Inspecting and Policing OSI Layers 3-4 (Configuration)


This post builds on the previous one. In this post we’ll see how to create basic policies for inspecting and policing traffic at OSI Layers 3-4.

Scenario: Traffic from internal hosts destined for the internet needs to be capped at 5mb. The company also has a web server hosted at a different location, reachable via the internet. Internal users must be able to ping the web server for testing purposes.

Note: The required ACLs and NAT statements are already in place.

1. Define a Layer 3-4 class-map

First, we need to create ACLs that match the type of traffic the policies will be applied to. These are NOT interface ACLs; they exist only to identify certain traffic so that it can be referenced from the class-map. (You still have to define interface ACLs separately to permit the traffic through the ASA.)

ciscoasa(config)# access-list icmp_inspect extended permit icmp 10.1.1.0 255.255.255.0 host 1.1.1.1 log
ciscoasa(config)# access-list ratelimit_inside extended permit ip 10.1.1.0 255.255.255.0 any log

Now define the Layer 3-4 class-maps by referencing the ACLs above. Here we define two class-maps: one for inspecting ICMP and the other for limiting the bandwidth used by the internal hosts.

ciscoasa(config)# class-map ratelimit_class
ciscoasa(config-cmap)# match access-list ratelimit_inside
ciscoasa(config-cmap)# class-map icmp_class
ciscoasa(config-cmap)# match access-list icmp_inspect

2. Define a Layer 3-4 policy-map

Once the class-maps are defined, use a policy-map to define the action taken for traffic matching each class-map. You can add as many class-maps as you want to a single policy-map, but every class-map you add has to have a specific action assigned to it.

ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class icmp_class
ciscoasa(config-pmap-c)# inspect icmp

ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class ratelimit_class
ciscoasa(config-pmap-c)# police input 41943000 4194304
ciscoasa(config-pmap-c)# police output 41943000 4194304

Did you notice how the prompt changes with each command? Creating a policy-map enters the config-pmap prompt; referencing a class-map within it enters the config-pmap-c prompt, where you define the action for traffic matching that class.

3. Apply the policy-map to the appropriate interfaces

Since we are only concerned with the internal hosts on the inside interface, we apply the policy-map we created to the inside interface only.

ciscoasa(config)# service-policy company_policy interface inside

Verification:

InternalHost#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/27/44 ms


ciscoasa(config)# show service-policy inter inside
Interface inside:
  Service-policy: company_policy
    Class-map: icmp_class
      Inspect: icmp, packet 20, drop 0, reset-drop 0
    Class-map: ratelimit_class
      Input police Interface inside:
        cir 49143000 bps, bc 4194304 bytes
        conformed 5 packets, 570 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
      Output police Interface inside:
        cir 49143000 bps, bc 4194304 bytes
        conformed 15 packets, 1710 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps

With the packet counts showing non-zero numbers, you can be assured that the traffic is being matched and the class-maps and policy-maps are working as desired. :-)
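As an added example (my own code, not part of the original post): a small Python parser for the show service-policy output, run on a constructed sample modelled on the verification above, that reports whether each policer's cir matches the intended cap and whether any packets have exceeded it and been dropped. The 41943000 bps value is the conform rate entered in the policy-map above; the 3 exceeded packets in the sample are invented to show what a cap being hit looks like.

```python
import re

# Constructed sample modelled on the verification output in the post (not
# captured from a real device); the 3 exceeded packets are invented.
SAMPLE = """\
Interface inside:
  Service-policy: company_policy
    Class-map: icmp_class
      Inspect: icmp, packet 20, drop 0, reset-drop 0
    Class-map: ratelimit_class
      Input police Interface inside:
        cir 41943000 bps, bc 4194304 bytes
        conformed 5 packets, 570 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
      Output police Interface inside:
        cir 41943000 bps, bc 4194304 bytes
        conformed 15 packets, 1710 bytes; actions: transmit
        exceeded 3 packets, 4500 bytes; actions: drop
"""

def parse_service_policy(text):
    """Return {class_name: {"inspect": {proto: counters}, "police": {direction: counters}}}."""
    classes, current, direction = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Class-map:\s+(\S+)", line):
            current = classes.setdefault(m.group(1), {"inspect": {}, "police": {}})
            direction = None          # a new class resets the policer direction
        elif current is None:
            continue                  # header lines before the first class-map
        elif m := re.match(r"Inspect:\s+(\w+), packet (\d+), drop (\d+), reset-drop (\d+)", line):
            current["inspect"][m.group(1)] = {"packet": int(m.group(2)), "drop": int(m.group(3)), "reset_drop": int(m.group(4))}
        elif m := re.match(r"(Input|Output) police", line):
            direction = m.group(1).lower()
            current["police"][direction] = {}
        elif direction and (m := re.match(r"cir (\d+) bps, bc (\d+) bytes", line)):
            current["police"][direction].update(cir_bps=int(m.group(1)), bc_bytes=int(m.group(2)))
        elif direction and (m := re.match(r"(conformed|exceeded) (\d+) packets", line)):
            current["police"][direction][m.group(1) + "_packets"] = int(m.group(2))
    return classes

def policer_findings(classes, intended_cir_bps):
    """Flag policers whose cir differs from the intended cap or that are dropping traffic."""
    findings = []
    for name, cls in classes.items():
        for direction, pol in cls["police"].items():
            if pol.get("cir_bps") != intended_cir_bps:
                findings.append(f"{name}/{direction}: cir {pol.get('cir_bps')} bps != intended {intended_cir_bps} bps")
            if pol.get("exceeded_packets", 0):
                findings.append(f"{name}/{direction}: {pol['exceeded_packets']} packets exceeded the cap and were dropped")
    return findings
```

Running policer_findings(parse_service_policy(SAMPLE), 41943000) reports only the output-direction drops; feeding it output captured from the device makes the same check part of routine verification.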
