1-9
Cisco ASA Series CLI Configuration Guide
Chapter 1 Getting Started with Application Layer Protocol Inspection
Configuring Application Layer Protocol Inspection
• Skinny—See the “Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection
Control” section on page 1-26
• SNMP—See the “Configuring an SNMP Inspection Policy Map for Additional Inspection Control”
section on page 1-10.
Step 3 To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the
following command:
hostname(config)# policy-map name
hostname(config-pmap)#
The default policy map is called “global_policy.” This policy map includes the default inspections listed
in the “Default Settings” section on page 1-4. If you want to modify the default policy (for example, to
add or delete an inspection, or to identify an additional class map for your actions), then enter
global_policy as the name.
Step 4 To identify the class map from Step 1 to which you want to assign an action, enter the following
command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
If you are editing the default policy map, it includes the inspection_default class map. You can edit the
actions for this class by entering inspection_default as the name. To add an additional class map to this
policy map, identify a different name. You can combine multiple class maps in the same policy if desired,
so you can create one class map to match certain traffic, and another to match different traffic. However,
if traffic matches a class map that contains an inspection command, and then matches another class map
that also has an inspection command, only the first matching class is used. For example, SNMP matches
the inspection_default class map.To enable SNMP inspection, enable SNMP inspection for the default
class in Step 5. Do not add another class that matches SNMP.
Step 5 Enable application inspection by entering the following command:
hostname(config-pmap-c)# inspect protocol
The protocol is one of the following values:
Table 1-2 Protocol Keywords
Keywords Notes
ctiqbe —
dcerpc [map_name] If you added a DCERPC inspection policy map according to
“Configuring a DCERPC Inspection Policy Map for
Additional Inspection Control” section on page 1-2, identify
the map name in this command.
dns [map_name]
[dynamic-filter-snoop]
If you added a DNS inspection policy map according to
“(Optional) Configuring a DNS Inspection Policy Map and
Class Map” section on page 1-3, identify the map name in
this command. The default DNS inspection policy map
name is “preset_dns_map.” The default inspection policy
map sets the maximum DNS packet length to 512 bytes.
To enable DNS snooping for the Botnet Traffic Filter, enter
the dynamic-filter-snoop keyword. See the “Enabling DNS
Snooping” section on page 1-10 for more information.
To Next Page
Loading...
Need help?
General
