Configuration for IM inspection:
class-map type inspect im match-all imservices_class
 match service conference file-transfer games webcam
 match protocol msn-im yahoo-im
 match ip-address 10.1.1.0 255.255.255.0
!
policy-map type inspect im imservices_policy
 parameters
 class imservices_class
  reset log
!
policy-map global_policy
 class inspection_default
  inspect im imservices_policy
Note: Multiple L7 class-maps can be configured and referenced under a single L7 policy-map.
Verification:
ASA-FW# show service-policy inspect im
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: im imservices_policy, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        class imservices_class
          reset log, packet 0
Match criteria available for an IM application (Yahoo or MSN) under an L7 class-map or L7 policy-map:
ASA-FW(config-pmap)# match ?
mpf-policy-map mode commands/options:
  filename         Match filename from IM file transfer service
  ip-address       Match client IP address for IM application or service
  login-name       Match client login-name from IM service
  not              Negate this match result
  peer-ip-address  Match peer (client/server) IP add for IM application or service
  peer-login-name  Match client peer login name from IM service
  protocol         Match an Instant Messenger Protocol
  service          Match an Instant Messenger Service
  version          Match version from IM file transfer service
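
The note about multiple L7 class-maps and the filename match listed above, combined in an added example that is not part of the original configuration: a second class-map catches executable file transfers and is referenced from the same L7 policy-map. The regex name exe_files and the class-map name im_exe_transfer_class are hypothetical.

```cisco
! Added example. exe_files and im_exe_transfer_class are hypothetical names.
! Regex that matches any transferred filename ending in .exe
regex exe_files ".*\.exe"
!
! Second L7 class-map: MSN/Yahoo file transfers whose filename matches the regex
class-map type inspect im match-all im_exe_transfer_class
 match protocol msn-im yahoo-im
 match filename regex exe_files
!
! Same L7 policy-map as above, now referencing both class-maps,
! each with its own action
policy-map type inspect im imservices_policy
 parameters
 class imservices_class
  reset log
 class im_exe_transfer_class
  drop-connection log
```

After this is applied, show service-policy inspect im lists each class with its own packet counter, so hits on the file-transfer class can be tracked separately from imservices_class.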