
The Cisco Modular Policy Framework

Lesson 9

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—9-1


Modular Policy Framework Overview


Modular Policy Framework Overview

[Diagram: Systems Engineers site, Site B and Site C connected through the Internet to Headquarters over 384 kbps links]

The Cisco Modular Policy Framework provides greater granularity and more flexibility when configuring network policies.
• Define flows of traffic
• Associate security policy to traffic flows
• Enable a set of security policies on an interface or globally


Modular Policy

[Diagram: Systems Engineers site, Site B and Site C connected through the Internet to Headquarters over 384 kbps links]

Modular policy provides greater granularity and more flexibility.

Class Map (traffic flow)   Policy Map (action)   Service Policy (where applied)
INTERNET                   Inspect               OUTSIDE policy map, applied to the outside interface
SE                         Police                OUTSIDE policy map, applied to the outside interface
S2S_VOICE                  Priority              OUTSIDE policy map, applied to the outside interface
Default inspection         global_policy         Global


Configuring a Class Map


Assigning a Class Map Name

To configure a class map:
• Name a class
• Define matching attributes

asa1(config)# class-map INTERNET
asa1(config-cmap)# exit
asa1(config)# class-map SE
asa1(config-cmap)# exit
asa1(config)# class-map S2S_VOICE

• Assigns names to three classes of traffic: INTERNET, SE, and S2S_VOICE


Defining a Class of Traffic

To configure a class map:
• Name a class
• Define matching attributes

Define a class of traffic by matching:
• access-list: Match ACL
• any: Match any packet
• default-inspection-traffic: Match inspection commands
• dscp: Match IP differentiated services code point
• flow: Match the destination IP address
• port: Match TCP and UDP port(s)
• precedence: Match IP precedence
• rtp: Match RTP port numbers
• tunnel-group: Match a VPN tunnel group


Example: Defining a Class of Traffic

To configure a class map:
• Name a class
• Define matching attributes

asa1(config)# class-map SE
asa1(config-cmap)# match tunnel-group SE
asa1(config-cmap)# match flow ip destination-address
asa1(config-cmap)# exit
asa1(config)# class-map S2S_VOICE
asa1(config-cmap)# match tunnel-group SITE_C
asa1(config-cmap)# match dscp cs5


show running-config class-map Command

asa1(config)# show running-config class-map
class-map INTERNET
 match access-list INTERNET
class-map SE
 match flow ip destination-address
 match tunnel-group SE
class-map S2S_VOICE
 match dscp cs5
 match tunnel-group SITE_C
class-map inspection_default
 match default-inspection-traffic


Configuring a Policy Map


Policy Map Overview

These are the steps to configure a Layer 3 or 4 policy map:
• Name the policy map
• Identify a class of traffic
• Associate an action or actions with the class

Class + Policy = Policy Map

Class                Policy     Policy Map
INTERNET             Inspect    OUTSIDE_POLICY
SE                   Police     OUTSIDE_POLICY
S2S_VOICE            Priority   OUTSIDE_POLICY
Default inspection   inspect    global_policy


Assigning a Policy Map Name

To configure a policy map:
• Name the policy map
• Identify a class
• Associate an action or actions with the class

asa1(config)# policy-map OUTSIDE_POLICY
asa1(config-pmap)# class INTERNET
asa1(config-pmap-c)# ?

• Creates the policy map name OUTSIDE_POLICY
• Assigns the INTERNET class to the OUTSIDE_POLICY policy map


Defining a Policy for the Class

Define policy actions associated with one or more classes of traffic.

asa1(config)# policy-map OUTSIDE_POLICY
asa1(config-pmap)# class INTERNET
asa1(config-pmap-c)# ?

MPF policy-map class configuration commands:
  csc       Content Security and Control service module
  exit      Exit from MPF class action configuration mode
  help      Help for MPF policy-map configuration commands
  inspect   Protocol inspection services
  IPS       Intrusion Protection services
  no        Negate or set default values of a command
  police    Police
  priority  Strict scheduling priority for this class
  quit      Exit from MPF class action configuration mode
  set       Set connection values


Policy Directionality and Order of Application

[Diagram: a policy applied to an interface and a policy applied globally, each evaluated in the order listed]

Order of application:
• Connection limits, connection timeouts, and TCP sequence number randomization
• CSC
• Application inspection
• IPS
• QoS input policing
• QoS output policing
• QoS priority queuing


CSC Policy Overview

[Diagram: HTTP, SMTP, FTP and POP3 traffic from the Internet directed to the CSC module]

• Identify traffic to be scanned by using an access list match criterion in a class map.
• Use the csc command to:
  – Instruct the Cisco ASA CSC SSM to scan traffic specified in the class map.
  – Specify how the ASA security appliance should handle matching traffic when the Cisco ASA CSC SSM is not available.

ciscoasa(config-pmap-c)#
csc {fail-close | fail-open}


Example: Content Security and Control Policy

[Diagram: web and FTP traffic from the 10.0.1.0 network passes through the ASA with CSC SSM toward the Internet, the 172.16.1.0 network and the 192.168.1.0 network]

• Sends the OUTBOUND class of traffic to the Cisco ASA CSC SSM
• Blocks traffic if the Cisco ASA CSC SSM fails

asa1(config)# access-list CSC_OUT permit tcp 10.0.1.0 255.255.255.0 any eq 21
asa1(config)# access-list CSC_OUT deny tcp 10.0.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 80
asa1(config)# access-list CSC_OUT permit tcp 10.0.1.0 255.255.255.0 any eq 80
asa1(config)# class-map OUTBOUND
asa1(config-cmap)# match access-list CSC_OUT
asa1(config-cmap)# exit
asa1(config)# policy-map INSIDE_POLICY
asa1(config-pmap)# class OUTBOUND
asa1(config-pmap-c)# csc fail-close
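The CSC_OUT access list above only does what the slide intends because its entries are evaluated in order. The following Python, added here and not part of the Cisco course material, replays that first-match evaluation for a few constructed flows: a permit entry places the flow in the OUTBOUND class (scanned by the CSC SSM, blocked if the module fails), the deny entry keeps 10.0.1.0/24 web traffic to 172.16.1.0/24 out of the class, and anything unmatched is never scanned.

```python
# Added example, not from the Cisco course: replays first-match evaluation of the
# CSC_OUT access list for "match access-list" in the OUTBOUND class map.
# A permit entry puts the flow in the class; deny or no match leaves it out.
import ipaddress

CSC_OUT = [  # access-list entries as written on the slide
    "permit tcp 10.0.1.0 255.255.255.0 any eq 21",
    "deny tcp 10.0.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 80",
    "permit tcp 10.0.1.0 255.255.255.0 any eq 80",
]

def _network(tokens):
    """Consume 'any' or 'address mask' from tokens; return (network, remaining)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    src, rest = _network(tokens[2:])
    dst, rest = _network(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # None = any port
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "dport": port}

def in_class(acl, proto, src, dst, dport):
    """True when the first matching entry is a permit (flow belongs to the class)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if (ace["proto"] == proto and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"] == "permit"
    return False  # implicit deny at the end of the ACL: not in the class

def csc_decisions(acl=CSC_OUT):
    """Constructed flows -> whether the csc fail-close action applies to them."""
    flows = [
        ("tcp", "10.0.1.5", "198.51.100.7", 80),     # inside host to Internet web
        ("tcp", "10.0.1.5", "172.16.1.9", 80),       # inside host to 172.16.1.0 web
        ("tcp", "10.0.1.5", "198.51.100.7", 21),     # inside host to Internet FTP
        ("tcp", "192.168.1.5", "198.51.100.7", 80),  # other subnet, no entry matches
    ]
    return {flow: in_class(acl, *flow) for flow in flows}
```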


Inspection Policy Overview

[Diagram: FTP traffic from the Internet inspected on the way to Headquarters]

• inspect: Keyword to set inspection policy

asa1(config-pmap-c)# help inspect

USAGE:
[no] inspect gtp <gtp_map>
[no] inspect mgcp <mgcp_map>
[no] inspect http <http_map>
[no] inspect snmp <snmp_map>
[no] inspect ftp [strict] [ftp_map]
[no] inspect dcerpc [dcerpc_map]
[no] inspect icmp
[no] inspect icmp error
[no] inspect h323 ras|h225
[no] inspect dns maximum-length <max_pkt_len>
[no] inspect netbios [netbios_map]
[no] inspect pptp |sunrpc | ctiqbe | ils | rsh | rtsp | sip |
skinny | esmtp | sqlnet | xdmcp | tftp | ipsec-pass-thru. . .


Intrusion Prevention Policy Overview

[Diagram: traffic from the Internet passed through the IPS module on the way to Headquarters]

• IPS: Keyword to set intrusion prevention services policy
• Define Cisco ASA AIP SSM operation
  – Inline mode: Directs packets to the Cisco ASA AIP SSM
  – Promiscuous mode: Duplicates packets and sends duplicates to the Cisco ASA AIP SSM
• Define action if Cisco ASA AIP SSM fails
  – fail-close: Blocks traffic if the Cisco ASA AIP SSM fails
  – fail-open: Permits traffic if the Cisco ASA AIP SSM fails
Example: Intrusion Prevention Policy

[Diagram: traffic from the Internet passed through the IPS module on the way to Headquarters]

ciscoasa(config-pmap-c)#
IPS {inline | promiscuous} {fail-close | fail-open}

asa1(config)# policy-map OUTSIDE_POLICY
asa1(config-pmap)# class INTERNET
asa1(config-pmap-c)# IPS inline fail-open

• Sends the INTERNET class of packets to the Cisco ASA AIP SSM
• If the Cisco ASA AIP SSM fails, permits traffic


Police Policy Overview

[Diagram: frames from the Systems Engineers site (T1) toward Headquarters are policed at a rate of 56,000 bps with a burst of 10,500 bytes; frames within the burst are transmitted, frames beyond it are dropped]

• Specify the direction of the traffic you want to police.
• Define a police rate limit.
• (Optional) Define the burst size.
• (Optional) Define action to be taken when traffic conforms to burst size.
• (Optional) Define action to be taken when traffic exceeds burst size.
Example: Police Policy

[Diagram: frames from the Systems Engineers site (T1) toward Headquarters policed at 56,000 bps with a 10,500-byte burst; conform: transmit, exceed (burst size): drop]

ciscoasa(config)#
police {input | output} conform-rate [burst-size | conform-action {drop | transmit} | exceed-action {drop | transmit}]

asa1(config)# policy-map OUTSIDE_POLICY
asa1(config-pmap)# class SE
asa1(config-pmap-c)# police output 56000 10500 conform-action transmit exceed-action drop
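To see what the 56000 bps rate and 10,500-byte burst mean for actual frames, here is a single-rate token-bucket model of the police command above. It is an added example, not Cisco code; the packet sizes and arrival times are constructed, and the counter names mirror the conformed/exceeded lines of show service-policy.

```python
# Added example, not from the Cisco course: single-rate token-bucket model of
# "police output 56000 10500 conform-action transmit exceed-action drop".
# The traffic below is constructed sample input.
def police(packets, rate_bps=56000, burst_bytes=10500):
    """Run (arrival_time_s, size_bytes) packets through the policer.

    The bucket holds bytes, starts full at burst_bytes and refills at
    rate_bps / 8 bytes per second, never above burst_bytes. A packet that
    fits in the bucket conforms (transmit); otherwise it exceeds (drop).
    Returns counters shaped like the show service-policy police lines.
    """
    tokens = float(burst_bytes)
    last = packets[0][0] if packets else 0.0
    stats = {"conformed_pkts": 0, "conformed_bytes": 0,
             "exceeded_pkts": 0, "exceeded_bytes": 0}
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:          # conform-action transmit
            tokens -= size
            stats["conformed_pkts"] += 1
            stats["conformed_bytes"] += size
        else:                       # exceed-action drop
            stats["exceeded_pkts"] += 1
            stats["exceeded_bytes"] += size
    return stats

def burst_then_steady():
    """Constructed traffic: ten 1500-byte frames at t=0 (15,000 bytes, more than
    the 10,500-byte burst), then one 1500-byte frame every 0.25 s from t=1.0,
    which is 48 kbps and therefore below the 56 kbps rate."""
    packets = [(0.0, 1500)] * 10 + [(1.0 + 0.25 * i, 1500) for i in range(8)]
    return police(packets)

def sustained_overload():
    """Constructed traffic: a 1500-byte frame every 0.1 s (120 kbps) for 5 s;
    after the burst drains, only about 56 kbps worth of frames get through."""
    return police([(0.1 * i, 1500) for i in range(50)])
```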


Priority Policy Overview

[Diagram: site-to-site links from Site B and Site C through the Internet to Headquarters]

• Use the priority command to enable low latency queuing for delay-sensitive, high-priority traffic.
• Use the priority-queue command to enable priority queuing for each interface on which you want the security appliance to perform priority queuing.


Example: Priority Policy

[Diagram: site-to-site links from Site B and Site C through the Internet to Headquarters]

asa1(config)# policy-map OUTSIDE_POLICY
asa1(config-pmap)# class S2S_VOICE
asa1(config-pmap-c)# priority
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit
asa1(config)# priority-queue outside

• Sets low latency queuing policy for site-to-site voice traffic


Set Connection Policy Overview

[Diagram: Systems Engineers site, Site B and Site C connected through the Internet to Headquarters over 384 kbps links]

• advanced-options: Advanced connection parameters
• conn-max: Maximum number of simultaneous connections
• embryonic-conn-max: Maximum number of embryonic connections
• per-client-embryonic-max: Maximum number of TCP embryonic connections per client machine
• per-client-max: Maximum number of per-client connections
• random-sequence-number: Enables or disables TCP sequence number randomization
• timeout: Connection timeouts


Example: Set Connection Policy

[Diagram: traffic from the Internet to Headquarters]

ciscoasa(config)#
set connection {advanced-options tcp_map_name | conn-max conn_max |
  embryonic-conn-max econn_max | per-client-max conn_max |
  per-client-embryonic-max econn_max | random-sequence-number {enable | disable}}

asa1(config)# policy-map OUTSIDE_POLICY
asa1(config-pmap)# class DMZ_SERVERS
asa1(config-pmap-c)# set connection conn-max 200
asa1(config-pmap-c)# set connection embryonic-conn-max 25

• Sets the connection and embryonic-connection maximums for DMZ server traffic.


show running-config policy-map Command

asa1# show running-config policy-map
!
policy-map INSIDE_POLICY
 class OUTBOUND
  csc fail-close
policy-map OUTSIDE_POLICY
 class INTERNET
  ips inline fail-open
 class SE
  police output 56000 10500
 class S2S_VOICE
  priority
. . .


Configuring a Service Policy


Service Policy Overview

To configure a service policy:
• Name a policy
• Enable the policy globally or on an interface

[Diagram: Systems Engineers site, Site B and Site C connected through the Internet to Headquarters over 384 kbps links]

ciscoasa(config)#
service-policy policy_map_name {global | interface if_name}

asa1(config)# service-policy OUTSIDE_POLICY interface outside

• Activates the OUTSIDE_POLICY service policy on the outside interface


show running-config service-policy Command

[Diagram: global_policy applied globally; OUTSIDE_POLICY applied to the outside interface]

• Display all running service policies

asa1# show running-config service-policy
service-policy global_policy global
service-policy OUTSIDE_POLICY interface outside
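Before a service policy goes live it is worth cross-checking the references between the three layers, since a policy map that no service-policy applies (INSIDE_POLICY with its csc fail-close action, in the running configuration shown on these slides) enforces nothing. The Python below is an added example, not from the course: it parses class-map, policy-map and service-policy lines (a trimmed configuration built from the slides; the global_policy body is constructed), flags classes with no class-map and policy maps that are never applied, and lists the actions in force on an interface, showing the interface's own policy first and the global policy after it.

```python
# Added example, not part of the Cisco course: parses class-map / policy-map /
# service-policy lines (trimmed from the slides; global_policy body constructed)
# and cross-checks the references before the policy is applied.
RUNNING_CONFIG = """\
class-map INTERNET
 match access-list INTERNET
class-map inspection_default
 match default-inspection-traffic
policy-map INSIDE_POLICY
 class OUTBOUND
  csc fail-close
policy-map OUTSIDE_POLICY
 class INTERNET
  ips inline fail-open
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
service-policy OUTSIDE_POLICY interface outside
"""
def parse_mpf(text):
    """Return (class_maps, policy_maps, service_policies) from running-config text."""
    cmaps, pmaps, sp, cur, pm = {}, {}, {}, None, None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "class-map":            # match criteria collect into cur
            cur, pm = cmaps.setdefault(w[1], []), None
        elif w[0] == "policy-map":         # classes collect into pm
            pm, cur = pmaps.setdefault(w[1], {}), None
        elif w[0] == "service-policy":     # keyed by interface name or "global"
            sp["global" if w[2] == "global" else w[3]] = w[1]
        elif w[0] == "class" and pm is not None:
            cur = pm.setdefault(w[1], [])  # actions for this class
        elif cur is not None:
            cur.append(" ".join(w))
    return cmaps, pmaps, sp
def lint(text):
    """Dangling references and policy maps that are never applied."""
    cmaps, pmaps, sp = parse_mpf(text)
    issues = [f"{n}: class {c} has no class-map" for n, cl in pmaps.items() for c in cl if c not in cmaps]
    issues += [f"{n}: not applied by any service-policy" for n in pmaps if n not in sp.values()]
    issues += [f"{t}: policy-map {p} not defined" for t, p in sp.items() if p not in pmaps]
    return issues
def active_actions(text, interface):
    """(policy-map, class, action) in force on an interface: its own policy, then global."""
    _, pmaps, sp = parse_mpf(text)
    return [(sp[t], c, a) for t in (interface, "global") if t in sp
            for c, acts in pmaps[sp[t]].items() for a in acts]
```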


Displaying Service Policies

asa1# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      . . .

Interface outside:
  Service-policy: OUTSIDE_POLICY
    Class-map: INTERNET
      IPS: card-status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
    Class-map: SE
      Output police Interface outside:
        cir 56000 bps, bc 10500 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
    Class-map: S2S_VOICE
      Priority:
      . . .


Summary


Summary

• The Cisco Modular Policy Framework provides greater granularity and more flexibility for configuring network policies.
• Configure a class map by naming a class and specifying a matching class of traffic.
• Configure a policy map by specifying a class and associating an action to the class of traffic.
• Configure a service policy by specifying a policy map name and applying the policy map globally or to an interface.

