Configuring advanced ESMTP inspection:
regex gmail_reg "@gmail\.com"
regex bob_reg "bob@yahoo\.com"
class-map type regex match-any mail_class
 match regex bob_reg
 match regex gmail_reg
policy-map type inspect esmtp esmtp_policy
 ! body length in characters
 match body length gt 20000
 match cmd verb EHLO
  ! messages per second
  rate-limit 50
 ! command line length in bytes
 match cmd line length gt 400
 ! recipients per transaction
 match cmd RCPT count gt 8
 ! sender email address
 match sender-address regex class mail_class
inspect esmtp esmtp_policy
Note: Unlike other protocol inspections (FTP, HTTP), you cannot create an L7 class-map for ESMTP. All the inspection options you want to configure are placed directly under the L7 policy-map, and multiple match commands can be used under one policy-map. However, you can still create an L7 class-map of type regex and reference it under the L7 policy-map for ESMTP.
Configuration for IM inspection:
class-map type inspect im match-all imservices_class
 match service conference file-transfer games webcam
 match protocol msn-im yahoo-im
 match ip-address 10.1.1.0 255.255.255.0
policy-map type inspect im imservices_policy
inspect im imservices_policy
Note: Multiple L7 class-maps can be configured and referenced under a single L7 policy-map.
ASA-FW# show service-policy inspect im
Inspect: im imservices_policy, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
reset log, packet 0
Matches that can be made for an IM application (Yahoo or MSN) under an L7
Configuring HTTP inspection:
1. Create an L7 class-map of the type (inspect or regex) that your requirement calls for.
regex reg_google "www\.google\.com"
class-map type regex match-any regex_class
 match regex reg_google
class-map type inspect http match-any http_class
 match request method get
 match request header host regex class regex_class
Note: If you need to perform multiple matches, you can use different types of class-maps and then reference them in an L7 policy-map. If only a single match is needed, it can be made directly under the L7 policy-map, as shown below:
policy-map type inspect http http_policy_single_match
 match request method get
2. Create an L7 policy-map for HTTP, reference the previously configured inspect class-map within it, and assign the required type of action. Note that protocol-violation is set under the parameters submode of the policy-map:
policy-map type inspect http http_policy1
 parameters
  protocol-violation action drop-connection
3. Create an L3/L4 class-map that matches the traffic you want to inspect. Alternatively, use the inspection_default class, which already matches HTTP on port 80.
match port tcp eq www
4. Create an L3/L4 policy-map, reference the L3/L4 class-map and the L7 policy-map underneath it, and apply it to the source interface;
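The four steps above tied together in one configuration, as an added example rather than the post's own text. The L7 objects reuse the names the post defines; the L3/L4 class-map name http_traffic_class, the policy-map name inside_policy, the interface name inside, and the drop-connection action on http_class are assumptions.

```cisco
! Step 1: regex, regex class-map and L7 inspect class-map (names from the post)
regex reg_google "www\.google\.com"
class-map type regex match-any regex_class
 match regex reg_google
class-map type inspect http match-all http_class
 match request method get
 match request header host regex class regex_class
! Step 2: L7 policy-map; protocol violations and matching requests are dropped and logged
policy-map type inspect http http_policy1
 parameters
  protocol-violation action drop-connection log
 class http_class
  drop-connection log
! Step 3: L3/L4 class-map selecting TCP/80 (name assumed)
class-map http_traffic_class
 match port tcp eq www
! Step 4: L3/L4 policy-map referencing both, applied to the inside interface (names assumed)
policy-map inside_policy
 class http_traffic_class
  inspect http http_policy1
service-policy inside_policy interface inside
```

After applying it, show service-policy inspect http reports the packet and drop counters for http_policy1 in the same form as the IM output earlier on this page, which is the quickest way to confirm the policy is actually matching traffic.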
This is part 2 of the previous Advanced FTP inspection post. Here we’ll see how to configure advanced FTP inspection that allows a certain user to access a particular directory on an FTP server, using REGEX.
The requirement is to allow only the username ‘admin’ from Inside to access a directory named ‘confidential’ and a file named ‘accounts’ on an FTP server hosted in your DMZ.
1. Create an ACL that matches your traffic flow:
access-list ftp_traffic_acl permit tcp any host 10.1.1.20 eq 21
2. Create an L3/L4 class-map to match the traffic flow:
match access-list ftp_traffic_acl
3. Create the REGEX values for the username and directory:
regex ftp_user "admin"
regex ftp_dir "\/confidential"
4. Create an L5/L7 class-map with match-all, so that every value under it must match. The following class-map matches the directory AND any username other than admin.
class-map type inspect ftp match-all ftp_access_class
 match filename regex ftp_dir
 match not username regex ftp_user
5. Create an L5/L7 policy-map and call the L5/L7 class-map underneath it as the matching criterion. In combination with the above L5/L7 class-map this gives us exactly what we wanted. If any user except ‘admin’ tries to
Below are the steps to configure a Layer 7 inspection policy using MPF on Cisco ASA 8.4. It is pretty much the same for all versions anyway.
1. Create an ACL that matches the L3/L4 parameters of your traffic flow. This ACL will be used under an L3/L4 class-map.
access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log
Note: FTP access to the server must also be permitted on the outside interface, together with a static NAT for the server.
2. Create an L5-L7 policy-map. This policy-map defines additional inspection parameters for a particular feature, beyond the default inspection parameters. In our example, FTP is the feature whose inspection parameters will be defined.
When an FTP client sends a command that matches any of the request-commands listed under ftp_policy, the connection is reset; the reset action is configured under the match statement.
policy-map type inspect ftp ftp_policy
 match request-command appe put dele rmd
  reset
3. Create the Layer 3/4 class-map. This class-map restricts the inspection to the traffic flow defined by the ACL that is matched under it.
match access-list ftp_acl
4. Create the policy-map that applies the inspection action to the defined L3/L4 class-map
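A complete MPF configuration that combines both FTP posts on this page (the command filter from this post and the regex-based directory restriction from part 2), as an added example and not the posts' own text. The ACL, regex and L7 class-map names are the ones the posts define; the L3/L4 class-map ftp_class, the policy-map inside_policy, the interface inside, and the use of the log keyword are assumptions.

```cisco
! Step 1: ACL for the traffic flow to the DMZ FTP server (from the posts)
access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log
! Part 2: regex values and the match-all L7 class-map
! (matches /confidential requested by any username that is NOT admin)
regex ftp_user "admin"
regex ftp_dir "\/confidential"
class-map type inspect ftp match-all ftp_access_class
 match filename regex ftp_dir
 match not username regex ftp_user
! Step 2: one L7 policy-map carrying both rules; each match resets the connection
policy-map type inspect ftp ftp_policy
 match request-command appe put dele rmd
  reset log
 class ftp_access_class
  reset log
! Step 3: L3/L4 class-map that binds the ACL (name assumed)
class-map ftp_class
 match access-list ftp_acl
! Step 4: L3/L4 policy-map; an FTP inspect map only takes effect with the strict keyword
policy-map inside_policy
 class ftp_class
  inspect ftp strict ftp_policy
service-policy inside_policy interface inside
```

Both regex values are unanchored substring matches, so "admin" also matches usernames such as sysadmin and "\/confidential" matches any path containing that directory; check candidate strings with the ASA command test regex before relying on them.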