25-6
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 25 Configuring Application Layer Protocol Inspection
Configuring Application Inspection
match access-list inspect
!
To inspect FTP traffic on port 21 as well as 1056 (a non-standard port), create an access list that specifies the ports, and assign it to a new class map:
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 21
hostname(config)# access-list ftp_inspect extended permit tcp any any eq 1056
hostname(config)# class-map new_inspection
hostname(config-cmap)# match access-list ftp_inspect
Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. See the following sections to configure an inspection policy map for your application:
• DCERPC—See the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 25-12.
• DNS—See the “Configuring a DNS Inspection Policy Map for Additional Inspection Control” section on page 25-20.
• ESMTP—See the “Configuring an ESMTP Inspection Policy Map for Additional Inspection Control” section on page 25-24.
• FTP—See the “Configuring an FTP Inspection Policy Map for Additional Inspection Control” section on page 25-27.
• GTP—See the “Configuring a GTP Inspection Policy Map for Additional Inspection Control” section on page 25-32.
• H323—See the “Configuring an H.323 Inspection Policy Map for Additional Inspection Control” section on page 25-38.
• HTTP—See the “Configuring an HTTP Inspection Policy Map for Additional Inspection Control” section on page 25-44.
• Instant Messaging—See the “Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control” section on page 25-48.
• MGCP—See the “Configuring an MGCP Inspection Policy Map for Additional Inspection Control” section on page 25-54.
• NetBIOS—See the “Configuring a NetBIOS Inspection Policy Map for Additional Inspection Control” section on page 25-57.
• RADIUS Accounting—See the “Configuring a RADIUS Inspection Policy Map for Additional Inspection Control” section on page 25-59.
• SIP—See the “Configuring a SIP Inspection Policy Map for Additional Inspection Control” section on page 25-63.
• Skinny—See the “Configuring a Skinny (SCCP) Inspection Policy Map for Additional Inspection Control” section on page 25-69.
• SNMP—See the “SNMP Inspection” section on page 25-72.
Step 3 To add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic, enter the following command:
hostname(config)# policy-map name
hostname(config-pmap)#
The default policy map is called “global_policy.” This policy map includes the default inspections listed in the “Default Inspection Policy” section on page 25-3. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.
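As an added example that is not part of the guide, the following running-configuration fragment ties Steps 1 and 3 together for the FTP scenario above: the ftp_inspect access list and new_inspection class map from Step 1, added as a new class to the default global_policy as Step 3 describes. The class, inspect ftp and service-policy commands belong to the steps that follow Step 3 and are standard ASA commands assumed here; they are not shown on this page.

```cisco
! Step 1 (from the guide): match FTP control connections to port 21 and to the
! non-standard port 1056. In "permit tcp any any eq <port>" the port applies to
! the destination, so this selects client-to-server control traffic.
access-list ftp_inspect extended permit tcp any any eq 21
access-list ftp_inspect extended permit tcp any any eq 1056
class-map new_inspection
 match access-list ftp_inspect
!
! Step 3 (from the guide): edit the existing default policy map instead of
! creating a second one, so the default inspections in the inspection_default
! class are kept alongside the new class.
policy-map global_policy
 ! The class and inspect commands below are assumed from the steps that
 ! follow Step 3 in the procedure (not shown on this page).
 class new_inspection
  inspect ftp
!
! On a default configuration global_policy is already applied to all
! interfaces with this command; it is repeated here only for completeness.
service-policy global_policy global
```

Because the access list selects every TCP connection to destination port 1056, all such connections are handed to the FTP inspection engine, not only genuine FTP; confirm with show service-policy that the new class is counting the intended traffic.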