Cisco Asdm 7 User Guide
11-37 Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 11, Configuring Inspection of Basic Internet Protocols

HTTP Inspection

Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Specifies to match on a regular expression.
  Regular Expression—Lists the defined regular expressions to match.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class—Lists the defined regular expression classes to match.
  Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–Request URI Length—Matches requests whose URI is longer than the specified number of bytes. This is a length check, not a regular expression match.
  Greater Than Length—Enter a URI length value in bytes.
–Request URI—Applies the regular expression match to the URI of the request.
  Regular Expression—Lists the defined regular expressions to match.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class—Lists the defined regular expression classes to match.
  Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–Response Body—Applies the match to the body of the response.
  ActiveX—Specifies to match on ActiveX content.
  Java Applet—Specifies to match on a Java applet.
  Regular Expression—Specifies to match on a regular expression.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–Response Body Length—Matches responses whose body is longer than the specified number of bytes.
  Greater Than Length—Enter a body length value in bytes.
–Response Header Field Count—Matches responses in which the selected header field appears more than the specified number of times.
  Predefined—Selects the response header field by name: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
  Regular Expression—Selects the header field by matching its name against one of the defined regular expressions.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Greater Than Count—Enter the maximum number of occurrences of the field.
–Response Header Field Length—Matches responses in which the selected header field is longer than the specified number of bytes.
  Predefined—Selects the response header field by name (same list as for Response Header Field Count).
  Regular Expression—Selects the header field by matching its name against one of the defined regular expressions.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Greater Than Length—Enter a field length value in bytes.
–Response Header Field—Applies the regular expression match to the selected response header field.
  Predefined—Selects the response header field by name (same list as for Response Header Field Count).
  Regular Expression—Lists the defined regular expressions to match.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class—Lists the defined regular expression classes to match.
  Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–Response Header Count—Matches responses whose header contains more than the specified number of header fields.
  Greater Than Count—Enter the maximum number of header fields.
–Response Header Length—Matches responses whose entire header is longer than the specified number of bytes.
  Greater Than Length—Enter a header length value in bytes.
–Response Header non-ASCII—Matches non-ASCII characters in the header of the response.
–Response Status Line—Applies the regular expression match to the status line of the response.
  Regular Expression—Lists the defined regular expressions to match.
  Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  Regular Expression Class—Lists the defined regular expression classes to match.
  Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Multiple Matches—Specifies multiple matches for the HTTP inspection, selected by an HTTP class map.
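The criteria above combine in an HTTP class map under the Match All / Match Any option, with each criterion either matched or negated (the Match / No Match radio button), and the class map is then tied to an action (drop connection, reset, log). The following Python model of that evaluation is an added example written for this page; it is not ASA code and does not reproduce the ASA's HTTP parser. The class map names, the sample requests and the action strings are constructed for illustration, and only a few request-side criteria are modelled (method, URI regex, URI length, non-ASCII header).

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: List[Tuple[str, str]]   # (lower-cased name, value)
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into the pieces the criteria below look at."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return HttpRequest(method.lower(), uri, headers, body)


Criterion = Callable[[HttpRequest], bool]


# One constructor per modelled criterion type from the dialog box
def request_method(*methods: str) -> Criterion:
    wanted = {m.lower() for m in methods}
    return lambda r: r.method in wanted


def request_uri_regex(pattern: str) -> Criterion:
    rx = re.compile(pattern)
    return lambda r: rx.search(r.uri) is not None


def request_uri_length_gt(limit: int) -> Criterion:
    return lambda r: len(r.uri.encode("latin-1")) > limit


def request_header_non_ascii() -> Criterion:
    return lambda r: any(ord(ch) > 127 for n, v in r.headers for ch in n + v)


@dataclass
class ClassMap:
    name: str
    match_all: bool = True            # Match All vs. Match Any radio button
    criteria: List[Tuple[bool, Criterion]] = field(default_factory=list)

    def add(self, criterion: Criterion, no_match: bool = False) -> "ClassMap":
        """no_match=True is the 'No Match' radio button: the criterion is negated."""
        self.criteria.append((no_match, criterion))
        return self

    def matches(self, req: HttpRequest) -> bool:
        results = [crit(req) != negate for negate, crit in self.criteria]
        return all(results) if self.match_all else any(results)


@dataclass
class HttpInspectPolicy:
    rules: List[Tuple[ClassMap, str]]   # (class map, action); first match wins
    default_action: str = "allow"

    def action_for(self, raw: bytes) -> str:
        req = parse_request(raw)
        for class_map, action in self.rules:
            if class_map.matches(req):
                return action
        return self.default_action


# Hypothetical policy: block WebDAV/TRACE/CONNECT, reset traversal or oversized URIs,
# drop non-ASCII headers, and log anything that is not GET/HEAD/POST.
POLICY = HttpInspectPolicy(rules=[
    (ClassMap("webdav-or-trace", match_all=False)
        .add(request_method("propfind", "proppatch", "mkcol", "copy", "move",
                            "lock", "unlock", "trace", "connect")),
     "drop-connection"),
    (ClassMap("suspicious-uri", match_all=False)
        .add(request_uri_regex(r"(^|/)\.\.(/|$)"))
        .add(request_uri_length_gt(256)),
     "reset"),
    (ClassMap("header-sanity")
        .add(request_header_non_ascii()),
     "drop-connection"),
    (ClassMap("unusual-method")
        .add(request_method("get", "head", "post"), no_match=True),
     "log"),
])

# Constructed sample requests (not captured traffic)
SAMPLES = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "propfind": b"PROPFIND /share/ HTTP/1.1\r\nHost: www.example.com\r\nDepth: 1\r\n\r\n",
    "traversal": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_uri": b"GET /" + b"A" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "non_ascii": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Tag: caf\xe9\r\n\r\n",
    "options": b"OPTIONS * HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def inspect(sample: str) -> str:
    return POLICY.action_for(SAMPLES[sample])


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:10s} -> {inspect(name)}")
```

Rule order matters in the same way it does on the ASA: the first class map that matches decides the action, so put the drop rules ahead of the log rules, and remember that a Match Any class map with a negated ("No Match") criterion matches almost everything.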
HTTP Traffic Class—Specifies the HTTP class map whose match criteria identify the traffic (used with the Multiple Matches option).
Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP class maps.
Action—Drop connection, reset, or log.
Log—Enable or disable logging of the match.

ICMP Inspection

The ICMP inspection engine allows ICMP traffic to have a "session" so it can be inspected like TCP and UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the ASA in an ACL: without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct.

ICMP Error Inspection

When this feature is enabled, the ASA creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The ASA overwrites the packet with the translated IP addresses.

When disabled, the ASA does not create translation sessions for intermediate nodes that generate ICMP error messages. ICMP error messages generated by the intermediate nodes between the inside host and the ASA reach the outside host without consuming any additional NAT resource. This is undesirable when an outside host uses the traceroute command to trace the hops to the destination on the inside of the ASA: when the ASA does not translate the intermediate hops, all the intermediate hops appear with the mapped destination IP address.

The ICMP payload is scanned to retrieve the five-tuple (protocol, source and destination address, source and destination port) from the original packet embedded in the error message. Using the retrieved five-tuple, a lookup is performed to determine the original address of the client. The ICMP error inspection engine makes the following changes to the ICMP packet:
  In the IP header, the mapped IP is changed to the real IP (destination address) and the IP checksum is modified.
  In the ICMP header, the ICMP checksum is modified due to the changes in the ICMP packet.
  In the payload (the embedded original packet), the following changes are made:
  –Original packet mapped IP is changed to the real IP
  –Original packet mapped port is changed to the real port
  –Original packet IP checksum is recalculated

Instant Messaging Inspection

This section describes the IM inspection engine. This section includes the following topics:
  IM Inspection Overview, page 11-40
  Select IM Map, page 11-41
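Returning to the ICMP error inspection described above: the three rewrites (outer IP destination, embedded source address and port, and the three checksums) are easy to get wrong, so the following Python function carries them out on a constructed packet. It is an added example written for this page, not ASA code; the translation table, the addresses (inside host 10.1.1.5:40000 PATed to 209.165.201.10:50000, outside peer 198.51.100.7, intermediate hop 203.0.113.1) and the Time Exceeded message are all constructed for illustration. The embedded TCP checksum is left alone, since the ICMP payload only carries the first 8 bytes of the transport header.

```python
import struct
from dataclasses import dataclass
from typing import Optional


def inet(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a correctly summed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      inet(src), inet(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


@dataclass(frozen=True)
class Xlate:
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


# Hypothetical translation table: inside 10.1.1.5:40000 is PATed to 209.165.201.10:50000
XLATE_TABLE = [Xlate("10.1.1.5", 40000, "209.165.201.10", 50000)]


def lookup_xlate(mapped_ip: str, mapped_port: int) -> Optional[Xlate]:
    for x in XLATE_TABLE:
        if (x.mapped_ip, x.mapped_port) == (mapped_ip, mapped_port):
            return x
    return None


ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, quench, redirect, time exceeded, param problem


def translate_icmp_error(pkt: bytes) -> Optional[bytes]:
    """Rewrite an outside->inside ICMP error the way ICMP error inspection does; None means drop."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if outer[9] != 1 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    # The payload carries the IP header + first 8 bytes of the packet that triggered the error
    inner_ihl = (icmp[8] & 0x0F) * 4
    inner = icmp[8:8 + inner_ihl]
    tp = 8 + inner_ihl                               # offset of the embedded transport header
    proto, src_ip, dst_ip = inner[9], ntoa(inner[12:16]), ntoa(inner[16:20])
    src_port, dst_port = struct.unpack("!HH", icmp[tp:tp + 4])
    five_tuple = (proto, src_ip, src_port, dst_ip, dst_port)   # as seen on the outside
    xlate = lookup_xlate(five_tuple[1], five_tuple[2])
    if xlate is None:
        return None                                  # no translation session for this client
    # IP header: mapped destination -> real, checksum recomputed
    outer[16:20] = inet(xlate.real_ip)
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    # Payload: embedded source IP and port mapped -> real, embedded IP checksum recomputed
    inner[12:16] = inet(xlate.real_ip)
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner)))
    icmp[8:8 + inner_ihl] = inner
    icmp[tp:tp + 2] = struct.pack("!H", xlate.real_port)
    # ICMP header: the checksum covers the whole (now modified) ICMP message
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer + icmp)


def build_sample_icmp_error(mapped_port: int = 50000) -> bytes:
    """Constructed: hop 203.0.113.1 reports Time Exceeded for 209.165.201.10:mapped_port -> 198.51.100.7:80."""
    inner_ip = ipv4_header("209.165.201.10", "198.51.100.7", 6, 40)
    tcp8 = struct.pack("!HHI", mapped_port, 80, 0x11223344)   # src port, dst port, seq
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + inner_ip + tcp8
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header("203.0.113.1", "209.165.201.10", 1, len(icmp)) + icmp


def describe(pkt: bytes) -> dict:
    """Decode the rewritten fields and verify all three checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    inner_ihl = (icmp[8] & 0x0F) * 4
    return {
        "outer_dst": ntoa(pkt[16:20]),
        "inner_src": ntoa(icmp[20:24]),
        "inner_sport": struct.unpack("!H", icmp[8 + inner_ihl:10 + inner_ihl])[0],
        "checksums_ok": checksum(pkt[:ihl]) == 0 and checksum(icmp) == 0
                        and checksum(icmp[8:8 + inner_ihl]) == 0,
    }
```

An error whose embedded five-tuple matches no translation is dropped rather than forwarded untranslated, which is the behaviour that makes unsolicited ICMP errors useless for probing inside addresses.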
IM Inspection Overview

The IM inspect engine lets you apply fine-grained controls to IM applications to control network usage and stop leakage of confidential data, propagation of worms, and other threats to the corporate network.

Adding a Class Map for IM Inspection

An IM class map defines the IM traffic (by protocol, service, version, login names, addresses, or filename) that an IM inspection policy acts on. To apply IM inspection to a service policy rule, use the Add Service Policy Rule Wizard - Rule Actions dialog box, available from Configuration > Firewall > Service Policy Rules > Add.

Step 1 Choose Configuration > Firewall > Objects > Class Maps > Instant Messaging (IM). The table displaying the configured class maps for Instant Messaging Inspection appears.
Step 2 To add a new class map, click Add. The Add Instant Messaging (IM) Traffic Class Map dialog box appears.
Step 3 Enter a name for the class map.
Step 4 (Optional) Enter a description for the class map. The description can contain up to 200 characters.
Step 5 In the Match Option field, click an option for the class map:
  Match All—Specifies that traffic must match all criteria to match the class map. By default, the Match All option is selected.
  Match Any—Specifies that the traffic matches the class map if it matches at least one of the criteria.
Step 6 Click Add to add a match criterion for the class map. The Add Instant Messaging (IM) Match Criterion dialog box appears.
Step 7 In the Match Type field, click the Match or No Match radio button.
Step 8 In the Criterion drop-down list, select one of the following options and specify the criterion value. Depending on which option you select, the Value fields dynamically refresh to display the appropriate values for that criterion. For the criteria that take a regular expression, click the Regular Expression or Regular Expression Class option in the Value fields and select an expression from the drop-down list; see Configuring Regular Expressions, page 20-20 in the general operations configuration guide.
  Protocol—Select to match traffic of a specific IM protocol, such as Yahoo Messenger or MSN Messenger.
  Service—Select to match a specific IM service, such as chat, file-transfer, webcam, voice-chat, conference, or games.
  Version—Select to match the version of the IM message (regular expression).
  Client Login Name—Select to match the source login name of the IM message (regular expression).
  Client Peer Login Name—Select to match the destination login name of the IM message (regular expression).
  Source IP Address—Select to match the source IP address of the IM message. In the Value fields, enter the IP address and netmask of the message source.
  Destination IP Address—Select to match the destination IP address of the IM message. In the Value fields, enter the IP address and netmask of the message destination.
  Filename—Select to match the filename carried in the IM message, for example in a file transfer (regular expression).
Step 9 Click OK to save the criterion. The Add Instant Messaging (IM) Match Criterion dialog box closes and the criterion appears in the Match Criterion table.
Step 10 Click OK to save the class map.

Select IM Map

The Select IM Map dialog box is accessible as follows: Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IM Map

The Select IM Map dialog box lets you select or create a new IM map. An IM map lets you change the configuration values used for IM application inspection. The Select IM Map table provides a list of previously configured maps that you can select for application inspection.

Fields
  Add—Opens the Add Policy Map dialog box for the inspection.

IP Options Inspection

This section describes the IP Options inspection engine. This section includes the following topics:
  IP Options Inspection Overview, page 11-41
  Configuring IP Options Inspection, page 11-42
  Select IP Options Inspect Map, page 11-43
  IP Options Inspect Map, page 11-44
  Add/Edit IP Options Inspect Map, page 11-44

IP Options Inspection Overview

Each IP packet contains an IP header with an Options field. The Options field, commonly referred to as IP Options, provides control functions that are required in some situations but unnecessary for most common communications. In particular, IP Options include provisions for time stamps, security, and special routing. Use of IP Options is optional, and the field can contain zero, one, or more options.

You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass, or to clear the specified IP options and then allow the packet to pass. IP Options inspection can check for the following three IP options in a packet:
End of Options List (EOOL) or IP Option 0—This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.
No Operation (NOP) or IP Option 1—The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.
Router Alert (RTRALT) or IP Option 20—This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols, which require relatively complex processing from the routers along the packet's delivery path.

Note: IP Options inspection is included by default in the global inspection policy. Therefore, the ASA allows RSVP traffic that contains packets with the Router Alert option (option 20) when the ASA is in routed mode. Dropping RSVP packets containing the Router Alert option can cause problems in VoIP implementations.

When you configure the ASA to clear the Router Alert option from IP headers, the IP header changes in the following ways:
  The Options field is padded so that the field ends on a 32-bit boundary.
  The Internet header length (IHL) changes.
  The total length of the packet changes.
  The checksum is recomputed.

If an IP header contains additional options other than EOOL, NOP, or RTRALT, the ASA drops the packet, regardless of how the ASA is configured to treat the three inspected options.
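The following Python function implements the inspection logic just described: it walks the Options field, applies an allow/clear/drop decision per inspected option, drops any packet carrying an option other than EOOL, NOP or RTRALT, and when an option is cleared rebuilds the header (padding to a 32-bit boundary, new IHL, new total length, new checksum). It is an added example written for this page, not ASA code. The three inspect maps, the addresses and the RSVP payload are constructed for illustration; ROUTER_ALERT_ONLY_MAP corresponds to the behaviour the Note above describes, STRICT_MAP to a map that allows none of the three options.

```python
import struct
from typing import Dict, List, Optional, Tuple

EOOL, NOP, RTRALT = 0, 1, 20          # option numbers (low 5 bits of the type byte)
RTRALT_OPT = b"\x94\x04\x00\x00"      # type 148 = copied | class 0 | number 20, length 4, value 0
LSRR_OPT = b"\x83\x07\x04" + bytes([203, 0, 113, 9])   # loose source route: not an inspected option


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a correctly summed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Options field; EOOL and NOP are one byte, everything else is type/length/value."""
    parsed, i = [], 0
    while i < len(opts):
        number = opts[i] & 0x1F
        if number in (EOOL, NOP):
            parsed.append((number, opts[i:i + 1]))
            i += 1
            if number == EOOL:
                break                     # bytes after EOOL are padding
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        parsed.append((number, opts[i:i + opts[i + 1]]))
        i += opts[i + 1]
    return parsed


# Inspect maps: option number -> "allow" | "clear"; anything absent is dropped
ROUTER_ALERT_ONLY_MAP = {RTRALT: "allow"}
RSVP_CLEAR_MAP = {EOOL: "allow", NOP: "allow", RTRALT: "clear"}
STRICT_MAP: Dict[int, str] = {}


def inspect_ip_options(pkt: bytes, policy: Dict[int, str]) -> Optional[bytes]:
    """Return the packet to forward (possibly rewritten), or None if it is dropped."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl == 20:
        return pkt                        # no options present
    opts, payload = pkt[20:ihl], pkt[ihl:]
    try:
        parsed = parse_options(opts)
    except ValueError:
        return None
    kept = bytearray()
    for number, raw in parsed:
        action = policy.get(number, "drop")
        if action == "drop":              # covers every option other than EOOL/NOP/RTRALT too
            return None
        if action == "allow":
            kept += raw
        # "clear": the option bytes are removed from the header
    if bytes(kept) == opts:
        return pkt                        # nothing cleared: forward unchanged
    # Rebuild the header: pad to a 32-bit boundary, fix IHL, total length and checksum
    if len(kept) % 4:
        kept += b"\x00" * (4 - len(kept) % 4)
    new_ihl = 20 + len(kept)
    hdr = bytearray(pkt[:20]) + kept
    hdr[0] = 0x40 | (new_ihl // 4)
    hdr[2:4] = struct.pack("!H", new_ihl + len(payload))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + payload


def build_packet(options: bytes, payload: bytes = b"RSVP") -> bytes:
    """Constructed IPv4 packet (protocol 46 = RSVP) 10.1.1.5 -> 198.51.100.7 with the given options."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), 0, 0, 64, 46, 0,
                      bytes([10, 1, 1, 5]), bytes([198, 51, 100, 7])) + options
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def header_info(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"ihl": ihl, "total_length": struct.unpack("!H", pkt[2:4])[0],
            "options": pkt[20:ihl], "checksum_ok": checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:]}
```

Clearing the Router Alert option from a four-byte Options field shrinks the header back to 20 bytes; when NOP padding precedes it, the allowed bytes are kept and re-padded, so the header stays a multiple of four bytes either way.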
Configuring IP Options Inspection

Use the Add Service Policy Rule Wizard - Rule Actions dialog box to configure IP Options inspection. This wizard is available from the Configuration > Firewall > Service Policy Rules > Add > Add Service Policy Rule Wizard - Rule Actions dialog box.

Step 1 Open the Add Service Policy Rule Wizard by selecting Configuration > Firewall > Service Policy Rules > Add. Perform the steps to complete the Service Policy, Traffic Classification Criteria, and Traffic Match - Destination Port pages of the wizard. See the "Adding a Service Policy Rule for Through Traffic" section on page 1-8. The Add Service Policy Rule Wizard - Rule Actions dialog box opens.
Step 2 Check the IP-Options check box.
Step 3 Click Configure. The Select IP Options Inspect Map dialog box opens.
Step 4 Perform one of the following:
  Click the Use the default IP-Options inspection map radio button to use the default IP Options map. As described in the Note in the IP Options Inspection Overview, the default map allows packets with the Router Alert (RTRALT) option so that RSVP traffic passes; packets carrying options the map does not allow are dropped. Verify the defaults that apply to your software version with show running-config all policy-map (the default map is named _default_ip_options_map).
  Click the Select an IP-Options inspect map for fine control over inspection radio button to select a defined application inspection map.
  Click Add to open the Add IP-Options Inspect Map dialog box and create a new inspection map.
Step 5 (Optional) If you clicked Add to create a new inspection map, define the following values for IP Options Inspection:
  a. Enter a name for the inspection map.
  b. Enter a description for the inspection map, up to 200 characters long.
  c. From the Parameters area, select which IP options you want to pass through the ASA, or clear and then pass through the ASA (see the IP Options Inspection Overview for a description of each option):
    –Allow packets with the End of Options List (EOOL) option
    –Allow packets with the No Operation (NOP) option
    –Allow packets with the Router Alert (RTRALT) option
    –Clear the option value from the packets. When an option is checked, the Clear the option value from the packets check box becomes available for that option. Select it to clear the option from the packet before allowing the packet through the ASA.
  d. Click OK.
Step 6 Click OK.
Step 7 Click Finish.

Select IP Options Inspect Map

The Select IP Options Inspect Map dialog box is accessible as follows: Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IP-Options Inspect Map
The Select IP-Options Inspect Map dialog box lets you select or create a new IP Options inspection map. Use this inspection map to control whether the ASA drops, passes, or clears IP packets containing the following IP options: End of Options List, No Operation, and Router Alert.

Fields
  Use the default IP-Options inspection map—Specifies to use the default IP Options map. As described in the Note in the IP Options Inspection Overview, the default map allows packets with the Router Alert (RTRALT) option so that RSVP traffic passes; packets carrying options the map does not allow are dropped. Verify the defaults that apply to your software version with show running-config all policy-map (the default map is named _default_ip_options_map).
  Select an IP-Options map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
  Add—Opens the Add IP Options Inspect Map dialog box for the inspection.

IP Options Inspect Map

The IP Options Inspect Maps pane lets you view previously configured IP Options inspection maps. An IP Options inspection map lets you change the default configuration values used for IP Options inspection.

You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the security appliance. Configuring this inspection instructs the security appliance to allow a packet to pass, or to clear the specified IP options and then allow the packet to pass. In particular, you can control whether the security appliance drops, clears, or passes packets containing the Router Alert (RTRALT) option. Dropping RSVP packets containing the Router Alert option can cause problems in VoIP implementations. Therefore, you can create IP Options inspection maps to pass packets containing the RTRALT option.

Fields
  IP Options Inspect Maps—Table that lists the defined IP Options inspect maps.
  Add—Configures a new IP Options inspect map.
  Edit—Edits an existing IP Options inspect map. To edit an IP Options inspect map, choose the entry in the table and click Edit.
  Delete—Deletes the inspect map selected in the IP Options Inspect Maps table.

Add/Edit IP Options Inspect Map

The Add/Edit IP Options Inspect Map dialog box lets you configure the settings for IP Options inspection maps.

Fields
  Name—When adding an IP Options inspection map, enter the name of the map. When editing a map, the name of the previously configured map is shown.
  Description—Enter the description of the IP Options inspection map, up to 200 characters in length.
  Parameters—Select which IP options you want to pass through the ASA, or clear and then pass through the ASA:
    –Allow packets with the End of Options List (EOOL) option. This option, which contains just a single zero byte, appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.
    –Allow packets with the No Operation (NOP) option. The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as "internal padding" to align the options on a 32-bit boundary.
    –Allow packets with the Router Alert (RTRALT) option. This option notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols, which require relatively complex processing from the routers along the packet's delivery path.
    –Clear the option value from the packets. When an option is checked, the Clear the option value from the packets check box becomes available for that option. Select it to clear the option from the packet before allowing the packet through the ASA.

IPsec Pass Through Inspection

This section describes the IPsec Pass Through inspection engine. This section includes the following topics:
  IPsec Pass Through Inspection Overview, page 11-45
  Select IPsec-Pass-Thru Map, page 11-46
  IPsec Pass Through Inspect Map, page 11-46
  Add/Edit IPsec Pass Thru Policy Map (Security Level), page 11-47
  Add/Edit IPsec Pass Thru Policy Map (Details), page 11-47

IPsec Pass Through Inspection Overview

Internet Protocol Security (IPsec) is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (for example, computer users or servers), between a pair of security gateways (such as routers or firewalls), or between a security gateway and a host.

IPsec Pass Through application inspection provides convenient traversal of ESP (IP protocol 50) and AH (IP protocol 51) traffic associated with an IKE UDP port 500 connection. It avoids lengthy ACL configuration to permit ESP and AH traffic, and it limits exposure with an idle timeout and a per-client maximum number of flows: ESP and AH are permitted only between a client and peer for which an IKE connection has been seen, and flows that stay idle beyond the timeout are removed.

Specify IPsec Pass Through inspection parameters to identify a specific map to use for defining the parameters for the inspection. Configure a policy map for IPsec Pass Through inspection to access the parameters configuration, which lets you specify the restrictions for ESP or AH traffic. You can set the per-client maximum number of connections and the idle timeout in the parameters configuration. NAT and non-NAT traffic is permitted. However, PAT is not supported, because ESP and AH carry no transport-layer ports to translate; clients behind PAT must use IKE NAT traversal (UDP port 4500), which encapsulates ESP in UDP and does not need this inspection.
Select IPsec-Pass-Thru Map

The Select IPsec-Pass-Thru Map dialog box is accessible as follows: Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select IPsec-Pass-Thru Map

The Select IPsec-Pass-Thru Map dialog box lets you select or create a new IPsec map. An IPsec map lets you change the configuration values used for IPsec application inspection. The Select IPsec Map table provides a list of previously configured maps that you can select for application inspection.

Fields
  Use the default IPsec inspection map—Specifies to use the default IPsec map.
  Select an IPsec map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
  Add—Opens the Add Policy Map dialog box for the inspection.

IPsec Pass Through Inspect Map

The IPsec Pass Through Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > IPsec Pass Through

The IPsec Pass Through pane lets you view previously configured IPsec Pass Through application inspection maps. An IPsec Pass Through map lets you change the default configuration values used for IPsec Pass Through application inspection. You can use an IPsec Pass Through map to permit certain flows without using an ACL.

Fields
  IPsec Pass Through Inspect Maps—Table that lists the defined IPsec Pass Through inspect maps.
  Add—Configures a new IPsec Pass Through inspect map. To edit an IPsec Pass Through inspect map, select the entry in the IPsec Pass Through Inspect Maps table and click Customize.
  Delete—Deletes the inspect map selected in the IPsec Pass Through Inspect Maps table.
  Security Level—Select the security level (high or low).
    –Low (default): Maximum ESP flows per client: Unlimited. ESP idle timeout: 00:10:00. Maximum AH flows per client: Unlimited. AH idle timeout: 00:10:00.
    –High: Maximum ESP flows per client: 10. ESP idle timeout: 00:00:30. Maximum AH flows per client: 10. AH idle timeout: 00:00:30.
    –Customize—Opens the Add/Edit IPsec Pass Thru Policy Map dialog box for additional settings.
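To make the Low and High security levels concrete, the following Python model tracks ESP/AH flows the way the overview describes: a flow is admitted only if an IKE (UDP/500) connection between the same client and peer has been seen, each client may hold at most the configured number of flows per protocol, and idle flows expire after the timeout. It is an added example written for this page, not ASA code, and it does not model SPIs or the details of the ASA's connection table; the client and gateway addresses and the timeline in demo() are constructed for illustration, and the LOW and HIGH parameter sets are taken from the values listed above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ESP, AH = 50, 51   # IP protocol numbers


@dataclass(frozen=True)
class PassThruParams:
    esp_max_per_client: Optional[int]   # None = unlimited
    esp_idle_timeout: float             # seconds
    ah_max_per_client: Optional[int]
    ah_idle_timeout: float


# The two security levels from the page: Low (default) and High
LOW = PassThruParams(None, 600.0, None, 600.0)
HIGH = PassThruParams(10, 30.0, 10, 30.0)

FlowKey = Tuple[int, str, str]          # (protocol, client, peer)


class IPsecPassThru:
    def __init__(self, params: PassThruParams) -> None:
        self.params = params
        self.ike: Set[Tuple[str, str]] = set()     # (client, peer) pairs with an IKE UDP/500 connection
        self.flows: Dict[FlowKey, float] = {}      # flow -> time of last packet

    def ike_packet(self, client: str, peer: str) -> None:
        """An IKE (UDP/500) connection from client to peer passed the ASA."""
        self.ike.add((client, peer))

    def _limits(self, proto: int) -> Tuple[Optional[int], float]:
        p = self.params
        if proto == ESP:
            return p.esp_max_per_client, p.esp_idle_timeout
        return p.ah_max_per_client, p.ah_idle_timeout

    def _expire_idle(self, now: float) -> None:
        for key, last_seen in list(self.flows.items()):
            if now - last_seen > self._limits(key[0])[1]:
                del self.flows[key]

    def ipsec_packet(self, proto: int, src: str, dst: str, now: float) -> str:
        """Decide on one ESP/AH packet; returns 'permit' or a 'deny: <reason>' string."""
        self._expire_idle(now)
        if proto not in (ESP, AH):
            return "deny: not ESP/AH"
        # Only traffic associated with an IKE connection is eligible, in either direction
        if (src, dst) in self.ike:
            client, peer = src, dst
        elif (dst, src) in self.ike:
            client, peer = dst, src
        else:
            return "deny: no IKE connection"
        key = (proto, client, peer)
        if key in self.flows:
            self.flows[key] = now
            return "permit"
        max_flows, _ = self._limits(proto)
        active = sum(1 for k in self.flows if k[0] == proto and k[1] == client)
        if max_flows is not None and active >= max_flows:
            return "deny: per-client flow limit"
        self.flows[key] = now
        return "permit"


def demo(params: PassThruParams) -> Dict[str, str]:
    """Constructed scenario: one inside client opening ESP flows to a dozen outside gateways."""
    fw = IPsecPassThru(params)
    client = "10.1.1.5"
    result: Dict[str, str] = {}
    result["esp_before_ike"] = fw.ipsec_packet(ESP, client, "198.51.100.1", 0.0)
    fw.ike_packet(client, "198.51.100.1")
    result["esp_after_ike"] = fw.ipsec_packet(ESP, client, "198.51.100.1", 1.0)
    result["esp_return"] = fw.ipsec_packet(ESP, "198.51.100.1", client, 2.0)
    for i in range(2, 13):                     # gateways .2 through .12
        fw.ike_packet(client, f"198.51.100.{i}")
        result[f"esp_gw{i}"] = fw.ipsec_packet(ESP, client, f"198.51.100.{i}", 3.0)
    # Once every flow has been idle longer than the timeout, the client gets a fresh allowance
    later = 3.0 + params.esp_idle_timeout + 1.0
    result["esp_after_idle"] = fw.ipsec_packet(ESP, client, "198.51.100.12", later)
    return result


if __name__ == "__main__":
    for level, params in (("low", LOW), ("high", HIGH)):
        print(level, demo(params))
```

With the High level the eleventh gateway is refused until earlier flows time out after 30 seconds; with the Low level nothing is refused and flows linger for 10 minutes, which is the trade-off the Security Level setting is choosing between.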