CISCO ASA Firewall Commands Cheat Sheet [Part 5-B]

June 14, 2016 | Views: 4704


Welcome to the latest installment of the CISCO ASA Firewall Commands Cheat Sheet. In this part, we’ll cover packet inspection and filtering at OSI layers 5-7, as well as ICMP inspection. It builds on the previous part, which you should read first.

Let’s begin…


Configuring ICMP Inspection

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 exit


Note: ICMP inspection takes effect when an access list that permits incoming ping requests is in place. It is used to allow only one response per ICMP request and to inspect ICMP packets for invalid sequence numbers.


Configuring Inspection for 5-7 OSI Layer Traffic

Inspecting HTTP

An HTTP inspection policy examines and analyzes traffic destined to protected servers or clients. Its main purpose is to reduce HTTP content to the minimal set of requirements and to look deeply into the application payload for known bad cues, mainly using regular expressions.


A class map that matches specific conditions in the HTTP traffic should be defined along with a policy map used to apply the appropriate action:

Table 7 – HTTP match commands (table image not reproduced)

 

Let’s say we want to configure an HTTP policy map that allows only GET and POLL requests to reach the protected server. The class map matches every request whose method is neither GET nor POLL (match-all with two negated matches), and the policy map drops those connections:

class-map type inspect http match-all MY_HTTP_CLASS
 match not request method get
 match not request method poll
policy-map type inspect http http_map_name
 parameters
  protocol-violation action drop-connection log
 class MY_HTTP_CLASS
  drop-connection log
 exit

To match against regular expressions, use the commands in the following table:

Table 8 – regular expression match commands (table image not reproduced)

For example, suppose we want to filter incoming HTTP traffic and drop any connection whose request arguments contain an embedded link:

regex Embedded-link https?://
policy-map type inspect http HTTP_MAP_1
 match request args regex Embedded-link
  drop-connection
 exit

When several regular expressions are needed, we can group them in a class map: match-any applies an “OR” across the match commands, while match-all applies an “AND”:

regex Embedded-link-1 https?://
regex Embedded-link-2 http?://
class-map type regex match-any embedded-link
 match regex Embedded-link-1
 match regex Embedded-link-2

Apply the HTTP inspection map with the following command:

inspect http http-map-name

Note: The activation command must be applied inside a policy map (under a class).

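Putting the HTTP fragments above together, here is a complete added example (not from the original post) that defines the regexes, a regex class map, a method class map and the HTTP policy map, then attaches the map to the default global policy. All names are assumed.

```cisco
! Added example, not from the original post. Names are assumed.
! Regular expressions used by the inspection policy
regex EMBEDDED_LINK https?://
regex SCRIPT_TAG <script
! OR the two expressions together
class-map type regex match-any HTTP_BAD_PATTERNS
 match regex EMBEDDED_LINK
 match regex SCRIPT_TAG
! Matches every request whose method is neither GET nor POST
class-map type inspect http match-all HTTP_NOT_GET_POST
 match not request method get
 match not request method post
! The inspection policy map: drop protocol violations, unwanted
! methods, and requests whose arguments contain a bad pattern
policy-map type inspect http HTTP_MAP_1
 parameters
  protocol-violation action drop-connection log
 class HTTP_NOT_GET_POST
  drop-connection log
 match request args regex class HTTP_BAD_PATTERNS
  drop-connection log
! Attach the map to the default global service policy
policy-map global_policy
 class inspection_default
  inspect http HTTP_MAP_1
service-policy global_policy global
```

Verify the result with `show running-config policy-map` and `show service-policy inspect http`, which also reports drop and log counters per match.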

Inspecting FTP

FTP inspection includes masking the FTP banner, masking reply messages, preventing uploads of “exe” files to the server (unless the security policy allows them) and restricting request commands to GET and PUT.

Table 9 – FTP traffic matching commands (table image not reproduced)

regex FTP_BADNAMES .exe
policy-map type inspect ftp FTP_MAP_1
 parameters
  mask-banner
  mask-syst-reply
 match not request-command get put help
  reset
 match filename regex FTP_BADNAMES
  reset
 exit
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_MAP_1

Note: The commands above create a policy map to inspect FTP. Banner information and system reply information are masked to prevent malicious users from conducting vulnerability assessment using the FTP server information. The policy also filters requests to the server so that only GET and PUT requests are accepted, and it prevents file names containing “.exe” from being uploaded.


Inspecting DNS traffic

DNS inspection includes applying NAT rules to DNS packets, randomizing DNS ID values to protect against DNS spoofing attacks, verifying the DNS protocol, and guarding the DNS connection by closing the DNS UDP connection once the reply packet has been received.

Table 10 – DNS inspection match commands (table image not reproduced)


policy-map type inspect dns DNS_MAP_1
 parameters
  protocol-enforcement
  dns-guard
  id-randomization
  nat-rewrite
 exit

Note: The ASA has a default DNS inspection policy map called “Preset_DNS_Map,” which limits the size of DNS packets to 512 bytes.

Finally, by understanding parts 5-A and 5-B, you’ll be able to configure an ASA firewall to protect your network infrastructure from DDoS attacks, protect your DMZ and enforce security policies for internal clients or hosts.
