traffic matching criteria, you use regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.
• Inspection class map—Some inspection policy maps let you use an inspection class map to include multiple traffic matching criteria. You then identify the inspection class map in the inspection policy map and enable actions for the class as a whole. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches.
• Parameters—Parameters affect the behavior of the inspection engine.
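As an added illustration that is not part of the guide, the following HTTP inspection policy map shows how the three elements above fit together. All names (ADMIN_PATH, ADMIN_URIS, BLOCK_ADMIN_PATHS, HTTP_INSPECT_MAP) and the matched paths are constructed for this example; the class map gets a single action for every match it contains, while the direct match in the policy map carries its own action.

```cisco
! Added example, not from the guide: names and paths are constructed.
! 1. Regular expressions. Test each one before building the policy map, e.g.:
!    hostname# test regex "/admin/login" "/admin"
regex ADMIN_PATH "/admin"
regex MGMT_PATH "/manager"
! A regular expression class map groups several regexes into one match criterion.
class-map type regex match-any ADMIN_URIS
 match regex ADMIN_PATH
 match regex MGMT_PATH
! 2. Inspection class map: complex, reusable criteria (match-all requires every line
!    to match), but only one action can be applied to the class as a whole.
class-map type inspect http match-all BLOCK_ADMIN_PATHS
 match request uri regex class ADMIN_URIS
 match request method get
! 3. Inspection policy map: parameters, the class map, and a direct match.
policy-map type inspect http HTTP_INSPECT_MAP
 parameters
  protocol-violation action drop-connection log
 class BLOCK_ADMIN_PATHS
  drop-connection log
 match request method connect
  drop-connection log
! Apply the map with the inspect command inside the Layer 3/4 service policy
! (global_policy and inspection_default are the ASA default names; assumed here).
policy-map global_policy
 class inspection_default
  inspect http HTTP_INSPECT_MAP
```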
The following topics provide more details:
• Replacing an In-Use Inspection Policy Map, page 12-3
• How Multiple Traffic Classes are Handled, page 12-4
Replacing an In-Use Inspection Policy Map
If you need to replace an inspection policy map that you are already using in a service policy, use the
following methods:
• All inspection policy maps—If you want to exchange an in-use inspection policy map for a different map name, you must remove the inspect protocol map command, and add it back with the new map. For example:
hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2