Configuring Application Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 25 Configuring Application Layer Protocol Inspection
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global

Configuring Application Inspection

This feature uses Modular Policy Framework, so that implementing application inspection consists of
identifying traffic, applying inspections to the traffic, and activating inspections on an interface. For
some applications, you can perform special actions when you enable inspection. See
Modular Policy Framework,"
Inspection is enabled by default for some applications. See the
more information. Use this section to modify your inspection policy.
To configure application inspection, perform the following steps:
Step 1 To identify the traffic to which you want to apply inspections, add either a Layer 3/4 class map for
through traffic or a Layer 3/4 class map for management traffic. See the
for Through Traffic" section on page 21-3
Traffic" section on page 21-5
only with the RADIUS accounting inspection.
The default Layer 3/4 class map for through traffic is called "inspection_default." It matches traffic using
a special match command, match default-inspection-traffic, to match the default ports for each
application protocol.
You can specify a match access-list command along with the match default-inspection-traffic
command to narrow the matched traffic to specific IP addresses. Because the match
default-inspection-traffic command specifies the ports to match, any ports in the access list are
ignored.
If you want to match non-standard ports, then create a new class map for the non-standard ports. See the
"Default Inspection Policy" section on page 25-3
can combine multiple class maps in the same policy if desired, so you can create one class map to match
certain traffic, and another to match different traffic. However, if traffic matches a class map that
contains an inspection command, and then matches another class map that also has an inspection
command, only the first matching class is used. For example, SNMP matches the inspection_default
class. To enable SNMP inspection, enable SNMP inspection for the default class in
another class that matches SNMP.
For example, to limit inspection to traffic from 10.1.1.0 to 192.168.1.0 using the default class map, enter
the following commands:
hostname(config)# access-list inspect extended permit ip 10.1.1.0 255.255.255.0
192.168.1.0 255.255.255.0
hostname(config)# class-map inspection_default
hostname(config-cmap)# match access-list inspect
View the entire class map using the following command:
hostname(config-cmap)# show running-config class-map inspection_default
!
class-map inspection_default
match default-inspection-traffic
OL-10088-01
for more information.
and "Creating a Layer 3/4 Class Map for Management
for detailed information. The management Layer 3/4 class map can be used
for the standard ports for each inspection engine. You
Cisco Security Appliance Command Line Configuration Guide
Configuring Application Inspection
Chapter 21, "Using
"Default Inspection Policy"
"Creating a Layer 3/4 Class Map
Step 5. Do not add
section for
25-5