
Cisco Asdm 7 User Guide

Here you can view all the pages of the manual Cisco Asdm 7 User Guide. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

Page 291

 
11-17
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  FTP Inspection
load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS 
inspection with snooping for all UDP DNS traffic on the outside interface. See the “Enabling DNS 
Snooping” section on page 26-9.
Step 8: Click OK to return to the Protocol Inspections tab.
Step 9: Click OK to finish editing the service policy.
Step 10: Click Apply.
FTP...

Page 292

 
An FTP command must be acknowledged before the ASA allows a new command.
The ASA drops connections that send embedded commands.
The 227 and PORT commands are checked to ensure they do not appear in an error string.
Caution: Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.
If the strict option is enabled,...

Page 293

 
Fields
FTP Strict (prevent web browsers from sending embedded commands in FTP requests)—Enables 
strict FTP application inspection, which causes the ASA to drop the connection when an embedded 
command is included in an FTP request. 
Use the default FTP inspection map—Specifies to use the default FTP map.
Select an FTP map for fine control over inspection—Lets...

Page 294

 
Delete—Deletes an FTP class map.
Add/Edit FTP Match Criterion
The Add/Edit FTP Match Criterion dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > 
Add/Edit FTP Match Criterion
The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP 
class map....

Page 295

 
–Regular Expression Class—Lists the defined regular expression classes to match.
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
regular expression class maps.
File Type Criterion Values—Specifies to match on the FTP transfer file type.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the...

Page 296

 
Delete—Deletes the inspect map selected in the FTP Inspect Maps table.
Security Level—Select the security level (medium or low).
–Low
    Mask Banner Disabled
    Mask Reply Disabled
–Medium—Default.
    Mask Banner Enabled
    Mask Reply Enabled
–File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
–Customize—Opens the Add/Edit FTP Policy Map...

Page 297

 
Description—Enter the description of the FTP map, up to 200 characters in length.
Security Level—Select the security level (medium or low).
–Low
    Mask Banner Disabled
    Mask Reply Disabled
–Medium—Default.
    Mask Banner Enabled
    Mask Reply Enabled
–File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
–Default Level—Sets the security...

Page 298

 
Add/Edit FTP Map
The Add/Edit FTP Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > Add/Edit FTP Inspect
The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect 
map.
Fields
Single Match—Specifies that the FTP inspect has only one match...

Page 299

 
–Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
regular expression class maps.
File Type Criterion Values—Specifies the value details for FTP file type match.
–Regular Expression—Lists the defined regular expressions to match.
–Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular...

Page 300

 
In conjunction with NAT, the FTP application inspection translates the IP address within the application 
payload. This is described in detail in RFC 959.
HTTP Inspection
This section describes the HTTP inspection engine. This section includes the following topics:
HTTP Inspection Overview, page 11-26
Select HTTP Map, page 11-26
HTTP Class Map, page 11-27...