Keep this structure in mind to help you understand the various configuration examples and scenarios that we will describe later on.

CONFIGURING CLASS-MAPS

As stated above, in this chapter we will focus only on the Layer 3/4 Class-Map. This type of class-map classifies traffic based on Layer 3 or Layer 4 attributes, such as IP address, port number, DSCP value etc. The configuration involves two steps: first configure a name for the class-map, and then use the match command under the class-map configuration mode in order to identify the traffic flow.

ASA(config)# class-map [class name]                                    <-- assign a name to the class of traffic
ASA(config-cmap)# match access-list [ACL name]                         <-- match traffic based on an ACL
ASA(config-cmap)# match port [tcp|udp] [eq port_no | range port port]  <-- match based on ports
ASA(config-cmap)# match any                                            <-- match any traffic
ASA(config-cmap)# match default-inspection-traffic                     <-- match the default ports of the supported applications (more on this later)
ASA(config-cmap)# match dscp [value]                                   <-- match specific DSCP value(s) in the IP header; e.g. "dscp ef" matches expedited forwarding packets, which are usually voice packets
ASA(config-cmap)# match precedence [value]                             <-- match specific precedence value(s) in the IP header, similar to dscp
ASA(config-cmap)# match tunnel-group [tunnel name]                     <-- match a specific site-to-site VPN tunnel or even a remote access VPN group
ASA(config-cmap)# match flow ip destination-address                    <-- must be used together with the tunnel-group command above
ASA(config-cmap)# match rtp [start port-end port]                      <-- match a port range of RTP traffic

Default Class-Map and default-inspection-traffic

By default, an out-of-the-box Cisco ASA appliance has a class-map already configured which matches the default-inspection-traffic. You can view this default class-map in the configuration by using the show run class-map command.

ASA(config)# show run class-map
class-map inspection_default
 match default-inspection-traffic

The keyword default-inspection-traffic is a special name which denotes matching of several default applications and protocols on their default ports, as shown in the table below.

Protocol/Application                     Protocol Type (tcp/udp)   Port
CTIQBE (Computer Telephony Interface)    TCP                       2748
DNS                                      UDP                       53
FTP                                      TCP                       21
GTP (GPRS Tunneling Protocol) *          UDP                       2123, 3386
H323 H225                                TCP                       1720
H323 RAS                                 UDP                       1718-1719
HTTP                                     TCP                       80
ICMP                                     N/A                       N/A
ILS (LDAP)                               TCP                       389
IPSec Pass-Through                       UDP                       500
MGCP (Media Gateway Control Protocol)    UDP                       2427, 2727
NetBIOS Name Server                      UDP                       137, 138 (source ports)
PPTP                                     TCP                       1723
RADIUS Accounting                        UDP                       1646
RSH                                      TCP                       514
RTSP                                     TCP                       554
SIP                                      TCP/UDP                   5060
SCCP (Cisco Skinny)                      TCP                       2000
SMTP-ESMTP                               TCP                       25
SNMP                                     UDP                       161, 162
SQL*Net                                  TCP                       1521
SUN RPC                                  UDP                       111
TFTP                                     UDP                       69
XDMCP                                    UDP                       177

* requires a special license

Most of the applications and protocols shown above are inspected by the ASA in its default configuration. For example, an FTP communication through the ASA between an FTP client and server uses a Control connection on port 21 and a Data connection on port 20. Normally a stateful firewall would not allow such a communication to go through, because the initial connection is on port 21 and the return FTP data traffic is on a different port (20). Using the default-inspection-traffic mechanism described above (together with the inspect command under the Global policy-map configuration), the Cisco ASA will inspect the FTP traffic in order to allow both the control and the data connection flows to pass through with no problems. The rest of the protocols from the table above either exhibit similar behavior to FTP or generally require some special handling, therefore they are inspected by the firewall on the application layer for proper communication. For example, the voice signaling protocol H323 has to be inspected on the application layer in order for the firewall to allow the voice RTP (Real Time Protocol) traffic (which works on a random range of UDP ports) to pass through the ASA for a successful VoIP communication.

Configuration Example for Class-Map

Consider a scenario where we want to apply some specific policies for the traffic reaching our company's Web Server from the Internet. Maybe we need to apply a restriction on the maximum number of simultaneous TCP connections allowed to reach our Web Server. Also, we want to prioritize voice traffic having a DSCP value of ef (expedited forwarding) that goes through a specific site-to-site IPSec VPN tunnel. We will create two class-maps which will classify the traffic that we described above:

ASA(config)# access-list websrv_traffic permit tcp any host 50.50.50.10 eq 80  <-- assume our public web server is host 50.50.50.10
ASA(config)# class-map HTTP_To_Web_Server             <-- create a class-map for the HTTP traffic
ASA(config-cmap)# match access-list websrv_traffic    <-- match traffic going to the web server
ASA(config)# class-map L2L_Voice_Traffic              <-- create a class-map for the voice LAN-to-LAN traffic
ASA(config-cmap)# match tunnel-group SITE_B_VPN       <-- match IPSec tunnel group SITE_B_VPN
ASA(config-cmap)# match dscp ef                       <-- match EF type traffic (i.e. voice)

Keep in mind the configuration snapshot above, because we will refer to it later on when we describe Policy Maps.

CONFIGURING POLICY MAPS

After classifying the traffic with a class-map, we need to assign this class-map to a Policy-Map, which is responsible for applying some actions (policies) to the selected traffic (i.e. traffic that matches a match statement in the class-map). We will focus only on Layer 3/4 Policy Maps.

The security appliance supports one Policy-Map per interface and one Global Policy-Map. Also, each Policy-Map can support multiple Class-Maps and multiple actions on traffic. For instance, in the configuration example shown in the previous section for class-maps, we have configured two class-maps, namely HTTP_To_Web_Server and L2L_Voice_Traffic
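As an added example (not from the book and not Cisco code), the following Python model shows how the Layer 3/4 class-maps described above classify a flow: the two example class-maps HTTP_To_Web_Server and L2L_Voice_Traffic and the built-in inspection_default class are rebuilt as lists of match predicates, and a flow matches a class-map only when every match statement holds. It assumes a simplified flow record in which the tunnel-group a decrypted packet arrived through and its DSCP name are carried as attributes, uses only a subset of the default-inspection-traffic table, and the ACL "any" source is modelled as 0.0.0.0/0.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List

@dataclass
class Flow:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    dscp: str = ""          # DSCP name from the IP header, e.g. "ef" for voice
    tunnel_group: str = ""  # VPN tunnel-group the flow arrived through, "" if none (modelling assumption)

# Subset of the chapter's default-inspection-traffic table: (protocol, default port)
DEFAULT_INSPECTION = {("tcp", 21), ("udp", 53), ("tcp", 80), ("tcp", 1720), ("udp", 1718),
                      ("udp", 1719), ("tcp", 5060), ("udp", 5060), ("tcp", 2000), ("udp", 69)}
Matcher = Callable[[Flow], bool]  # one 'match ...' statement of a class-map

def match_access_list(proto: str, src_net: str, dst_host: str, port: int) -> Matcher:
    # Models 'access-list X permit <proto> <src_net> host <dst_host> eq <port>' ("any" = 0.0.0.0/0)
    net = ip_network(src_net)
    return lambda f: (f.proto == proto and ip_address(f.src) in net
                      and f.dst == dst_host and f.dport == port)

def match_dscp(value: str) -> Matcher:
    return lambda f: f.dscp == value
def match_tunnel_group(name: str) -> Matcher:
    return lambda f: f.tunnel_group == name
def match_default_inspection_traffic() -> Matcher:
    return lambda f: (f.proto, f.dport) in DEFAULT_INSPECTION

@dataclass
class ClassMap:
    name: str
    matches: List[Matcher] = field(default_factory=list)
    def matches_flow(self, f: Flow) -> bool:
        # Every match statement must hold, e.g. tunnel-group AND dscp ef in L2L_Voice_Traffic
        return all(m(f) for m in self.matches)

# The chapter's two example class-maps plus the built-in inspection_default class
CLASS_MAPS = [
    ClassMap("HTTP_To_Web_Server", [match_access_list("tcp", "0.0.0.0/0", "50.50.50.10", 80)]),
    ClassMap("L2L_Voice_Traffic", [match_tunnel_group("SITE_B_VPN"), match_dscp("ef")]),
    ClassMap("inspection_default", [match_default_inspection_traffic()]),
]

def classify(f: Flow) -> List[str]:
    # Names of every class-map whose match statements the flow satisfies
    return [c.name for c in CLASS_MAPS if c.matches_flow(f)]
```

An HTTP request from the Internet to 50.50.50.10 lands in both HTTP_To_Web_Server and inspection_default, while EF-marked voice that did not arrive through SITE_B_VPN matches nothing, which is why the tunnel-group match is paired with the dscp match.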