class-map ----> policy-map ----> service-policy
 
class-map: matches traffic (by ACL, priority markings, and so on) ....
·    access-list
·    any
·    default-inspection-traffic
·    dscp
·    flow (destination IP address)
·    port
·    precedence
·    rtp (RTP port number)
·    tunnel-group
policy-map: defines the policy (the actions applied to each class)
service-policy: applies the policy (to an interface or globally)
 
Adjusting TCP options for matched traffic (tcp-map)
ciscoasa(config)# tcp-map tcpmap
ciscoasa(config-tcp-map)# ?
TCP-map configuration commands:
 check-retransmission    Check retransmit data, disabled by default
 checksum-verification   Verify TCP checksum, disabled by default
 default                 Set a command to its defaults
 exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to drop packet
 queue-limit             Maximum out-of-order packets queued for a connection,
                          default is 0 packets
 reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
 syn-data                TCP SYN packets that contain data, default is to
                          allow packet
 tcp-options             Options in TCP header
 ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
 urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
 window-variation        Unexpected window size variation, default is to allow
                          connection
 
 
------------------------------------------------ Example ------------------------------------------------
tcp-map tcpmap
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
access-list myacl extended permit tcp any any
class-map classmap
 match access-list myacl
policy-map mypolicy
 class classmap
   set connection advanced-options tcpmap
service-policy mypolicy interface inside
 
 
the sequence number field in the TCP header. PIX 6.x did not modify or clear this option bit, so such traffic worked normally. Starting with ASA 7.x, however, the firewall clears this option bit by default, and some communications fail.
ciscoasa(config-pmap-c)# ips ?
mpf-policy-map-class mode commands/options:
 inline       Inline mode IPS       // matched traffic is sent to the AIP module for inspection and returned to the firewall afterwards
 promiscuous  Promiscuous mode IPS  // a copy of the matched packet is sent to the AIP module for inspection; the original packet is still handled by the firewall
ciscoasa(config-pmap-c)# ips inline fail-open  // permit traffic if the IPS card fails
ciscoasa(config-pmap-c)# csc fail-open
WARNING: CSC can ONLY scan TCP traffic that is destined to port 80 (HTTP), 25 (SMTP), 110 (POP3), or 21 (FTP) when configured. Any other type of traffic, even if configured, will not be scanned.
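Putting the pieces together, as an added example that is not part of the original notes: the same class is given both the tcp-map connection settings and an inline fail-open IPS action, and the policy is applied globally instead of to one interface. The tcp-map, ACL, class and policy names reuse the example above; the `show` commands at the end are the usual verification steps and are assumed to be available on the ASA in question.

```cisco
! Added example: reuse the tcp-map and class from the case above,
! add an IPS action to the same class, and apply the policy globally.
tcp-map tcpmap
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
access-list myacl extended permit tcp any any
class-map classmap
 match access-list myacl
policy-map mypolicy
 class classmap
  set connection advanced-options tcpmap
  ! inline: matched traffic passes through the AIP module;
  ! fail-open keeps traffic flowing if the module fails
  ips inline fail-open
! "global" attaches the policy to all interfaces (only one global policy is allowed);
! an interface policy takes precedence over the global one for that interface
service-policy mypolicy global
! verify that the policy is attached and that its counters increase
show service-policy
show running-config tcp-map
```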