Cisco PIX 525 Specifiche Pagina 331
- Pagina / 604
- Indice
- RISOLUZIONE PROBLEMI
- SEGNALIBRI
Valutato. / 5. Basato su recensioni clienti
21-5
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 21 Applying Application Layer Protocol Inspection
Applying Application Inspection to Selected Traffic
Applying Application Inspection to Selected Traffic
This section describes how to identify traffic to which you want to apply an inspection engine, how to
associate the inspection engine with a particular security policy, and how to apply the policy to one or
more interfaces on the security appliance. This section includes the following topics:
• Overview, page 21-5
• Identifying Traffic with a Traffic Class Map, page 21-6
• Using an Application Inspection Map, page 21-8
• Defining Actions with a Policy Map, page 21-9
• Applying a Security Policy to an Interface, page 21-10
Overview
Application inspection is enabled by default for many protocols, while it is disabled for other protocols.
In most cases, you can change the port on which the application inspection listens for traffic. To change
the default configuration for application inspection for any application inspection engine, use the
Modular Policy Framework CLI.
Modular Policy Framework provides a consistent and flexible way to configure security appliance
features in a manner to similar to Cisco IOS software Modular Quality of Server (QoS) CLI.
To use Modular Policy Framework to enable application inspection, perform the following steps:
Step 1 (Optional) Define a traffic class by entering the class-map command.
A traffic class is a set of traffic that is identifiable by its packet content. You only need to perform this
step if you want to change the default port assignments for application inspection or identify traffic to
be subjected to application inspection using other criteria, such as the IP address. For a list of default
port assignments used for application inspection, see Table 21-1.
Step 2 Create a policy map by associating the traffic class with one or more actions by entering the policy-map
command.
An action is a security feature, such as application inspection, that helps protect information or resources
on one or more protected network interfaces. Application inspection for a specific protocol is one type
of action that can be applied using Modular Policy Framework.
Step 3 (Optional) Use an application inspection map to change the parameters used for certain application
inspection engines.
The application inspection map command enables the configuration mode for a specific application
inspection engine, from where you can enter the commands required to change the configuration. The
supported application inspection map commands include the following:
• ftp-map—See Managing FTP Inspection, page 21-14.
• gtp-map—See Managing GTP Inspection, page 21-19.
• http-map—See Managing HTTP Inspection, page 21-30.
• mgcp-map—See Managing MGCP Inspection, page 21-33.
• snmp-map—See Managing SNMP Inspection, page 21-53.
For detailed information about the syntax for each of these commands, see the Cisco Security Appliance
Command Reference.
- Configuration Guide 1
- CONTENTS 3
- 2 Getting Started 2-1 4
- 9 Configuring IPv6 9-1 6
- 11 Configuring Failover 11-1 7
- 2 Configuring the Firewall 9
- 14 Applying NAT 14-1 10
- Contents 11
- OL-6721-01 11
- 20 Applying QoS Policies 20-1 13
- 3 Configuring VPN 16
- 4 System Administration 19
- B Sample Configurations B-1 21
- About This Guide 23
- Related Documentation 24
- Document Organization 24
- Part 3: Configuring VPN 25
- Document Conventions 26
- Obtaining Documentation 27
- Documentation Feedback 27
- Submitting a Service Request 28
- Firewall Functional Overview 33
- Security Policy Overview 34
- Stateful Inspection Overview 36
- VPN Functional Overview 37
- Security Context Overview 37
- Security Context Overview 38
- Getting Started 39
- Saving Configuration Changes 41
- Viewing the Configuration 41
- Interface.” 43
- Unsupported Features 46
- Context Configuration Files 46
- Shared Interface Guidelines 51
- Cascading Security Contexts 53
- Restoring Single Context Mode 55
- Configuring Ethernet Settings 57
- Configuring Subinterfaces 58
- Configuring Subinterfaces 60
- Removing a Security Context 65
- Changing the Admin Context 65
- Reloading a Security Context 67
- Monitoring Security Contexts 68
- Viewing Resource Usage 69
- Security Level Overview 71
- Configuring the Interface 72
- Security Level 74
- Configuring Basic Settings 77
- Setting the Hostname 78
- Setting the Domain Name 78
- Setting the Date and Time 78
- Configuring a Static Route 84
- Configuring OSPF 85
- OSPF Overview 86
- Enabling OSPF 87
- Adding a Route Map 88
- Configuring OSPF NSSA 93
- Generating a Default Route 95
- Monitoring OSPF 97
- Restarting the OSPF Process 97
- Configuring RIP 98
- Configuring Multicast Routing 99
- Enabling Multicast Routing 100
- Configuring IGMP Features 100
- Configuring Group Membership 101
- Changing the IGMP Version 103
- Configuring PIM Features 104
- Configuring DHCP 106
- Configuring DHCP Options 108
- Configuring the DHCP Client 110
- Configuring IPv6 111
- Configuring IPv6 Access Lists 114
- The show ipv6 route Command 116
- IPv6 Configuration Example 117
- AAA Overview 119
- About Authentication 120
- About Authorization 120
- About Accounting 120
- Summary of Support 121
- RADIUS Server Support 122
- TACACS+ Server Support 123
- SDI Server Support 124
- NT Server Support 125
- Kerberos Server Support 125
- LDAP Server Support 126
- Local Database Support 126
- Fallback Support 127
- Configuring Failover 133
- Failover System Requirements 134
- The Failover and State Links 135
- State Link 136
- Active/Standby Failover 137
- Understanding Failover 138
- Command Replication 139
- Failover Triggers 140
- Failover Actions 140
- Active/Active Failover 141
- Regular and Stateful Failover 145
- Failover Health Monitoring 146
- Prerequisites 148
- Configuring the Primary Unit 150
- Configuring Failover Criteria 154
- Configure the Primary Unit 157
- Configure the Secondary Unit 159
- Figure 11-1 ASR Example 163
- Configuring Failover 164
- Show Failover—Active/Active 169
- Viewing Monitored Interfaces 173
- Forcing Failover 174
- Disabling Failover 175
- Monitoring Failover 175
- Debug Messages 176
- Configuring the Firewall 185
- Firewall Mode Overview 187
- IP Routing Support 188
- Network Address Translation 188
- Routed Mode Overview 189
- Figure 12-2 Inside to Outside 190
- Transparent Mode Overview 194
- Transparent Firewall Features 195
- Transparent Mode Overview 196
- Access List Overview 203
- Access List Types and Uses 204
- Access List Overview 206
- VPN Access (Extended) 207
- Access List Guidelines 208
- Access Control Implicit Deny 209
- Adding a Standard Access List 215
- Adding Object Groups 216
- Adding a Network Object Group 217
- Adding a Service Object Group 217
- Nesting Object Groups 219
- Displaying Object Groups 221
- Removing Object Groups 221
- Time Range Options 222
- Logging Access List Activity 222
- Access List Logging Overview 223
- access_list_name 224
- Managing Deny Flows 225
- Applying NAT 227
- Introduction to NAT 228
- NAT Control 229
- Chapter 14 Applying NAT 230
- NAT Overview 230
- NAT Types 231
- Static NAT 233
- Static PAT 233
- Figure 14-7 Static PAT 234
- Policy NAT 235
- Mapped Address Guidelines 239
- DNS and NAT 240
- Configuring NAT Control 241
- Using Dynamic NAT and PAT 242
- Global 2: 209.165.201.11 245
- NAT 2: 192.168.1.0/24 245
- Figure 14-19 Dynamic NAT 248
- Figure 14-20 Dynamic PAT 248
- Using Static NAT 251
- Using Static PAT 252
- Bypassing NAT 255
- 209.165.201.1 209.165.201.1 256
- Inside Outside 256
- 209.165.201.2 209.165.201.2 256
- Security 256
- Appliance 256
- Configuring NAT Exemption 257
- NAT Examples 258
- Overlapping Networks 259
- Redirecting Ports 260
- NAT Examples 262
- AAA Performance 269
- Authentication Overview 270
- Applying Filtering Services 281
- Filtering ActiveX Objects 282
- Filtering Java Applets 283
- Filtering Overview 284
- General Procedure 285
- Filtering HTTP URLs 287
- Filtering HTTPS URLs 288
- Filtering FTP Requests 289
- Viewing Caching Statistics 291
- Overview 293
- Class Map Example 296
- Policy Map Procedure 297
- Policy Map Examples 298
- Restrictions 299
- Action Order 301
- Advanced Options 302
- Types of Direction Policies 303
- Implicit Direction Policies 303
- Examples 303
- Service Policy and NAT 306
- Configuring TCP Normalization 310
- Preventing IP Spoofing 311
- Configuring the Fragment Size 313
- Blocking Unwanted Connections 313
- Applying QoS Policies 315
- QoS Concepts 316
- Identifying Traffic for QoS 317
- Classifying Traffic for QoS 318
- Defining a QoS Policy Map 320
- Applying Rate Limiting 320
- Verifying QoS Statistics 322
- Activating the Service Policy 323
- Applying Low Latency Queueing 323
- Configuring Priority Queuing 324
- Sizing the Priority Queue 324
- Reducing Queue Latency 324
- Viewing QoS Statistics 325
- How Inspection Engines Work 328
- Supported Protocols 329
- Managing CTIQBE Inspection 336
- Managing FTP Inspection 340
- Configuring FTP Inspection 341
- Managing GTP Inspection 345
- Managing H.323 Inspection 350
- Limitations and Restrictions 351
- Monitoring H.225 Sessions 354
- Monitoring H.245 Sessions 355
- Monitoring H.323 RAS Sessions 355
- Managing HTTP Inspection 356
- Managing MGCP Inspection 359
- MGCP Inspection Overview 360
- Managing MGCP Inspection 361
- Managing RTSP Inspection 365
- RTSP Inspection Overview 366
- Using RealPlayer 366
- Restrictions and Limitations 367
- Managing SIP Inspection 369
- SCCP Inspection Overview 373
- Supporting Cisco IP Phones 374
- Managing SNMP Inspection 379
- SNMP Inspection Overview 380
- Parameters 383
- Adding a Static ARP Entry 384
- Enabling ARP Inspection 384
- MAC Address Table Overview 385
- Adding a Static MAC Address 385
- Viewing the MAC Address Table 386
- Configuring VPN 387
- Configuring IPSec and ISAKMP 389
- IPSec Overview 390
- Configuring ISAKMP 390
- ISAKMP Overview 391
- Configuring ISAKMP Policies 392
- Enabling IPSec over NAT-T 395
- Enabling IPSec over TCP 395
- Configuring IPSec 399
- Understanding Transform Sets 400
- Defining Crypto Maps 400
- Using Interface Access Lists 401
- Configuring IPSec 402
- Changing IPSec SA Lifetimes 403
- Using Dynamic Crypto Maps 406
- Configuring Client Update 412
- Configuring Client Update 414
- • Group Policies, page 25-10 415
- Tunnel Groups 416
- IPSec Connection Parameters 417
- Configuring Tunnel Groups 418
- Group Policies 424
- Default Group Policy 425
- Configuring Group Policies 426
- ACL name 428
- Configuring Users 440
- Configuring Specific Users 441
- Configuring User Attributes 442
- Configuring Users 446
- Configuring AAA Addressing 448
- Configuring DHCP Addressing 449
- Summary of the Configuration 451
- Configuring Interfaces 452
- Outside Interface 453
- Configuring an Address Pool 454
- Adding a User 454
- Creating a Transform Set 454
- Defining a Tunnel Group 455
- Step 4 Save your changes 456
- Step 3 Save your changes 456
- Configuring LAN-to-LAN VPNs 459
- Configuring an ACL 462
- Step 2 Save your changes 465
- Configuring Certificates 467
- Certificate Scalability 468
- About Key Pairs 468
- About Trustpoints 469
- About CRLs 469
- Certificate Configuration 470
- Configuring Key Pairs 471
- Configuring Trustpoints 472
- Obtaining Certificates 474
- [ certificate data omitted ] 476
- [ PKCS12 data omitted ] 480
- System Administration 483
- Managing System Access 485
- Allowing SSH Access 486
- Using an SSH Client 487
- Changing the Login Password 487
- Recovering from a Lockout 499
- Configuring a Login Banner 500
- Configurations 501
- Entering a New Activation Key 502
- Installation Overview 502
- Viewing Files in Flash Memory 502
- Backing Up the Configuration 506
- Using System Log Messages 509
- Using SNMP 509
- Enabling SNMP 511
- Testing Your Configuration 512
- Performing Password Recovery 517
- Other Troubleshooting Tools 519
- Common Problems 520
- Supported Platforms 523
- Platform Feature Licenses 523
- Platform Feature Licenses 524
- VPN Specifications 526
- Cryptographic Standards 527
- VPN Specifications 528
- Sample Configurations 529
- Figure B-2 Example 2 534
- Figure B-3 Example 3 536
- APPENDIX 545
- Command Modes and Prompts 546
- Syntax Formatting 547
- Abbreviating Commands 547
- Command-Line Editing 547
- Command Completion 547
- Command Help 548
- Filtering show Command Output 548
- Command Output Paging 549
- Adding Comments 549
- Text Configuration Files 550
- Line Order 551
- Passwords 551
- Text Configuration Files 552
- Private Networks 554
- Subnet Masks 554
- Determining the Subnet Mask 555
- Class C-Size Network Address 556
- Class B-Size Network Address 556
- IPv6 Addresses 557
- IPv6 Address Types 558
- Global Address 559
- Site-Local Address 559
- Link-Local Address 559
- Unspecified Address 560
- Loopback Address 560
- Interface Identifiers 560
- Multicast Address 560
- Anycast Address 561
- IPv6 Address Prefixes 562
- Protocols and Applications 563
- TCP and UDP Ports 564
- TCP and UDP Ports 565
- Local Ports and Protocols 566
- ICMP Types 567
- ICMP Types 568
- Numerics 569
- Glossary 570
© 2020, manymanuals.it. Tutti i diritti riservati | 0.098 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Commenti su questo manuale