
CISCO ASA Firewall Commands Cheat Sheet [Part 5-B]


By: Motasem

June 14, 2016

Welcome to the latest installment of the CISCO ASA Firewall Commands Cheat Sheet. In this part, we'll explain packet inspection and filtering for OSI layer 5-7 traffic, in addition to ICMP inspection. This part builds on the previous part, so read that first to follow along easily.

Let's begin...

Configuring ICMP Inspection

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
exit

Note: The ICMP inspection feature takes effect once an access list that permits incoming ping requests is enabled. ICMP inspection is used to allow only one response per ICMP request and to inspect ICMP packets for invalid sequence numbers.

Configuring Inspection for OSI Layer 5-7 Traffic

Inspecting HTTP

An HTTP inspection policy is implemented to examine and analyze traffic destined for protected servers or clients. Its core purpose is to restrict HTTP content to the minimal set of requirements and to look deeply into the application signature for known bad cues, mainly using regular expressions.

A class map that matches specific conditions in the HTTP traffic should be defined along with a policy map used to apply the appropriate action: 

Table 7 - HTTP match commands

Let’s say we want to configure an HTTP policy map to allow only GET and POLL requests to be passed to the protected server:

! match-all with negated methods: the class matches any request that is neither GET nor POLL
class-map type inspect http match-all MY_HTTP_CLASS
 match not request method get
 match not request method poll
!
policy-map type inspect http http_map_name
 parameters
  protocol-violation action drop-connection log
 class MY_HTTP_CLASS
  drop-connection log
exit

To match against regular expressions, use the commands in the following table:

Table 8 - regular expression match commands

For example, let's suppose we want to filter incoming HTTP traffic and drop any request whose arguments carry an embedded link:

! the pattern matches both http:// and https://
regex Embedded-link https?://
!
policy-map type inspect http HTTP_MAP_1
 match request args regex Embedded-link
  drop-connection
exit

In the case of multiple regular expressions, we can group them in a regex class map: match-any applies an "OR" operation across the match commands, while match-all applies an "AND" operation:

regex Embedded-link-1 https?://
regex Embedded-link-2 http?://
!
class-map type regex match-any embedded-link
 match regex Embedded-link-1
 match regex Embedded-link-2
!
! the regex class is then referenced from an HTTP inspection policy map (map name is a placeholder)
policy-map type inspect http HTTP_MAP_2
 match request args regex class embedded-link
  drop-connection
exit

Apply the HTTP inspection map with the following command:

inspect http http-map-name

Note: The activation command must be applied inside a class of a Layer 3/4 policy map, for example the inspection_default class of global_policy used for ICMP above.

Inspecting FTP

Inspecting FTP traffic includes masking the FTP banner, masking system reply messages, preventing uploads of "exe" files to the server (unless the security policy allows them) and restricting request commands to GET and PUT.

Table 9 - FTP traffic matching commands

! escape the dot so only a literal ".exe" matches, not any character followed by "exe"
regex FTP_BADNAMES \.exe
!
policy-map type inspect ftp FTP_MAP_1
 parameters
  mask-banner
  mask-syst-reply
 match not request-command get put help
  reset
 match filename regex FTP_BADNAMES
  reset
exit
!
! apply the map under the Layer 3/4 policy
policy-map global_policy
 class inspection_default
  inspect ftp FTP_MAP_1
exit

Note: The commands above create a policy map to inspect FTP. Banner information and system reply information are masked to prevent malicious users from conducting vulnerability assessment using the FTP server information. The commands also filter requests to the server so that only GET and PUT (plus HELP) request commands are accepted, and prevent uploads of EXE file names.

Inspecting DNS traffic

DNS inspection includes applying NAT rules to the DNS packets, randomizing DNS ID values to protect from DNS spoofing attacks, DNS protocol verification, and guarding the DNS connection by closing the DNS UDP connection after successful receipt of the reply packet.

Table 10 - DNS inspection match commands

policy-map type inspect dns DNS_MAP_1
 parameters
  protocol-enforcement
  dns-guard
  id-randomization
  nat-rewrite
exit
!
! apply the map under the Layer 3/4 policy, as with HTTP and FTP
policy-map global_policy
 class inspection_default
  inspect dns DNS_MAP_1
exit

Note: The ASA has a default DNS inspection policy map called “Preset_DNS_Map,” which limits the size of DNS packets to 512 bytes.
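As an added example (not part of the original cheat sheet), here is a small Python audit that parses an ASA running-config excerpt and checks that the ICMP and DNS inspection settings from this part are present under global_policy. The sample configuration is constructed, and the required parameter names follow the commands shown above.

```python
# Constructed sample of a "show running-config" excerpt; not from a real device.
SAMPLE_CONFIG = """\
policy-map type inspect dns DNS_MAP_1
 parameters
  protocol-enforcement
  dns-guard
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  inspect dns DNS_MAP_1
"""
# Settings this cheat sheet expects in a hardened configuration.
REQUIRED_INSPECTS = ["inspect icmp", "inspect icmp error"]
REQUIRED_DNS_PARAMS = ["protocol-enforcement", "dns-guard", "id-randomization", "nat-rewrite"]

def parse_asa_blocks(config):
    """Top-level blocks keyed by header line; child lines kept in order, unindented."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' comments carry no configuration
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def class_lines(children, class_name):
    """Lines belonging to one 'class <name>' section of a Layer 3/4 policy map."""
    out, inside = [], False
    for line in children:
        if line.startswith("class "):
            inside = line == f"class {class_name}"
        elif inside:
            out.append(line)
    return out

def audit_inspection(config):
    """Return findings; an empty list means every check on this page passed."""
    findings, blocks = [], parse_asa_blocks(config)
    insp = class_lines(blocks.get("policy-map global_policy", []), "inspection_default")
    findings += [f"inspection_default lacks '{r}'" for r in REQUIRED_INSPECTS if r not in insp]
    dns_maps = [line.split()[2:3] for line in insp if line.startswith("inspect dns")]
    if not dns_maps or not dns_maps[0]:
        return findings + ["inspection_default lacks 'inspect dns <map>'"]
    name = dns_maps[0][0]
    params = blocks.get(f"policy-map type inspect dns {name}", [])
    findings += [f"DNS map {name} lacks '{p}'" for p in REQUIRED_DNS_PARAMS if p not in params]
    return findings
```

Running audit_inspection on the sample reports only the missing id-randomization parameter; feed it the output of show running-config to check a real device.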

And finally, by understanding parts 5-A and 5-B, you'll be able to configure an ASA firewall to protect your network infrastructure from DDoS attacks, protect your DMZ and enforce security policies for internal clients or hosts.
