
Inspecting Traffic

The ASA offers much more flexibility through its Modular Policy Framework (MPF). In a nutshell, the MPF provides an organized and scalable means of defining inspection policies for network traffic flows. With the MPF feature, you can define a set of policies that identifies traffic and then takes some specific actions on it. The MPF doesn't replace the use of ACLs; it simply augments ACLs with additional functionality.

The MPF concept might be confusing at first, especially when you begin trying to configure it or reverse engineer it for the first time. Think of the MPF as a set of three nested items:

- Service policy: An entire set of policies that is applied to one or all ASA interfaces, configured with the service-policy command
- Policy map: Where an action is taken on matched traffic, configured with the policy-map command
- Class map: Where specific traffic flows are identified or classified, configured with the class-map command

Because the MPF is designed to be modular, a service policy can contain one or more policy maps, which can, in turn, contain one or more class maps. As well, any class maps you define can be referenced in multiple policy maps and service policies.

To get an idea of the MPF structure, you can look at the policies that are configured by default in an ASA. First, you can use the show running-config service-policy command to see which service policies have been defined and applied to the ASA interfaces. Example 9-1 shows a default service policy that refers to something called global_policy, which has been applied globally to all ASA interfaces. A service policy always references a policy map, the next level down in the MPF hierarchy.

Example 9-1 Displaying the Default Service Policies

ciscoasa# show running-config service-policy
service-policy global_policy global
ciscoasa#

Now you know that the name of the policy map is global_policy, but what does it do? Next, you can look for the policy map configuration to find out. Use the show running-config policy-map global_policy command to display its contents, as shown in Example 9-2.

Example 9-2 Displaying a Policy Map Configuration

ciscoasa# show running-config policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
ciscoasa#

You can use the following steps to configure a security policy:

Step 1. Define a Layer 3-4 class map.
Step 2. Define a Layer 3-4 policy map.
Step 3. Apply the policy map to the appropriate interfaces.
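The three steps as they would be typed on an ASA, given here as an added example that is not from the book: the ACL, class map and policy map names are invented, and an interface named outside is assumed. The class map identifies web traffic on a non-standard port so that the HTTP inspection engine is applied where the default inspection class (which matches only standard ports) would not see it.

```text
! Step 1: a Layer 3-4 class map identifies the traffic (names are examples).
access-list WEB_ALT extended permit tcp any any eq 8080
class-map HTTP_ALT_CLASS
 match access-list WEB_ALT
!
! Step 2: a Layer 3-4 policy map binds an action to the matched class.
policy-map OUTSIDE_POLICY
 class HTTP_ALT_CLASS
  inspect http
!
! Step 3: apply the policy map to one interface (assumed to be named outside).
! Only one service policy may be applied per interface, plus one global policy;
! for traffic that matches a class in both, the interface policy's action is
! the one applied.
service-policy OUTSIDE_POLICY interface outside
!
! Verify the nesting and the per-class packet counters on that interface.
show service-policy interface outside
```

The show service-policy output lists the policy map, each class and each inspect action with its counters, which is the quickest way to confirm that the class is actually matching traffic rather than being applied to nothing.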
