Cisco Asdm 7 User Guide
12-35 Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 12, Configuring Inspection for Voice and Video Protocols, Skinny (SCCP) Inspection

Minimum prefix length: 4. Media timeout: 00:05:00. Signaling timeout: 01:00:00. RTP conformance: Not enforced.
–Medium
Registration: Not enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No.
–High
Registration: Enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Maximum prefix length: 65536. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: Yes.
–Message ID Filtering—Opens the Message ID Filtering dialog box for configuring message ID filters.
–Customize—Opens the Add/Edit SCCP (Skinny) Policy Map dialog box for additional settings.
–Default Level—Sets the security level back to the default level of Low.

Message ID Filtering
Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > Message ID Filtering
The Message ID Filtering dialog box lets you configure the settings for a message ID filter.
Fields
Match Type—Shows the match type, which can be a positive or negative match.
Criterion—Shows the criterion of the inspection.
Value—Shows the value to match in the inspection.
Action—Shows the action if the match condition is met.
Log—Shows the log state.
Add—Opens the Add Message ID Filtering dialog box to add a message ID filter.
Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter.
Delete—Deletes a message ID filter.
Move Up—Moves an entry up in the list.
Move Down—Moves an entry down in the list.

Add/Edit SCCP (Skinny) Policy Map (Security Level)
Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Basic View
The Add/Edit SCCP (Skinny) Policy Map pane lets you configure the security level and additional settings for SCCP (Skinny) application inspection maps.
Fields
Name—When adding an SCCP (Skinny) map, enter the name of the SCCP (Skinny) map. When editing an SCCP (Skinny) map, the name of the previously configured SCCP (Skinny) map is shown.
Description—Enter the description of the SCCP (Skinny) map, up to 200 characters in length.
Security Level—Select the security level (Low, Medium, or High).
–Low—Default. Registration: Not enforced. Maximum message ID: 0x181. Minimum prefix length: 4. Media timeout: 00:05:00. Signaling timeout: 01:00:00. RTP conformance: Not enforced.
–Medium
Registration: Not enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced. Limit payload to audio or video, based on the signaling exchange: No.
–High
Registration: Enforced. Maximum message ID: 0x141. Minimum prefix length: 4. Maximum prefix length: 65536. Media timeout: 00:01:00. Signaling timeout: 00:05:00. RTP conformance: Enforced.
Limit payload to audio or video, based on the signaling exchange: Yes.
–Message ID Filtering—Opens the Message ID Filtering dialog box for configuring message ID filters.
–Default Level—Sets the security level back to the default.
Details—Shows additional parameter, RTP conformance, and message ID filtering settings to configure.

Add/Edit SCCP (Skinny) Policy Map (Details)
Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Advanced View
The Add/Edit SCCP (Skinny) Policy Map pane lets you configure the security level and additional settings for SCCP (Skinny) application inspection maps.
Fields
Name—When adding an SCCP (Skinny) map, enter the name of the SCCP (Skinny) map. When editing an SCCP (Skinny) map, the name of the previously configured SCCP (Skinny) map is shown.
Description—Enter the description of the SCCP (Skinny) map, up to 200 characters in length.
Security Level—Shows the security level and message ID filtering settings to configure.
Parameters—Tab that lets you configure the parameter settings for SCCP (Skinny).
–Enforce endpoint registration—Enforce that Skinny endpoints are registered before placing or receiving calls.
Maximum Message ID—Specify the maximum SCCP message ID allowed.
–SCCP Prefix Length—Specifies the prefix length value in Skinny messages.
Minimum Prefix Length—Specify the minimum SCCP prefix length allowed.
Maximum Prefix Length—Specify the maximum SCCP prefix length allowed.
–Media Timeout—Specify the timeout value for media connections.
–Signaling Timeout—Specify the timeout value for signaling connections.
RTP Conformance—Tab that lets you configure the RTP conformance settings for SCCP (Skinny).
–Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.
Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio/video based on the signaling exchange.
Message ID Filtering—Tab that lets you configure the message ID filtering settings for SCCP (Skinny).
–Match Type—Shows the match type, which can be a positive or negative match.
–Criterion—Shows the criterion of the inspection.
–Value—Shows the value to match in the inspection.
–Action—Shows the action if the match condition is met.
–Log—Shows the log state.
–Add—Opens the Add Message ID Filtering dialog box to add a message ID filter.
–Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter.
–Delete—Deletes a message ID filter.
–Move Up—Moves an entry up in the list.
–Move Down—Moves an entry down in the list.

Add/Edit Message ID Filter
Configuration > Global Objects > Inspect Maps > SCCP (Skinny) > SCCP (Skinny) Inspect Map > Advanced View > Add/Edit Message ID Filter
The Add Message ID Filter dialog box lets you configure message ID filters.
Fields
Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected for message ID 0x100, then messages with ID 0x100 are excluded from the filter, and every other message ID matches it and receives the configured action.
Criterion—Specifies which criterion of SCCP (Skinny) traffic to match.
–Message ID—Match the specified message ID.
Message ID—Specify the SCCP message ID to match.
–Message ID Range—Match the specified message ID range.
Lower Message ID—Specify the lower bound of the SCCP message ID range.
Upper Message ID—Specify the upper bound of the SCCP message ID range.
Action—Drop packet.
Log—Enable or disable logging of the match.
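The checks that the Low, Medium and High security levels and the message ID filter list apply are easier to see together in a small model. The following Python is an added example written for this page, not Cisco code: it parses the 12-byte Skinny header (little-endian length, header version and message ID), applies the prefix-length bounds and maximum message ID listed above, evaluates the message ID filter list with Match/No Match semantics and the drop/log action, and at the High level enforces endpoint registration. The message ID constants (RegisterMessage 0x0001, RegisterAckMessage 0x0081, OffHookMessage 0x0006), the endpoint names and the filter entries are assumed sample values; the media/signaling timeouts and RTP conformance checks are listed but not modeled.

```python
"""Illustrative model of the SCCP (Skinny) inspect-map checks (added example,
not ASA code). A Skinny message starts with a 12-byte header: data length,
header version, message ID, all little-endian 32-bit; the length counts the
message ID plus payload, which is why the minimum prefix length is 4."""
import struct

# Parameter sets as listed for the three security levels in the guide.
# Timeouts are kept for reference only; this model does not track idle time.
LEVELS = {
    "low":    {"enforce_registration": False, "max_message_id": 0x181,
               "min_prefix": 4, "max_prefix": None,
               "media_timeout": "00:05:00", "signaling_timeout": "01:00:00"},
    "medium": {"enforce_registration": False, "max_message_id": 0x141,
               "min_prefix": 4, "max_prefix": None,
               "media_timeout": "00:01:00", "signaling_timeout": "00:05:00"},
    "high":   {"enforce_registration": True,  "max_message_id": 0x141,
               "min_prefix": 4, "max_prefix": 65536,
               "media_timeout": "00:01:00", "signaling_timeout": "00:05:00"},
}

# Skinny message IDs used below (assumed standard values, not from the guide).
REGISTER_MSG = 0x0001       # phone -> call manager
REGISTER_ACK_MSG = 0x0081   # call manager -> phone
OFFHOOK_MSG = 0x0006        # phone -> call manager, starts a call


def build_sccp(msg_id: int, payload: bytes = b"", version: int = 0) -> bytes:
    """Encode a Skinny message; the length field covers message ID + payload."""
    return struct.pack("<III", 4 + len(payload), version, msg_id) + payload


def parse_sccp(data: bytes):
    """Return (prefix_length, header_version, message_id), or None if truncated."""
    if len(data) < 12:
        return None
    return struct.unpack("<III", data[:12])


class SccpInspector:
    def __init__(self, level: str, filters=()):
        self.p = LEVELS[level]
        # Each filter: (match, lower_id, upper_id, log). match=False is "No Match";
        # a single message ID is a range with lower == upper. Action is always drop.
        self.filters = list(filters)
        self.pending = set()      # endpoints that sent RegisterMessage
        self.registered = set()   # endpoints whose registration was acknowledged
        self.log = []             # (endpoint, message_id) for filters with Log enabled

    def inspect(self, endpoint: str, direction: str, data: bytes) -> str:
        """direction is 'to_server' or 'to_client'; returns 'allow' or 'drop'."""
        hdr = parse_sccp(data)
        if hdr is None:
            return "drop"
        length, _version, msg_id = hdr
        # Prefix-length bounds (the Skinny length field).
        if length < self.p["min_prefix"]:
            return "drop"
        if self.p["max_prefix"] is not None and length > self.p["max_prefix"]:
            return "drop"
        # Maximum message ID allowed by the level.
        if msg_id > self.p["max_message_id"]:
            return "drop"
        # Message ID filter list: the first entry whose condition is met drops.
        for match, lower, upper, log in self.filters:
            in_range = lower <= msg_id <= upper
            if in_range == match:
                if log:
                    self.log.append((endpoint, msg_id))
                return "drop"
        # Registration enforcement applies to phone-originated messages only.
        if direction == "to_server":
            if msg_id == REGISTER_MSG:
                self.pending.add(endpoint)
            elif self.p["enforce_registration"] and endpoint not in self.registered:
                return "drop"
        elif msg_id == REGISTER_ACK_MSG and endpoint in self.pending:
            self.registered.add(endpoint)
        return "allow"
```

The Low level lets message ID 0x150 through because its ceiling is 0x181, while Medium and High drop it at 0x141; High additionally refuses a call-setup message from a phone that has not completed the Register/RegisterAck exchange, which is the behaviour the Enforce endpoint registration check box describes.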
Chapter 13 Configuring Inspection of Database and Directory Protocols
This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput. Several common inspection engines are enabled on the ASA by default, but you might need to enable others depending on your network.
This chapter includes the following sections:
ILS Inspection, page 13-1
SQL*Net Inspection, page 13-2
Sun RPC Inspection, page 13-3

ILS Inspection
The ILS inspection engine provides NAT support for Microsoft NetMeeting, SiteServer, and Active Directory products that use LDAP to exchange directory information with an ILS server. The ASA supports NAT for ILS, which is used to register and locate endpoints in the ILS or SiteServer Directory. PAT cannot be supported because only IP addresses are stored by an LDAP database.
For search responses, when the LDAP server is located outside, NAT should be considered to allow internal peers to communicate locally while registered to external LDAP servers. For such search responses, xlates are searched first, and then DNAT entries, to obtain the correct address. If both of these searches fail, the address is not changed. For sites using NAT 0 (no NAT) and not expecting DNAT interaction, we recommend that the inspection engine be turned off to provide better performance.
Additional configuration may be necessary when the ILS server is located inside the ASA border. This would require a hole for outside clients to access the LDAP server on the specified port, typically TCP 389.
Because H.225 call signaling traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after the TCP inactivity interval. By default, this interval is 60 minutes and can be adjusted using the timeout command.
ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client's actions, several of these sessions may be created.
During connection negotiation, a BIND PDU is sent from the client to the server. Once a successful BIND RESPONSE from the server is received, other operational messages may be exchanged (such as ADD, DEL, SEARCH, or MODIFY) to perform operations on the ILS Directory. The ADD REQUEST and SEARCH RESPONSE PDUs may contain IP addresses of NetMeeting peers, used by H.323 (SETUP and CONNECT messages) to establish the NetMeeting sessions. Microsoft NetMeeting v2.X and v3.X provide ILS support.
The ILS inspection performs the following operations:
Decodes the LDAP REQUEST/RESPONSE PDUs using the BER decode functions
Parses the LDAP packet
Extracts IP addresses
Translates IP addresses as necessary
Encodes the PDU with translated addresses using BER encode functions
Copies the newly encoded PDU back to the TCP packet
Performs incremental TCP checksum and sequence number adjustment
ILS inspection has the following limitations:
Referral requests and responses are not supported
Users in multiple directories are not unified
Single users having multiple identities in multiple directories cannot be recognized by NAT
Note: Because H.225 call signaling traffic only occurs on the secondary UDP channel, the TCP connection is disconnected after the interval specified by the TCP option in the Configuration > Firewall > Advanced > Global Timeouts pane. By default, this interval is set at 60 minutes.

SQL*Net Inspection
SQL*Net inspection is enabled by default. The SQL*Net protocol consists of different packet types that the ASA handles to make the data stream appear consistent to the Oracle applications on either side of the ASA.
The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but this value does not agree with IANA port assignments for Structured Query Language (SQL).
Note: Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The security appliance acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000, causing data transfer issues.
The ASA translates all addresses and looks in the packets for all embedded ports to open for SQL*Net Version 1. For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets with a zero data length will be fixed up. The packets that need fix-up contain embedded host/port addresses in the following format:
(ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=a))
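The Version 2 fix-up can be modeled end to end: a REDIRECT TNS frame with zero data length flags the connection, the next DATA or REDIRECT frame has its embedded (HOST=...)(PORT=...) rewritten through NAT and a pinhole opened for the announced port, and any other frame type arriving in between clears the flag. The Python below is an added example written for this page, not ASA code. It also makes visible the length-delta bookkeeping that the ILS inspection steps above (re-encode the PDU, copy it back, adjust the TCP checksum and sequence numbers) depend on, since a translated dotted-quad rarely has the same length as the original. Assumptions: a minimal TNS framing (8-byte header of length, packet checksum, type, flags, header checksum; then a 2-byte data length for REDIRECT or 2-byte flags for DATA), a static NAT table keyed by the real server address, and constructed sample addresses. SQL*Net Version 1 handling is not modeled.

```python
"""Model of the SQL*Net Version 2 REDIRECT fix-up (added example, not ASA code)."""
import re
import struct

# TNS packet type codes (assumed standard values).
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_DATA = 1, 2, 4, 5, 6
TNS_RESEND, TNS_MARKER = 11, 12
# Frame types that are not scanned and that clear the "expect fix-up" flag.
RESETTING = {TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_RESEND, TNS_MARKER}
# Embedded address in the (ADDRESS=(PROTOCOL=tcp)(DEV=6)(HOST=a.b.c.d)(PORT=n)) form.
ADDRESS_RE = re.compile(rb"\(HOST=(\d+\.\d+\.\d+\.\d+)\)\(PORT=(\d+)\)")


def build_tns(ptype: int, payload: bytes) -> bytes:
    """8-byte header (length, pkt checksum, type, flags, hdr checksum) followed by
    a 2-byte data length (REDIRECT) or 2-byte data flags (DATA), then the payload."""
    middle = struct.pack(">H", len(payload) if ptype == TNS_REDIRECT else 0)
    body = middle + payload
    return struct.pack(">HHBBH", 8 + len(body), 0, ptype, 0, 0) + body


def parse_tns(frame: bytes):
    """Return (type, 2-byte middle field, payload)."""
    length, _cksum, ptype, _flags, _hcksum = struct.unpack(">HHBBH", frame[:8])
    return ptype, frame[8:10], frame[10:length]


class SqlNetV2Fixup:
    def __init__(self, nat_table: dict):
        self.nat = nat_table      # real server IP -> translated IP (assumed static NAT)
        self.armed = False        # set by a zero-length REDIRECT
        self.pinholes = []        # (real_host, port) opened for the client's reconnect

    def process(self, frame: bytes):
        """Return (frame_to_forward, byte_delta). A non-zero delta is the amount by
        which later TCP sequence/acknowledgment numbers on this flow must shift."""
        ptype, middle, payload = parse_tns(frame)
        if ptype in RESETTING:
            self.armed = False
            return frame, 0
        if ptype == TNS_REDIRECT and len(payload) == 0:
            self.armed = True
            return frame, 0
        if ptype in (TNS_REDIRECT, TNS_DATA) and self.armed:
            self.armed = False
            new_payload = ADDRESS_RE.sub(self._translate, payload)
            if ptype == TNS_REDIRECT:
                middle = struct.pack(">H", len(new_payload))   # redirect data length
            new_frame = (struct.pack(">HHBBH", 10 + len(new_payload), 0, ptype, 0, 0)
                         + middle + new_payload)
            return new_frame, len(new_frame) - len(frame)
        return frame, 0

    def _translate(self, m) -> bytes:
        host, port = m.group(1).decode(), int(m.group(2))
        self.pinholes.append((host, port))          # open the dynamic port
        new_host = self.nat.get(host, host)          # rewrite the embedded address
        return b"(HOST=%s)(PORT=%d)" % (new_host.encode(), port)
```

With a server that is really 10.0.0.5 but is published as 203.0.113.5, the rewritten DATA frame grows by three bytes, and that delta is what the engine must carry into every later sequence and acknowledgment number on the connection.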
SQL*Net Version 2 TNSFrame types (Connect, Accept, Refuse, Resend, and Marker) will not be scanned for addresses to NAT, nor will inspection open dynamic connections for any embedded ports in the packet.
SQL*Net Version 2 Redirect and Data TNSFrames will be scanned for ports to open and addresses to NAT if preceded by a REDIRECT TNSFrame type with a zero data length for the payload. When the Redirect message with data length zero passes through the ASA, a flag will be set in the connection data structure to expect the Data or Redirect message that follows to be translated and ports to be dynamically opened. If one of the TNS frames in the preceding paragraph arrives after the Redirect message, the flag will be reset.
The SQL*Net inspection engine will recalculate the checksum, change the IP and TCP lengths, and readjust Sequence Numbers and Acknowledgment Numbers using the delta of the length of the new and old message.
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets will be scanned for ports and addresses. Addresses will be translated and port connections will be opened.

Sun RPC Inspection
This section describes Sun RPC application inspection. This section includes the following topics:
Sun RPC Inspection Overview, page 13-3
SUNRPC Server, page 13-3
Add/Edit SUNRPC Service, page 13-4

Sun RPC Inspection Overview
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by NFS and NIS. Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. It does this by querying the port mapper process, usually rpcbind, on the well-known port 111.
The client sends the Sun RPC program number of the service, and the port mapper process responds with the port number of the service. The client then sends its Sun RPC queries to the server, specifying the port identified by the port mapper process. When the server replies, the ASA intercepts this packet and opens both embryonic TCP and UDP connections on that port.
The following limitations apply to Sun RPC inspection:
NAT or PAT of Sun RPC payload information is not supported.
Sun RPC inspection supports inbound ACLs only. Sun RPC inspection does not support outbound ACLs because the inspection engine uses dynamic ACLs instead of secondary connections. Dynamic ACLs are always added on the ingress direction and not on egress; therefore, this inspection engine does not support outbound ACLs. To view the dynamic ACLs configured for the ASA, use the show asp table classify domain permit command. For information about the show asp table classify domain permit command, see the CLI configuration guide.

SUNRPC Server
Configuration > Firewall > Advanced > SUNRPC Server
The Configuration > Firewall > Advanced > SUNRPC Server pane shows which SunRPC services can traverse the ASA and their specific timeout, on a per-server basis.
Fields
Interface—Displays the interface on which the SunRPC server resides.
IP address—Displays the IP address of the SunRPC server.
Mask—Displays the subnet mask of the IP address of the SunRPC server.
Service ID—Displays the SunRPC program number, or service ID, allowed to traverse the ASA.
Protocol—Displays the SunRPC transport protocol (TCP or UDP).
Port—Displays the SunRPC protocol port range.
Timeout—Displays the idle time after which the access for the SunRPC service traffic is closed.

Add/Edit SUNRPC Service
Configuration > Firewall > Advanced > SUNRPC Server > Add/Edit SUNRPC Service
The Configuration > Firewall > Advanced > SUNRPC Server > Add/Edit SUNRPC Service dialog box lets you specify what SunRPC services are allowed to traverse the ASA and their specific timeout, on a per-server basis.
Fields
Interface Name—Specifies the interface on which the SunRPC server resides.
Protocol—Specifies the SunRPC transport protocol (TCP or UDP).
IP address—Specifies the IP address of the SunRPC server.
Port—Specifies the SunRPC protocol port range.
Mask—Specifies the subnet mask of the IP address of the SunRPC server.
Timeout—Specifies the idle time after which the access for the SunRPC service traffic is closed. Format is HH:MM:SS.
Service ID—Specifies the SunRPC program number, or service ID, allowed to traverse the ASA.
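The port mapper exchange and the SUNRPC Server table fit together as follows: the client's GETPORT call names a program number, the server's reply names a port, and a pinhole for that port is only worth opening when the server address, program number (Service ID) and transport protocol are in the table, with that row's timeout as the pinhole's idle timer. The Python below is an added example written for this page, not ASA code. It builds and decodes the RPC version 2 call and reply wire format for portmapper procedure 3 (GETPORT) with AUTH_NULL credentials, and keeps the per-server allowlist in the shape of the pane described above. The server address, program numbers (100003 NFS, 100004 NIS) and ports are constructed sample values.

```python
"""Sun RPC port mapper inspection model (added example, not ASA code)."""
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper on port 111
IPPROTO_TCP, IPPROTO_UDP = 6, 17
MSG_CALL, MSG_REPLY = 0, 1


def build_getport_call(xid: int, prog: int, vers: int, proto: int) -> bytes:
    """RPC call header (xid, CALL, rpcvers 2, prog, vers, proc), AUTH_NULL
    credential and verifier (flavor 0, length 0), then GETPORT args
    (prog, vers, prot, port=0). All fields are big-endian 32-bit (XDR)."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">IIII", 0, 0, 0, 0)
    args = struct.pack(">IIII", prog, vers, proto, 0)
    return header + auth + args


def build_getport_reply(xid: int, port: int) -> bytes:
    """RPC reply: xid, REPLY, MSG_ACCEPTED (0), AUTH_NULL verifier, SUCCESS (0), port."""
    return struct.pack(">IIIIIII", xid, MSG_REPLY, 0, 0, 0, 0, port)


def parse_getport_call(data: bytes):
    """Return (xid, prog, vers, proto) for a GETPORT call, else None."""
    if len(data) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", data[:24])
    if (mtype, rpcvers, prog, vers, proc) != (MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = 24
    for _ in range(2):      # skip credential and verifier: flavor, length, padded body
        _flavor, length = struct.unpack(">II", data[off:off + 8])
        off += 8 + ((length + 3) & ~3)
    want_prog, want_vers, proto, _port = struct.unpack(">IIII", data[off:off + 16])
    return xid, want_prog, want_vers, proto


def parse_getport_reply(data: bytes):
    """Return (xid, port) for an accepted, successful reply, else None."""
    if len(data) < 28:
        return None
    xid, mtype, reply_stat, _vflavor, _vlen, accept_stat, port = struct.unpack(">IIIIIII", data[:28])
    if mtype != MSG_REPLY or reply_stat != 0 or accept_stat != 0:
        return None
    return xid, port


class SunRpcInspector:
    def __init__(self, server_table):
        # Rows mirror the SUNRPC Server pane: (server_ip, service_id, protocol, timeout_seconds).
        self.allowed = {(ip, sid, proto): timeout for ip, sid, proto, timeout in server_table}
        self.pending = {}       # xid -> (server_ip, prog, proto) awaiting a reply
        self.pinholes = []      # (server_ip, proto, port, timeout_seconds)

    def on_client_to_server(self, server_ip: str, data: bytes) -> None:
        parsed = parse_getport_call(data)
        if parsed:
            xid, prog, _vers, proto = parsed
            self.pending[xid] = (server_ip, prog, proto)

    def on_server_to_client(self, server_ip: str, data: bytes) -> bool:
        """True if a pinhole was opened for the port the port mapper announced."""
        parsed = parse_getport_reply(data)
        if not parsed or parsed[0] not in self.pending:
            return False        # unsolicited or malformed reply: ignore
        xid, port = parsed
        ip, prog, proto = self.pending.pop(xid)
        if ip != server_ip or port == 0:
            return False        # port 0 means the program is not registered
        timeout = self.allowed.get((ip, prog, proto))
        if timeout is None:
            return False        # program/protocol not in the SUNRPC Server table
        self.pinholes.append((ip, proto, port, timeout))
        return True
```

Because the reply is matched to the call by transaction ID, a forged reply that arrives without a preceding call opens nothing; the table, not the port mapper, decides which programs may cross the firewall.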
Chapter 14 Configuring Inspection for Management Application Protocols
This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA to do deep packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput. Several common inspection engines are enabled on the ASA by default, but you might need to enable others depending on your network.
This chapter includes the following sections:
DCERPC Inspection, page 14-1
GTP Inspection, page 14-4
RADIUS Accounting Inspection, page 14-10
RSH Inspection, page 14-13
SNMP Inspection, page 14-13
XDMCP Inspection, page 14-15

DCERPC Inspection
This section describes the DCERPC inspection engine. This section includes the following topics:
DCERPC Overview, page 14-1
Select DCERPC Map, page 14-2
DCERPC Inspect Map, page 14-2
Add/Edit DCERPC Policy Map, page 14-3

DCERPC Overview
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper (EPM), listening on a well-known port number, for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
DCERPC inspect maps inspect native TCP communication between the EPM and client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Since a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, and pinholes have user-configurable timeouts.
Note: DCERPC inspection only supports communication between the EPM and clients to open pinholes through the ASA. Clients using RPC communication that does not use the EPM are not supported with DCERPC inspection.

Select DCERPC Map
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select DCERPC Map
The Select DCERPC Map dialog box lets you select or create a new DCERPC map. A DCERPC map lets you change the configuration values used for DCERPC application inspection. The Select DCERPC Map table provides a list of previously configured maps that you can select for application inspection.
Fields
Use the default DCERPC inspection map—Specifies to use the default DCERPC map.
Select a DCERPC map for fine control over inspection—Lets you select a defined application inspection map or add a new one.
Add—Opens the Add Policy Map dialog box for the inspection.
DCERPC Inspect Map
Configuration > Global Objects > Inspect Maps > DCERPC
The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection.
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely. This typically involves a client querying a server called the Endpoint Mapper (EPM) listening on a well-known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
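What the inspection engine actually has to read out of an EPM response is a protocol tower: a short list of floors whose last two carry the transport protocol with its port and the IPv4 address of the server instance. The Python below is an added example written for this page, not Cisco or Microsoft code. It encodes and decodes a five-floor tower for a connection-oriented TCP/IP binding (floor layout per DCE RPC Appendix L: protocol byte 0x0d plus UUID for the interface and transfer syntax, 0x0b for connection-oriented RPC, 0x07/0x08 for TCP/UDP with a big-endian port, 0x09 with the raw IPv4 bytes), opens a reusable pinhole with a configurable timeout as the section above describes, and rewrites the embedded address when the server is behind static NAT. The interface UUID (the SAMR interface), addresses, port and timeout are constructed sample values, and the inspector assumes the EPM reply was already matched to a client request on TCP 135.

```python
"""EPM protocol-tower decode and pinhole model (added example, not ASA code)."""
import struct
import uuid

PROTO_UUID, PROTO_RPC_CO, PROTO_TCP, PROTO_UDP, PROTO_IP = 0x0D, 0x0B, 0x07, 0x08, 0x09
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")          # NDR transfer syntax
EXAMPLE_IFACE = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")       # SAMR, used as a sample


def _floor(lhs: bytes, rhs: bytes) -> bytes:
    """One floor: little-endian lhs length, lhs, little-endian rhs length, rhs."""
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs


def build_tower(iface, ver_major, ver_minor, ip, port, proto=PROTO_TCP) -> bytes:
    floors = [
        _floor(bytes([PROTO_UUID]) + iface.bytes_le + struct.pack("<H", ver_major),
               struct.pack("<H", ver_minor)),                               # 1: interface
        _floor(bytes([PROTO_UUID]) + NDR_SYNTAX.bytes_le + struct.pack("<H", 2),
               struct.pack("<H", 0)),                                       # 2: transfer syntax
        _floor(bytes([PROTO_RPC_CO]), struct.pack("<H", 0)),                # 3: CO RPC
        _floor(bytes([proto]), struct.pack(">H", port)),                    # 4: port (big-endian)
        _floor(bytes([PROTO_IP]), bytes(int(o) for o in ip.split("."))),    # 5: IPv4 address
    ]
    body = struct.pack("<H", len(floors)) + b"".join(floors)
    return struct.pack("<I", len(body)) + body


def parse_tower(data: bytes):
    """Return (iface, ver_major, ver_minor, proto, ip, port), or None if this is
    not a well-formed TCP/UDP-over-IP tower."""
    try:
        (tower_len,) = struct.unpack("<I", data[:4])
        body = data[4:4 + tower_len]
        (count,) = struct.unpack("<H", body[:2])
        off, floors = 2, []
        for _ in range(count):
            (ll,) = struct.unpack("<H", body[off:off + 2])
            lhs, off = body[off + 2:off + 2 + ll], off + 2 + ll
            (rl,) = struct.unpack("<H", body[off:off + 2])
            rhs, off = body[off + 2:off + 2 + rl], off + 2 + rl
            floors.append((lhs, rhs))
        if len(floors) < 5 or floors[0][0][0] != PROTO_UUID or floors[4][0][0] != PROTO_IP:
            return None
        proto = floors[3][0][0]
        if proto not in (PROTO_TCP, PROTO_UDP):
            return None
        iface = uuid.UUID(bytes_le=floors[0][0][1:17])
        (ver_major,) = struct.unpack("<H", floors[0][0][17:19])
        (ver_minor,) = struct.unpack("<H", floors[0][1])
        (port,) = struct.unpack(">H", floors[3][1])
        ip = ".".join(str(b) for b in floors[4][1])
        return iface, ver_major, ver_minor, proto, ip, port
    except (struct.error, IndexError, ValueError):
        return None


class DcerpcInspector:
    """Pinholes learned from EPM replies; each is reusable until it times out."""

    def __init__(self, nat_table: dict, pinhole_timeout: float):
        self.nat = nat_table             # real server IP -> translated IP (assumed static NAT)
        self.timeout = pinhole_timeout   # the user-configurable pinhole timeout
        self.pinholes = {}               # (real_ip, proto, port) -> expiry time

    def on_epm_response(self, tower: bytes, now: float) -> bytes:
        """Record the pinhole and return the tower to forward to the client."""
        parsed = parse_tower(tower)
        if parsed is None:
            return tower
        iface, vmaj, vmin, proto, ip, port = parsed
        self.pinholes[(ip, proto, port)] = now + self.timeout
        if ip not in self.nat:
            return tower
        # The address is a fixed 4-byte field, so the rewritten tower has the
        # same length and no TCP sequence-number adjustment is needed.
        return build_tower(iface, vmaj, vmin, self.nat[ip], port, proto)

    def allow(self, ip: str, proto: int, port: int, now: float) -> bool:
        """True if the secondary connection matches an unexpired pinhole."""
        expiry = self.pinholes.get((ip, proto, port))
        return expiry is not None and now <= expiry
```

Unlike the SQL*Net case, the NAT rewrite here changes nothing but the four address bytes, and the same pinhole admits every connection the client makes to that port until the timeout elapses.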