
ICMP inspection – Cisco ASA 5505 User Manual


43-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols


Step 7

To configure parameters that affect the inspection engine, perform the following steps:

a. To enter parameters configuration mode, enter the following command:

hostname(config-pmap)# parameters
hostname(config-pmap-p)#

b. To check for HTTP protocol violations, enter the following command:

hostname(config-pmap-p)# protocol-violation [action [drop-connection | reset | log]]

Where the drop-connection action closes the connection. The reset action closes the connection and sends a TCP reset to the client. The log action sends a system log message when this policy map matches traffic.

c. To substitute a string for the server header field, enter the following command:

hostname(config-pmap-p)# spoof-server string

Where the string argument is the string to substitute for the server header field. Note: WebVPN streams are not subject to the spoof-server command.

The following example shows how to define an HTTP inspection policy map that will allow and log any HTTP connection that attempts to access "www\.xyz.com/.*\.asp" or "www\.xyz[0-9][0-9]\.com" with methods "GET" or "PUT". All other URL/method combinations will be silently allowed.

hostname(config)# regex url1 "www\.xyz.com/.*\.asp"
hostname(config)# regex url2 "www\.xyz[0-9][0-9]\.com"
hostname(config)# regex get "GET"
hostname(config)# regex put "PUT"
hostname(config)# class-map type regex match-any url_to_log
hostname(config-cmap)# match regex url1
hostname(config-cmap)# match regex url2
hostname(config-cmap)# exit
hostname(config)# class-map type regex match-any methods_to_log
hostname(config-cmap)# match regex get
hostname(config-cmap)# match regex put
hostname(config-cmap)# exit
hostname(config)# class-map type inspect http http_url_policy
hostname(config-cmap)# match request uri regex class url_to_log
hostname(config-cmap)# match request method regex class methods_to_log
hostname(config-cmap)# exit
hostname(config)# policy-map type inspect http http_policy
hostname(config-pmap)# class http_url_policy
hostname(config-pmap-c)# log
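The example above stops at the log action: it never fills in the Step 7 parameters and never attaches the policy map to a service policy, so as written it inspects nothing. The following configuration is an added example, not text from the manual; it carries the same policy through to the point where traffic is actually inspected. Two details differ from the page's example and are worth noting: the second dot in url1 is escaped (the page's pattern "www\.xyz.com" leaves it unescaped, so it also matches "www.xyzXcom"), and the inspect class map is given match-all explicitly, which is the default and is what "URL with method GET or PUT" requires. The spoof-server value, the use of the ASA's default global_policy/inspection_default, and the protocol-violation action are assumptions chosen for the example.

```cisco
! Regular expressions; every literal dot escaped (url1 is tighter than the page's version)
regex url1 "www\.xyz\.com/.*\.asp"
regex url2 "www\.xyz[0-9][0-9]\.com"
regex get "GET"
regex put "PUT"
!
class-map type regex match-any url_to_log
 match regex url1
 match regex url2
class-map type regex match-any methods_to_log
 match regex get
 match regex put
!
! match-all is the default for inspect class maps: URI and method must both match
class-map type inspect http match-all http_url_policy
 match request uri regex class url_to_log
 match request method regex class methods_to_log
!
policy-map type inspect http http_policy
 parameters
  ! Step 7b: drop (and log) connections that violate HTTP framing; action chosen for this example
  protocol-violation action drop-connection log
  ! Step 7c: replace the real Server header; "Apache" is an arbitrary value for this example
  spoof-server Apache
 class http_url_policy
  ! the page's action: allow the request but emit a syslog for it
  log
!
! Attach the policy map; global_policy and inspection_default are the ASA defaults and are
! assumed to exist (HTTP is not inspected by the default policy until this line is added)
policy-map global_policy
 class inspection_default
  inspect http http_policy
service-policy global_policy global
```

Before relying on a pattern, check it on the box with test regex, for example test regex "www.xyz.com/login.asp" "www\.xyz\.com/.*\.asp", and confirm the policy is active and counting hits with show service-policy inspect http.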

ICMP Inspection

The ICMP inspection engine allows ICMP traffic to have a “session” so it can be inspected like TCP and
UDP traffic. Without the ICMP inspection engine, we recommend that you do not allow ICMP through
the ASA in an access list. Without stateful inspection, ICMP can be used to attack your network. The
ICMP inspection engine ensures that there is only one response for each request, and that the sequence
number is correct.
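Turning the engine on is a two-line change to the default global policy. The following is an added example, not configuration from this page (the guide covers the ICMP inspection commands in a later section); it assumes the ASA's default global_policy and inspection_default, an interface named outside, and the address 203.0.113.10. It shows the weak access-list entry the paragraph warns against beside the configuration that makes it unnecessary.

```cisco
! Enable stateful ICMP inspection in the default global policy (names assumed to be the ASA defaults)
policy-map global_policy
 class inspection_default
  ! ICMP request/reply pairs get a session: one reply per request, and a reply whose
  ! identifier/sequence number does not match an outstanding request is dropped
  inspect icmp
  ! also pass ICMP error messages (unreachable, time-exceeded, ...) that relate to a tracked
  ! connection, fixing up the embedded addresses when NAT is in use
  inspect icmp error
service-policy global_policy global
!
! Weak alternative (what the paragraph warns against): without the engine, inside-originated pings
! only get their replies back if the outside ACL permits replies statically, which also admits
! unsolicited or forged replies from anyone:
!   access-list outside_in extended permit icmp any any echo-reply
!
! With the engine on, the outside ACL needs no ICMP entry for inside-originated pings; replies are
! admitted by session state, and ICMP that matches no session falls to the implicit deny
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
```

Verify with show conn protocol icmp while a ping is running: each request should appear as a short-lived connection, and show service-policy inspect icmp shows the packets the engine has inspected and dropped.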