ESMTP Advanced Inspection (CCIE Notes)

Configuring advanced ESMTP inspection:

regex gmail_reg "@gmail\.com"
regex bob_reg "bob@yahoo\.com"
!
class-map type regex match-any mail_class
 match regex bob_reg
 match regex gmail_reg
!
policy-map type inspect esmtp esmtp_policy
 parameters
 ! message body larger than 20000 bytes
 match body length gt 20000
  drop-connection log
 ! limit EHLO to 50 commands per second
 match cmd verb EHLO
  rate-limit 50
 ! command line longer than 400 bytes
 match cmd line length gt 400
  reset
 ! more than 8 recipients (RCPT TO) in one transaction
 match cmd RCPT count gt 8
  drop-connection
 ! sender address (MAIL FROM) matching either regex in mail_class
 match sender-address regex class mail_class
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_policy

Note: Unlike FTP and HTTP inspection, ESMTP has no L7 class-map (there is no class-map type inspect esmtp); every inspection option is configured directly under the L7 policy-map, and multiple match commands can be used there. A class-map type regex can still be created and referenced from the ESMTP policy-map, as mail_class is above. Also note that both regexes are unanchored: "bob@yahoo\.com" also matches bigbob@yahoo.com and "@gmail\.com" also matches user@gmail.com.example.net, so anchor the patterns (the ASA regex syntax supports ^ and $) if only exact addresses should match. The default global_policy already inspects ESMTP with _default_esmtp_map; the inspect esmtp line above replaces that map with esmtp_policy.


Instant Messaging Inspection (CCIE Notes)

Configuration for IM inspection:

class-map type inspect im match-all imservices_class
 match service conference file-transfer games webcam
 match protocol msn-im yahoo-im
 match ip-address 10.1.1.0 255.255.255.0
!
policy-map type inspect im imservices_policy
 parameters
 class imservices_class
  reset log
!
policy-map global_policy
 class inspection_default
  inspect im imservices_policy

Note: Because the class-map is match-all, a session is reset only when it is MSN or Yahoo IM, comes from 10.1.1.0/24 and uses one of the listed services (conference, file transfer, games or webcam); plain chat from that subnet is not matched. Multiple L7 class-maps can be configured and referenced under a single L7 policy-map.
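As an added example (not part of the original post), the same IM policy-map with two L7 class-maps and different actions: the post's imservices_class keeps its reset, while a second class-map (name assumed) lets plain chat from the same subnet through but logs it. The match service keywords are the ASA's own (chat, conference, file-transfer, games, voice-chat, webcam).

```text
class-map type inspect im match-all imservices_class
 match service conference file-transfer games webcam
 match protocol msn-im yahoo-im
 match ip-address 10.1.1.0 255.255.255.0
!
! second L7 class-map (name assumed): plain chat from the same subnet is allowed but logged
class-map type inspect im match-all imchat_class
 match service chat
 match protocol msn-im yahoo-im
 match ip-address 10.1.1.0 255.255.255.0
!
! one L7 policy-map referencing both classes; classes are evaluated in order
policy-map type inspect im imservices_policy
 parameters
 class imservices_class
  reset log
 class imchat_class
  log
!
policy-map global_policy
 class inspection_default
  inspect im imservices_policy
```

The two class-maps cannot both match the same session because their match service lines are disjoint; if you add overlapping classes, keep the one with the stricter action first, since a session takes the action of the first class it matches.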

Verification:

ASA-FW# show service-policy inspect im
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: im imservices_policy, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
        class imservices_class
          reset log, packet 0

Matches that can be made for an IM application (yahoo or msn) under a L7

Advanced HTTP Inspection (CCIE Notes)

Configuring HTTP inspection:

1. Create a L7 class-map of type inspect or type regex (or both, as below) depending on your requirement.

regex reg_google "www\.google\.com"
!
class-map type regex match-any regex_class
 match regex reg_google
class-map type inspect http match-any http_class
 match request method get
 match request header host regex class regex_class

Note: If you have multiple matches to perform, you can use different types of class-maps and reference them from a L7 policy-map. A single match can be made directly under the L7 policy-map instead, like below:

policy-map type inspect http http_policy_single_match
 parameters
 match request method get
  drop-connection log

2. Create a L7 policy-map for HTTP, reference the inspect class-map configured earlier within it and assign the required action. In the example below, spoof-server rewrites the Server header in responses, protocol-violation drops connections that are not well-formed HTTP, and connections matching http_class (a GET with a Host header matching the regex) are dropped and logged:

policy-map type inspect http http_policy1
 parameters
  spoof-server "NETWORKOLOGY"
  protocol-violation action drop-connection
 class http_class
  drop-connection log

3. Create a L3/L4 class-map that matches the traffic you want to inspect. Alternatively, use the inspection_default class, which matches default-inspection-traffic and therefore HTTP on TCP port 80.

class-map http_class_l3l4
 match port tcp eq www

4. Create a L3/L4 policy-map, reference the L3/L4 class-map and the L7 policy-map underneath it, and apply it to the interface with service-policy.
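Step 4 written out, as an added example rather than the post's own continuation. It reuses the page's http_class_l3l4 and http_policy1 names; the per-interface policy-map name and the interface name inside are assumptions.

```text
! steps 1-3 from the page (regex_class, http_class, http_policy1, http_class_l3l4)
! are assumed to already be configured
!
! Option A: a per-interface policy-map (name assumed), one service-policy per interface
policy-map http_inside_policy
 class http_class_l3l4
  inspect http http_policy1
!
service-policy http_inside_policy interface inside
!
! Option B: attach the L7 map to the default global policy instead. inspection_default
! matches default-inspection-traffic (HTTP on TCP/80), so no extra L3/L4 class-map is needed.
policy-map global_policy
 class inspection_default
  inspect http http_policy1
!
! verification from exec mode (interface name assumed)
show service-policy interface inside inspect http
```

Only one service-policy can be attached to an interface, so if inside already carries one, add the class to that existing policy-map instead of creating a second; for traffic that matches both, the interface policy takes precedence over global_policy. Note that match port tcp eq www only catches port 80; HTTP served on other ports needs an ACL-based L3/L4 class-map.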

Advanced FTP Inspection – Part 2 | Using REGEX values (CCIE Notes)

This is part 2 of the previous Advanced FTP inspection post. Here we’ll see how to configure advanced inspection for FTP to allow a certain user to access a particular directory on an FTP server using REGEX.

The requirement is to allow only the username ‘admin’ from Inside to access a directory named ‘confidential’ and a file named ‘accounts’ on an FTP server hosted in your DMZ.

1. Create an ACL that matches your traffic flow:

access-list ftp_traffic_acl extended permit tcp any host 10.1.1.20 eq 21

2. Create a L3/L4 class-map to match the traffic flow:

class-map ftp_traffic_class
 match access-list ftp_traffic_acl

3. Create the REGEX values for the username and the directory:

regex ftp_user "admin"
regex ftp_dir "\/confidential"

4. Create a L5/L7 class-map that must match all of the conditions under it (match-all). The class-map below matches an access to the confidential directory by any username other than admin:

class-map type inspect ftp match-all ftp_access_class
 match filename regex ftp_dir
 match not username regex ftp_user

5. Create a L5/L7 policy-map and reference the L5/L7 class-map under it as the match criterion. In combination with the class-map above this gives us exactly what we wanted: if any user except 'admin' tries to

Advanced FTP inspection – Part 1 (CCIE Notes)

Below are the steps to configure a Layer 7 inspection policy using MPF (Modular Policy Framework) on Cisco ASA 8.4. The procedure is essentially the same on other versions anyway.

1. Create an ACL that matches the L3/L4 parameters of your traffic flow. This ACL will be used under a L3/L4 class-map.

access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log 

Note: If the server is reached from the outside, FTP access must also be permitted by the ACL on the outside interface and the server needs a static NAT entry.

2. Create a L5-L7 policy-map. This policy-map defines the additional inspection parameters for a particular protocol on top of the default inspection. In our example, FTP is the protocol whose inspection parameters will be defined.

When an FTP client sends a command that matches any of the commands listed under ftp_policy, the control connection is reset.

policy-map type inspect ftp ftp_policy
 parameters
 ! APPE (append), PUT (STOR upload), DELE (delete file), RMD (remove directory)
 match request-command appe put dele rmd
  reset

3. Create the Layer 3/4 class-map. This class-map restricts the inspection to the traffic flow matched by the ACL referenced under it.

class-map ftp_class
 match access-list ftp_acl

4. Create the policy-map that takes the inspection action against the defined L3/L4 class-map
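The remaining steps for both FTP posts (this Part 1 and Part 2 above), written out as an added example rather than the page's own continuation. Both posts match the same flow (TCP/21 to 10.1.1.20), so one L3/L4 class, one L7 policy-map and one service-policy carry both sets of rules; the page's ftp_acl, ftp_class, ftp_policy and ftp_access_class names are reused, while the L3/L4 policy-map name, the inside interface name and the mask-banner/mask-syst-reply hardening are assumptions. It also tightens Part 2 in two ways the excerpt does not: the username regex is anchored, because an unanchored "admin" also matches usernames such as sysadmin or admin2 and, through match not, would let those users into the directory; and the 'accounts' file from the requirement, which the excerpt's regexes do not cover, is added via a regex class-map.

```text
! ---- L3/L4: the flow to the DMZ FTP server (Part 1) ----
access-list ftp_acl extended permit tcp any host 10.1.1.20 eq ftp log
!
class-map ftp_class
 match access-list ftp_acl
!
! ---- Part 2 matching: only 'admin' may touch /confidential or the accounts file ----
! anchored on purpose: an unanchored "admin" would also match sysadmin, admin2, ...
regex ftp_user "^admin$"
regex ftp_dir "\/confidential"
! deliberately loose so accounts.bak, accounts.xls etc. are covered too
regex ftp_file "accounts"
!
class-map type regex match-any ftp_protected_paths
 match regex ftp_dir
 match regex ftp_file
!
class-map type inspect ftp match-all ftp_access_class
 match filename regex class ftp_protected_paths
 match not username regex ftp_user
!
! ---- one L7 policy-map carrying Part 1's command filter and Part 2's class ----
policy-map type inspect ftp ftp_policy
 parameters
  ! hide the server banner and SYST reply from clients (assumed hardening)
  mask-banner
  mask-syst-reply
 ! Part 1: APPE (append), PUT (STOR), DELE, RMD -> reset the control connection
 match request-command appe put dele rmd
  reset
 ! Part 2: any user other than admin touching a protected path -> reset and log
 class ftp_access_class
  reset log
!
! step 4: L3/L4 policy-map (name assumed); 'strict' additionally enforces
! RFC 959 command sequencing and rejects embedded commands
policy-map ftp_inside_policy
 class ftp_class
  inspect ftp strict ftp_policy
!
! step 5: apply it on the interface the clients arrive on (interface name assumed)
service-policy ftp_inside_policy interface inside
```

Verify with show service-policy interface inside inspect ftp and test with an FTP client: a RETR of /confidential/file as user admin succeeds, the same command as user sysadmin is reset (it no longer slips past the match not), and a STOR from any user is reset by the request-command match. If a service-policy is already attached to inside, add the class ftp_class entry to that policy-map rather than creating ftp_inside_policy.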