The basic Modular Policy Framework (MPF) together with application inspection lets us, for example, inspect an FTP connection. In passive mode, besides port 21 being open as the control channel, we also need a random port for the data channel. Thanks to MPF and traffic inspection the ASA learns the number of this random port, and the whole connection is allowed. Great!
OK, but maybe we would like to inspect this traffic at a finer grain? Let's assume we allowed an external user access to our FTP server. But do we know what exactly the user is doing on our server? He gets full access through the "tunnel" thanks to the opened port. Advanced Application Inspection lets us inspect at layers 5 to 7, which means, for example, that we can forbid particular commands on the FTP server.
Advanced Application Inspection is MPF with Application Inspection plus inspection at layers 5 to 7. What is the difference in syntax between Application Inspection and Advanced Application Inspection?
When we type "class-map <NAME>" we use Application Inspection and we are working at layers 3-4.
When we type "class-map type inspect" (or "type management" / "type regex") we use Advanced Application Inspection and we are working at layers 5-7.
Now let's go over the labs. For lab simplicity all interfaces have the same security level 0 and the command "same-security-traffic permit inter-interface" has been run. There is no NAT, ACLs, etc.
In the first lab we will be using "FTP Client" and "FTP server". Our goal is to protect our server from having any files deleted. What do we do, in short? First we create an AAI (Advanced Application Inspection) class map in which we state what is interesting for us (match), then we specify the action (reset the connection and send a message to syslog), and at the end we enforce FTP inspection based on this policy in the well-known class inspection_default under the global_policy policy map (which exists out of the box).
Let's see if we can delete files on the FTP server:
As we see, we can (check the blue rectangle).
Now let's apply Advanced Application Inspection:
class-map type inspect ftp match-all ftp-inspect-Cmap
 match request-command DELE
policy-map type inspect ftp ftp-inspect-Pmap
 class ftp-inspect-Cmap
  reset log
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp-inspect-Pmap
Now let's see what happens after we applied AAI: when we try to delete any file, the connection to the FTP server is reset.
The 2nd lab will be interesting as well. Now we forbid the host "HTTP Client" with IP address 192.168.0.1 access to "www.itbundle.net", but access to other internet sites ("www.acme.com") will be allowed. First of all I added two entries to the hosts file on "HTTP Client": "10.0.0.1 www.itbundle.net" and "10.0.0.2 www.acme.com", because it doesn't have access to a DNS server. Now, first we have to create a regular expression; next, in an access list we mark the 'interesting traffic': host 192.168.0.1 is permitted here but will be rejected later (this is only marking!). The next move is creating the AAI class map that states what string we will be searching for in the HTTP header. Then we create a 'standard' class map that matches the access list. In the 'policy map type inspect' we describe what we want to do with the AAI class map. At the end we create a new class in the global_policy policy map with HTTP inspection. We don't have to use service-policy to apply the global_policy policy map because it is applied already out of the box.
regex ITBUNDLE_DENY "www.itbundle.net"
access-list DENY_HOST_192.168.0.1 extended permit tcp host 192.168.0.1 any eq www
access-list DENY_HOST_192.168.0.1 extended deny ip any any
class-map type inspect http match-all http-inspect-Cmap
 match request header host regex ITBUNDLE_DENY
! standard (layer 3-4) class map selecting the marked host; the name HTTP_DENY_Cmap is assumed
class-map HTTP_DENY_Cmap
 match access-list DENY_HOST_192.168.0.1
policy-map type inspect http http-inspect-Pmap
 class http-inspect-Cmap
  reset log
! "reset log" mirrors the action used in lab 1; the post does not name the action for lab 2
policy-map global_policy
 class HTTP_DENY_Cmap
  inspect http http-inspect-Pmap
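To make the decisions behind both labs concrete, here is an added Python model of what the inspector does (my illustration, not Cisco's code and not part of the original post): it derives the passive-mode data port from the FTP 227 reply, resets as soon as a client command in the class map (DELE) appears, and for lab 2 applies the Host-header regex only to flows the ACL selected. The FTP session, HTTP request and the 192.168.0.1 source are constructed sample inputs.

```python
import re

# Constructed FTP control-channel exchange ("C" = client, "S" = server);
# an added illustration of what the ASA inspector sees, not Cisco's code.
FTP_SESSION = [
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS secret"), ("S", "230 Login ok"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (10,0,0,1,195,80)"),
    ("C", "LIST"), ("C", "DELE report.txt"),
]
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_data_endpoint(reply):
    """(ip, port) announced in a 227 reply; per RFC 959 port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def inspect_ftp(session, denied_commands):
    """Lab 1: follow the control channel like `inspect ftp strict`: open a
    pinhole per PASV reply, reset when a client command is in the class map."""
    pinholes = []
    for side, line in session:
        if side == "S" and line.startswith("227"):
            ep = pasv_data_endpoint(line)
            if ep:
                pinholes.append(ep)  # dynamic data-channel port now allowed
        elif side == "C":
            cmd = line.split(" ", 1)[0].upper()
            if cmd in denied_commands:
                return pinholes, f"reset log {cmd}"
    return pinholes, "permit"

def inspect_http(src_ip, request, acl_hosts, host_regex):
    """Lab 2: only flows selected by the ACL (src in acl_hosts) reach the HTTP
    policy; inside it, a Host header matching the regex is reset."""
    if src_ip not in acl_hosts:
        return "not inspected"
    m = re.search(r"^Host:\s*(\S+)", request, re.M | re.I)
    if m and host_regex.search(m.group(1)):
        return "reset log"
    return "permit"

# The post's regex as written: unescaped dots match any character, as on the ASA.
ITBUNDLE_DENY = re.compile("www.itbundle.net")
HTTP_REQUEST = "GET / HTTP/1.1\r\nHost: www.itbundle.net\r\n\r\n"  # constructed
```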