Cisco Asdm 7 User Guide
11-47 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
IPsec Pass Through Inspection

–Default Level—Sets the security level back to the default level of Low.

Add/Edit IPsec Pass Thru Policy Map (Security Level)
The Add/Edit IPsec Pass Thru Policy Map (Security Level) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > IPsec Pass Through > IPsec Pass Through Inspect Map > Basic View
The Add/Edit IPsec Pass Thru Policy Map pane lets you configure the security level and additional settings for IPsec Pass Thru application inspection maps.

Fields
Name—When adding an IPsec Pass Thru map, enter the name of the IPsec Pass Thru map. When editing an IPsec Pass Thru map, the name of the previously configured IPsec Pass Thru map is shown.
Security Level—Select the security level (high or low).
–Low—Default.
  Maximum ESP flows per client: Unlimited.
  ESP idle timeout: 00:10:00.
  Maximum AH flows per client: Unlimited.
  AH idle timeout: 00:10:00.
–High
  Maximum ESP flows per client: 10.
  ESP idle timeout: 00:00:30.
  Maximum AH flows per client: 10.
  AH idle timeout: 00:00:30.
–Default Level—Sets the security level back to the default level of Low.
Details—Shows additional parameter settings to configure.

Add/Edit IPsec Pass Thru Policy Map (Details)
The Add/Edit IPsec Pass Thru Policy Map (Details) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > IPsec Pass Through > IPsec Pass Through Inspect Map > Advanced View
The Add/Edit IPsec Pass Thru Policy Map pane lets you configure the security level and additional settings for IPsec Pass Thru application inspection maps.

Fields
Name—When adding an IPsec Pass Thru map, enter the name of the IPsec Pass Thru map. When editing an IPsec Pass Thru map, the name of the previously configured IPsec Pass Thru map is shown.
Description—Enter the description of the IPsec Pass Through map, up to 200 characters in length.
Security Level—Shows the security level settings to configure.
Parameters—Configures ESP and AH parameter settings.
–Limit ESP flows per client—Limits ESP flows per client.
  Maximum—Specify the maximum limit.
–Apply ESP idle timeout—Applies the ESP idle timeout.
  Timeout—Specify the timeout.
–Limit AH flows per client—Limits AH flows per client.
  Maximum—Specify the maximum limit.
–Apply AH idle timeout—Applies the AH idle timeout.
  Timeout—Specify the timeout.

IPv6 Inspection
Information about IPv6 Inspection, page 11-48
Default Settings for IPv6 Inspection, page 11-48
(Optional) Configuring an IPv6 Inspection Policy Map, page 11-48
Configuring IPv6 Inspection, page 11-49

Information about IPv6 Inspection
IPv6 inspection lets you selectively log or drop IPv6 traffic based on the extension header. In addition, IPv6 inspection can check conformance to RFC 2460 for the type and order of extension headers in IPv6 packets.

Default Settings for IPv6 Inspection
If you enable IPv6 inspection and do not specify an inspection policy map, the default IPv6 inspection policy map is used and the following actions are taken:
Allows only known IPv6 extension headers
Enforces the order of IPv6 extension headers as defined in the RFC 2460 specification
If you create an inspection policy map, the above actions are taken by default unless you explicitly disable them.

(Optional) Configuring an IPv6 Inspection Policy Map
To identify extension headers to drop or log, and/or to disable packet verification, create an IPv6 inspection policy map to be used by the service policy.

Detailed Steps
Step 1 Choose Configuration > Firewall > Objects > Inspect Maps > IPv6.
The Configure IPv6 Maps pane appears.
Step 2 Click Add.
The Add IPv6 Inspection Map dialog box appears.
Step 3 Enter a name and description for the inspection map. By default, the Enforcement tab is selected and the following options are selected:
Permit only known extension headers
Enforce extension header order
When Permit only known extension headers is selected, the ASA verifies the IPv6 extension header. When Enforce extension header order is selected, the order of IPv6 extension headers as defined in the RFC 2460 specification is enforced. When these options are specified and an error is detected, the ASA drops the packet and logs the action.
Step 4 To configure matching in the extension header, click the Header Matches tab.
Step 5 Click Add to add a match.
The Add IPv6 Inspect dialog box appears.
a. Select a criterion for the match. When you select any of the following criteria, you can configure the ASA to drop or log when an IPv6 packet arrives matching the criterion:
–Authentication (AH) header
–Destination Options header
–Encapsulating Security Payload (ESP) header
–Fragment header
–Hop-by-Hop Options header
–Routing header—When Routing header is selected and an IPv6 routing extension header is detected, the ASA takes the specified action when the routing type matches the specified value or falls within the specified routing type range.
–Header count—When Header count is selected and an IPv6 routing extension header is detected, the ASA takes the specified action when the number of IPv6 extension headers in the packet is more than the specified value.
–Routing header address count—When Routing header address count is selected and an IPv6 routing extension header is detected, the ASA takes the specified action when the number of addresses in the type 0 routing header is more than the value you configure.
b. Click OK to save the match criterion.
Step 6 Repeat Step 5 for each header you want to match.
Step 7 Click OK to save the IPv6 inspect map.

Configuring IPv6 Inspection
To enable IPv6 inspection, perform the following steps.

Detailed Steps
Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to Chapter 1, “Configuring a Service Policy.”
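The checks an IPv6 inspect map configures in Steps 3 to 5 above (permit only known extension headers, RFC 2460 ordering, per-header drop or log matches, header count, and the type 0 routing header address count) are modelled below as an added example; it is not part of the guide or of Cisco's software. The policy dictionary layout, the set of upper-layer protocols treated as payload, and the constructed packets are this example's own assumptions.

```python
import struct

# Next-header values of the RFC 2460 extension headers, plus No Next Header.
HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPT = 0, 43, 44, 50, 51, 59, 60
KNOWN_EXT = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPT}
UPPER = {6, 17, 58, NONEXT}   # assumption: protocols treated as payload, not headers
# RFC 2460 section 4.1 order; Destination Options may sit before Routing (rank 1)
# and again just before the upper-layer header (rank 6).
RANK = {HOPOPT: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}

def walk_headers(pkt):
    """Return ([(type, raw_header), ...], final_next_header) for one packet."""
    chain, nh, off = [], pkt[6], 40
    while nh in KNOWN_EXT:
        if nh == ESP:                    # ESP hides everything behind it
            chain.append((nh, pkt[off:]))
            return chain, ESP
        size = (8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH
                else (pkt[off + 1] + 1) * 8)   # Hop-by-Hop, Routing, Dest Options
        chain.append((nh, pkt[off:off + size]))
        nh, off = pkt[off], off + size
    return chain, nh

def order_violation(types):
    """True when the chain breaks the RFC 2460 order or repeats a non-DstOpts header."""
    prev = -1
    for t in types:
        rank = RANK[t] if t != DSTOPT else (1 if prev < 1 else 6)
        if rank < prev or (rank == prev and t != DSTOPT):
            return True
        prev = rank
    return False

def apply_policy(pkt, policy):
    """Apply an inspect map (a dict, see POLICY) and return (verdict, reasons)."""
    chain, final = walk_headers(pkt)
    types = [t for t, _ in chain]
    found = []
    if policy.get("permit_only_known", True) and final not in UPPER | KNOWN_EXT:
        found.append(("drop", "unknown extension header %d" % final))
    if policy.get("enforce_order", True) and order_violation(types):
        found.append(("drop", "extension header order violates RFC 2460"))
    for crit, value, action in policy.get("matches", []):
        if crit == "header" and value in types:
            found.append((action, "header %d present" % value))
        elif crit == "header-count" and len(types) > value:
            found.append((action, "%d extension headers" % len(types)))
        elif crit == "routing-address-count":
            for t, raw in chain:         # raw[2] is the routing type, raw[1]//2 the address count
                if t == ROUTING and raw[2] == 0 and raw[1] // 2 > value:
                    found.append((action, "%d addresses in type 0 routing header" % (raw[1] // 2)))
    actions = {a for a, _ in found}
    verdict = "drop" if "drop" in actions else "log" if "log" in actions else "permit"
    return verdict, [why for _, why in found]

# --- constructed packets for exercising the policy (not captured traffic) ---
def opt_hdr(nh):          # Hop-by-Hop or Destination Options: one PadN option
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])
def routing0(nh, addrs):  # type 0 routing header carrying `addrs` addresses
    return bytes([nh, 2 * addrs, 0, addrs, 0, 0, 0, 0]) + b"\0" * 16 * addrs
def build(hdrs, last=6):
    """IPv6 header + the given (type, builder) headers + a dummy TCP payload."""
    nhs = [t for t, _ in hdrs] + [last]
    exts = b"".join(fn(nhs[i + 1]) for i, (_, fn) in enumerate(hdrs))
    ip = struct.pack("!IHBB", 0x60000000, len(exts) + 20, nhs[0], 64) + b"\0" * 32
    return ip + exts + b"\0" * 20

POLICY = {"permit_only_known": True, "enforce_order": True,
          "matches": [("header", ROUTING, "log"), ("header-count", 3, "drop"),
                      ("routing-address-count", 2, "drop")]}
```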
You can configure IPv6 inspection as part of a new service policy rule, or you can edit an existing service policy.
Step 2 On the Rule Actions dialog box, click the Protocol Inspections tab.
Step 3 Check the IPv6 check box.
Step 4 (Optional) To add an IPv6 inspection policy map that you configured in the “(Optional) Configuring an IPv6 Inspection Policy Map” section on page 11-48:
a. Click Configure.
The Select IPv6 Inspect Map dialog box appears.
b. Select the map name, and click OK. Alternatively, you can click the Add button to add a new inspection policy map.
Step 5 Click OK or Finish.

NetBIOS Inspection
This section describes the NetBIOS inspection engine. This section includes the following topics:
NetBIOS Inspection Overview, page 11-50
Select NETBIOS Map, page 11-50
NetBIOS Inspect Map, page 11-51
Add/Edit NetBIOS Policy Map, page 11-51

NetBIOS Inspection Overview
NetBIOS inspection is enabled by default. The NetBIOS inspection engine translates IP addresses in the NetBIOS name service (NBNS) packets according to the ASA NAT configuration.

Select NETBIOS Map
The Select NETBIOS Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select NetBIOS Map
The Select NETBIOS Map dialog box lets you select or create a new NetBIOS map. A NetBIOS map lets you change the configuration values used for NetBIOS application inspection. The Select NetBIOS Map table provides a list of previously configured maps that you can select for application inspection.

Fields
Use the default NetBIOS inspection map—Specifies to use the default NetBIOS map.
Select a NetBIOS map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.

NetBIOS Inspect Map
The NetBIOS Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > NetBIOS
The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection. NetBIOS application inspection performs NAT for the embedded IP address in the NetBIOS name service packets and NetBIOS datagram service packets. It also enforces protocol conformance, checking the various count and length fields for consistency.

Fields
NetBIOS Inspect Maps—Table that lists the defined NetBIOS inspect maps.
Add—Configures a new NetBIOS inspect map.
Edit—Edits the selected NetBIOS entry in the NetBIOS Inspect Maps table.
Delete—Deletes the inspect map selected in the NetBIOS Inspect Maps table.

Add/Edit NetBIOS Policy Map
The Add/Edit NetBIOS Policy Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > NetBIOS > NetBIOS Inspect Map > View
The Add/Edit NetBIOS Policy Map pane lets you configure the protocol violation settings for NetBIOS application inspection maps.

Fields
Name—When adding a NetBIOS map, enter the name of the NetBIOS map. When editing a NetBIOS map, the name of the previously configured NetBIOS map is shown.
Description—Enter the description of the NetBIOS map, up to 200 characters in length.
Check for protocol violations—Checks for protocol violations and executes the specified action.
–Action—Drop packet or log.
–Log—Enable or disable.

PPTP Inspection
PPTP is a protocol for tunneling PPP traffic. A PPTP session is composed of one TCP channel and usually two PPTP GRE tunnels. The TCP channel is the control channel used for negotiating and managing the PPTP GRE tunnels.
The GRE tunnels carry PPP sessions between the two hosts. When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic. Only Version 1, as defined in RFC 2637, is supported.
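The control-channel tracking this section describes (version announcement check, outgoing-call request/reply tracking, and the resulting dynamic GRE permits) is modelled below as an added example; it is not the guide's or Cisco's code. Message layouts follow RFC 2637; the inspector state, the direction labels, and the constructed messages are this example's own assumptions.

```python
import struct

MAGIC = 0x1A2B3C4D                       # RFC 2637 magic cookie
SCCRQ, SCCRP, OCRQ, OCRP = 1, 2, 7, 8    # control message types used here
VERSION_1 = 0x0100                       # protocol version field for PPTP version 1


class PptpInspector:
    """Model of one PPTP control channel as the guide describes it: check each
    side's version announcement, stop inspecting if either side is not version 1,
    and learn the call IDs from the outgoing-call request/reply so the GRE data
    tunnels can be opened dynamically. The state kept here is this example's own."""

    def __init__(self):
        self.active = True      # cleared once a non-version-1 peer is seen
        self.pending = set()    # client call IDs announced by OCRQ
        self.pinholes = []      # (client_call_id, server_call_id) pairs
        self.events = []

    def feed(self, direction, data):
        """direction is 'c2s' or 's2c'; data is one complete control message."""
        if not self.active:
            self.events.append("control-channel inspection disabled")
            return
        length, mtype, magic, ctype = struct.unpack_from("!HHIH", data)
        if mtype != 1 or magic != MAGIC or length != len(data):
            self.events.append("malformed control message")
            return
        body = data[12:]                 # past Reserved0
        if ctype in (SCCRQ, SCCRP):
            version = struct.unpack_from("!H", body)[0]
            if version != VERSION_1:
                self.active = False
                self.events.append("%s announced 0x%04x, not version 1" % (direction, version))
        elif ctype == OCRQ and direction == "c2s":
            self.pending.add(struct.unpack_from("!H", body)[0])
        elif ctype == OCRP and direction == "s2c":
            call_id, peer_id, result = struct.unpack_from("!HHB", body)
            if result == 1 and peer_id in self.pending:   # result 1 = Connected
                self.pending.discard(peer_id)
                self.pinholes.append((peer_id, call_id))

    def gre_allowed(self, direction, gre_key):
        """RFC 2637 GRE carries the recipient's Call ID in the low 16 bits of the
        Key field; a data packet is permitted only for a learned call."""
        call_id = gre_key & 0xFFFF
        idx = 1 if direction == "c2s" else 0     # toward the server: server's ID
        return any(p[idx] == call_id for p in self.pinholes)


# --- constructed control messages (not captured traffic) ---
def sccr(ctype, version=VERSION_1):
    """Start-Control-Connection-Request/Reply, 156 bytes; capabilities zeroed."""
    return struct.pack("!HHIHHH", 156, 1, MAGIC, ctype, 0, version) + b"\0" * 142

def ocrq(call_id, serial=1):
    """Outgoing-Call-Request, 168 bytes; BPS, bearer and phone fields zeroed."""
    return struct.pack("!HHIHHHH", 168, 1, MAGIC, OCRQ, 0, call_id, serial) + b"\0" * 152

def ocrp(call_id, peer_call_id, result=1):
    """Outgoing-Call-Reply, 32 bytes; result 1 means the call connected."""
    return struct.pack("!HHIHHHHBB", 32, 1, MAGIC, OCRP, 0,
                       call_id, peer_call_id, result, 0) + b"\0" * 14
```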
PAT is only performed for the modified version of GRE [RFC 2637] when negotiated over the PPTP TCP control channel. Port Address Translation is not performed for the unmodified version of GRE [RFC 1701, RFC 1702].

Specifically, the ASA inspects the PPTP version announcements and the outgoing call request/response sequence. Only PPTP Version 1, as defined in RFC 2637, is inspected. Further inspection on the TCP control channel is disabled if the version announced by either side is not Version 1. In addition, the outgoing-call request and reply sequence are tracked. Connections and xlates are dynamically allocated as necessary to permit subsequent secondary GRE data traffic.

The PPTP inspection engine must be enabled for PPTP traffic to be translated by PAT. Additionally, PAT is only performed for a modified version of GRE (RFC 2637) and only if it is negotiated over the PPTP TCP control channel. PAT is not performed for the unmodified version of GRE (RFC 1701 and RFC 1702).

As described in RFC 2637, the PPTP protocol is mainly used for the tunneling of PPP sessions initiated from a modem bank PAC (PPTP Access Concentrator) to the headend PNS (PPTP Network Server). When used this way, the PAC is the remote client and the PNS is the server. However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user PC that initiates a connection to the head-end PAC to gain access to a central network.

SMTP and Extended SMTP Inspection
This section describes the SMTP and ESMTP inspection engine.
This section includes the following topics:
SMTP and ESMTP Inspection Overview, page 11-52
Select ESMTP Map, page 11-53
ESMTP Inspect Map, page 11-54
MIME File Type Filtering, page 11-55
Add/Edit ESMTP Policy Map (Security Level), page 11-55
Add/Edit ESMTP Policy Map (Details), page 11-56
Add/Edit ESMTP Inspect, page 11-57

SMTP and ESMTP Inspection Overview
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.

ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP.

The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session, but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions, are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as “500 Command unknown: XXX.” Incomplete commands are discarded.

The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored.

With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.

An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
Monitors the SMTP command-response sequence.
Generates an audit trail—Audit record 108002 is generated when an invalid character embedded in the mail address is replaced. For more information, see RFC 821.

SMTP inspection monitors the command and response sequence for the following anomalous signatures:
Truncated commands.
Incorrect command termination (not terminated with <CR><LF>).
The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail addresses are scanned for strange characters.
The pipeline character (|) is deleted (changed to a blank space) and “<” and “>” are only allowed if they are used to define a mail address (“>” must be preceded by “<”).

Select ESMTP Map
The Select ESMTP Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select ESMTP Map
The Select ESMTP Map dialog box lets you select or create a new ESMTP map. An ESMTP map lets you change the configuration values used for ESMTP application inspection. The Select ESMTP Map table provides a list of previously configured maps that you can select for application inspection.

Fields
Use the default ESMTP inspection map—Specifies to use the default ESMTP map.
Select an ESMTP map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
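The per-line behaviour the SMTP and ESMTP Inspection Overview describes (banner obfuscation, the supported-command set with unsupported verbs rewritten to Xs, discarding of short or unterminated commands, and the scrubbing of MAIL and RCPT addresses with audit record 108002) is modelled below as an added example that is not part of the guide or of Cisco's software. The exact banner layout kept after masking, the return values, and the client transcript are this example's own assumptions.

```python
# Commands the overview names: the seven RFC 821 commands and the ESMTP extensions.
RFC821 = {"DATA", "HELO", "MAIL", "NOOP", "QUIT", "RCPT", "RSET"}
ESMTP_EXT = {"AUTH", "EHLO", "ETRN", "HELP", "SAML", "SEND", "SOML", "STARTTLS", "VRFY"}
SUPPORTED = RFC821 | ESMTP_EXT
AUDIT_INVALID_CHAR = 108002       # audit record cited in the overview


def mask_banner(banner):
    """Obfuscate the server greeting. The overview keeps only the reply-code
    digits; this model keeps the 3-digit code and its separator (assumption)
    and turns every other character into '*', leaving the CRLF alone."""
    code, sep, rest = banner.rstrip("\r\n").partition(" ")
    return code + sep + "*" * len(rest) + "\r\n"


def inspect_command(line):
    """Return (line_to_forward, finding) for one client command line;
    a None line means the engine discards it."""
    if not line.endswith("\r\n"):
        return None, "incomplete command discarded (no CRLF)"
    body = line[:-2]
    verb = body.split(" ", 1)[0]
    if len(verb) < 4:
        return None, "truncated command discarded"
    if verb.upper() not in SUPPORTED:
        # X out the verb; the real server then answers 500 Command unknown
        return "X" * len(verb) + body[len(verb):] + "\r\n", "unsupported command masked"
    return line, None


def sanitize_address(arg):
    """Scrub a MAIL FROM / RCPT TO argument as the overview describes and
    return (cleaned_argument, audit_records)."""
    audit = []
    if "|" in arg:
        arg = arg.replace("|", " ")
        audit.append(AUDIT_INVALID_CHAR)
    if ">" in arg and ("<" not in arg or arg.index("<") > arg.index(">")):
        audit.append("angle bracket not delimiting an address")
    return arg, audit


def inspect_session(lines):
    """Run a client transcript through the checks; return (lines_forwarded, findings)."""
    forwarded, findings = [], []
    for line in lines:
        out, why = inspect_command(line)
        if why:
            findings.append(why)
        if out is None:
            continue
        if out[:4].upper() in ("MAIL", "RCPT"):
            head, _, addr = out[:-2].partition(":")
            addr, audit = sanitize_address(addr)
            findings.extend(audit)
            out = head + ":" + addr + "\r\n"
        forwarded.append(out)
    return forwarded, findings


# Constructed client transcript, not captured traffic.
SAMPLE = ["EHLO client.example\r\n",
          "MAIL FROM:<alice@example.test>\r\n",
          "RCPT TO:<bob|cat@example.test>\r\n",
          "VERB\r\n",                 # named as unsupported in the overview
          "QUI\r\n",                  # shorter than four characters
          "DATA"]                     # no CRLF termination
```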
ESMTP Inspect Map
The ESMTP Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP
The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection. Since ESMTP traffic can be a main source of attack from spam, phishing, malformed messages, buffer overflows, and buffer underflows, detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance enforce the sanity of the ESMTP message as well as detect several attacks, block senders and receivers, and block mail relay.

Fields
ESMTP Inspect Maps—Table that lists the defined ESMTP inspect maps.
Add—Configures a new ESMTP inspect map. To edit an ESMTP inspect map, choose the ESMTP entry in the ESMTP Inspect Maps table and click Customize.
Delete—Deletes the inspect map selected in the ESMTP Inspect Maps table.
Security Level—Select the security level (high, medium, or low).
–Low—Default.
  Log if command line length is greater than 512
  Log if command recipient count is greater than 100
  Log if body line length is greater than 1000
  Log if sender address length is greater than 320
  Log if MIME file name length is greater than 255
–Medium
  Obfuscate Server Banner
  Drop Connections if command line length is greater than 512
  Drop Connections if command recipient count is greater than 100
  Drop Connections if body line length is greater than 1000
  Drop Connections if sender address length is greater than 320
  Drop Connections if MIME file name length is greater than 255
–High
  Obfuscate Server Banner
  Drop Connections if command line length is greater than 512
  Drop Connections if command recipient count is greater than 100
  Drop Connections if body line length is greater than 1000
  Drop Connections and log if sender address length is greater than 320
  Drop Connections and log if MIME file name length is greater than 255
–MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
–Customize—Opens the Add/Edit ESMTP Policy Map dialog box for additional settings.
–Default Level—Sets the security level back to the default level of Low.

MIME File Type Filtering
The MIME File Type Filtering dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > MIME File Type Filtering
The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.

Fields
Match Type—Shows the match type, which can be a positive or negative match.
Criterion—Shows the criterion of the inspection.
Value—Shows the value to match in the inspection.
Action—Shows the action if the match condition is met.
Log—Shows the log state.
Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter.
Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.
Delete—Deletes a MIME file type filter.
Move Up—Moves an entry up in the list.
Move Down—Moves an entry down in the list.

Add/Edit ESMTP Policy Map (Security Level)
The Add/Edit ESMTP Policy Map (Security Level) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Basic View
The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.

Fields
Name—When adding an ESMTP map, enter the name of the ESMTP map. When editing an ESMTP map, the name of the previously configured ESMTP map is shown.
Description—Enter the description of the ESMTP map, up to 200 characters in length.
Security Level—Select the security level (high, medium, or low).
–Low—Default.
  Log if command line length is greater than 512
  Log if command recipient count is greater than 100
  Log if body line length is greater than 1000
  Log if sender address length is greater than 320
  Log if MIME file name length is greater than 255
–Medium
  Obfuscate Server Banner
  Drop Connections if command line length is greater than 512
  Drop Connections if command recipient count is greater than 100
  Drop Connections if body line length is greater than 1000
  Drop Connections if sender address length is greater than 320
  Drop Connections if MIME file name length is greater than 255
–High
  Obfuscate Server Banner
  Drop Connections if command line length is greater than 512
  Drop Connections if command recipient count is greater than 100
  Drop Connections if body line length is greater than 1000
  Drop Connections and log if sender address length is greater than 320
  Drop Connections and log if MIME file name length is greater than 255
–MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
–Default Level—Sets the security level back to the default level of Low.
Details—Shows the Parameters and Inspections tabs to configure additional settings.

Add/Edit ESMTP Policy Map (Details)
The Add/Edit ESMTP Policy Map (Details) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View
The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.

Fields
Name—When adding an ESMTP map, enter the name of the ESMTP map. When editing an ESMTP map, the name of the previously configured ESMTP map is shown.
Description—Enter the description of the ESMTP map, up to 200 characters in length.
Security Level—Shows the security level and MIME file type filtering settings to configure.
Parameters—Tab that lets you configure the parameters for the ESMTP inspect map.
–Mask server banner—Enforces banner obfuscation.
–Configure Mail Relay—Enables ESMTP mail relay.
  Domain Name—Specifies a local domain.
  Action—Drop connection or log.
  Log—Enable or disable.
Inspections—Tab that shows you the ESMTP inspection configuration and lets you add or edit.
–Match Type—Shows the match type, which can be a positive or negative match.
–Criterion—Shows the criterion of the ESMTP inspection.
–Value—Shows the value to match in the ESMTP inspection.
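The Low, Medium and High security levels listed under ESMTP Inspect Map and in the Add/Edit ESMTP Policy Map dialogs above share five thresholds and differ only in the action taken. The added example below, which is not part of the guide or of Cisco's software, derives those five quantities from a mail transaction and reports the action each level would take; the transcript layout and the MIME file-name pattern are this example's own assumptions.

```python
import re

# Thresholds from the ESMTP security-level list; every level checks the same five.
LIMITS = {"command line length": 512, "recipient count": 100,
          "body line length": 1000, "sender address length": 320,
          "MIME file name length": 255}
LOG_TOO = ("sender address length", "MIME file name length")  # High also logs these


def action_for(level, check):
    """Action the selected level takes when a limit is exceeded."""
    if level == "Low":
        return "log"
    if level == "High" and check in LOG_TOO:
        return "drop and log"
    return "drop"                   # Medium, and the remaining High checks


def banner_masked(level):
    """Medium and High obfuscate the server banner; Low does not."""
    return level in ("Medium", "High")


def measure(transcript):
    """Derive the five inspected quantities from a client transcript given as
    CRLF-terminated lines, DATA body included (assumed layout for this model)."""
    m = {k: 0 for k in LIMITS}
    in_body = False
    for line in transcript:
        text = line.rstrip("\r\n")
        if in_body:
            if text == ".":                      # end of DATA
                in_body = False
                continue
            m["body line length"] = max(m["body line length"], len(text))
            fn = re.search(r'(?i)(?:file)?name="([^"]*)"', text)
            if fn:
                m["MIME file name length"] = max(m["MIME file name length"], len(fn.group(1)))
            continue
        m["command line length"] = max(m["command line length"], len(text))
        verb = text[:4].upper()
        if verb == "RCPT":
            m["recipient count"] += 1
        elif verb == "MAIL":
            m["sender address length"] = len(text.partition(":")[2].strip().strip("<>"))
        elif verb == "DATA":
            in_body = True
    return m


def evaluate(level, transcript):
    """Return [(check, observed, action)] for each limit the transcript exceeds."""
    m = measure(transcript)
    return [(c, m[c], action_for(level, c)) for c, lim in LIMITS.items() if m[c] > lim]


# Constructed transcript (not captured mail): one body line and one attachment
# file name are deliberately past their thresholds.
SAMPLE = ["EHLO client.example\r\n", "MAIL FROM:<alice@example.test>\r\n",
          "RCPT TO:<bob@example.test>\r\n", "RCPT TO:<carol@example.test>\r\n",
          "DATA\r\n", "Content-Type: application/octet-stream\r\n",
          'Content-Disposition: attachment; filename="%s.bin"\r\n' % ("a" * 300),
          "\r\n", "A" * 1200 + "\r\n", ".\r\n", "QUIT\r\n"]
```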