
Cisco ASA Series

2164 pages
Cisco ASA Series CLI Configuration Guide
Chapter 1 Getting Started with Application Layer Protocol Inspection
Configuring Application Layer Protocol Inspection
class-map inspection_default
match default-inspection-traffic
match access-list inspect
!
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies
the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection
to the traffic. See the following sections to configure an inspection policy map for your application:
DCERPC—See the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 1-2.
DNS—See the “(Optional) Configuring a DNS Inspection Policy Map and Class Map” section on page 1-3.
ESMTP—See the “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section on page 1-33.
FTP—See the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on page 1-12.
GTP—See the “Configuring a GTP Inspection Policy Map for Additional Inspection Control” section on page 1-4.
H323—See the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section on page 1-6.
HTTP—See the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section on page 1-16.
Instant Messaging—See the “Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control” section on page 1-21.
IP Options—See the “Configuring an IP Options Inspection Policy Map for Additional Inspection Control” section on page 1-25.
IPsec Pass Through—See the “IPsec Pass Through Inspection” section on page 11-64.
IPv6—See the “(Optional) Configuring an IPv6 Inspection Policy Map” section on page 11-68.
MGCP—See the “Configuring an MGCP Inspection Policy Map for Additional Inspection Control” section on page 1-13.
NetBIOS—See the “Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control” section on page 1-30.
RADIUS Accounting—See the “Configuring a RADIUS Inspection Policy Map for Additional Inspection Control” section on page 1-9.
RTSP—See the “Configuring an RTSP Inspection Policy Map for Additional Inspection Control” section on page 1-16.
ScanSafe (Cloud Web Security)—See the “Configuring a Service Policy to Send Traffic to Cloud Web Security” section on page 25-11.
SIP—See the “Configuring a SIP Inspection Policy Map for Additional Inspection Control” section on page 1-20.
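
An added example, not part of the Cisco guide: a small Python check that reads class-map and access-list lines in the form shown in Step 1 and reports which TCP ports each class map selects for inspection, plus any referenced access list that is absent from the supplied text. The function name and report keys are this example's own, and only the "permit tcp any any eq" entry form used on this page is parsed.

```python
import re

# Constructed sample input: the class-map and access-list lines from this page,
# mixing running-config form and prompt-prefixed CLI form.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
 match access-list inspect
!
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
"""

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
# Only the ACE form used on this page is parsed (assumption of this example).
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp any any eq (\d+)$")

def resolve_class_maps(config_text):
    """Return {class_map: {"ports", "unresolved_acls", "default_traffic"}}."""
    acl_ports, class_maps, current = {}, {}, None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        ace = ACE_RE.match(line)
        if ace:
            acl_ports.setdefault(ace.group(1), set()).add(int(ace.group(2)))
            current = None
        elif line.startswith("class-map "):
            current = line.split()[-1]
            class_maps[current] = {"acls": [], "default": False}
        elif current and line.startswith("match access-list "):
            class_maps[current]["acls"].append(line.split()[-1])
        elif current and line == "match default-inspection-traffic":
            class_maps[current]["default"] = True
        else:
            current = None  # "!" or any other command ends the class-map block
    report = {}
    for name, cm in class_maps.items():
        report[name] = {
            "ports": sorted({p for a in cm["acls"] for p in acl_ports.get(a, ())}),
            # Referenced ACLs with no parsable entry in the supplied text.
            "unresolved_acls": [a for a in cm["acls"] if a not in acl_ports],
            "default_traffic": cm["default"],
        }
    return report

if __name__ == "__main__":
    for name, info in resolve_class_maps(SAMPLE_CONFIG).items():
        print(name, info)
```

On the sample, new_inspection resolves to ports 21 and 1056, while inspection_default is reported with the access list "inspect" unresolved because its entries are not in the excerpt.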
