CCIE Security Advanced Technologies Class - ASA Advanced Application Inspection with MPF

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	the next thing we're going to look at for the asa is how do we do the application level inspections
0:00:19	so the inspections that are specific to web browsing, dns or ftp
0:00:24	where we were using layer 7 class maps
0:00:28	which are the class maps i inspect
0:00:30	and in the layer 7 policy maps which are the
0:00:32	policy map type inspects
0:00:35	now in order to
0:00:36	show exactaly how it works
0:00:38	again we're going to use the
0:00:39	the acs server as our
0:00:42	web client, this is going to our web browser
0:00:44	and we
0:00:50	now based on
0:00:51	different parameters that we can define that
0:00:54	what's the domain name
0:00:55	that the user trying to reach
0:00:57	what is the particular url that is trying to reach
0:01:00	we can't configure the asa to perform different action
0:01:03	whether they be to log the traffic
0:01:06	to drop the traffic to reset the session
0:01:08	with the configure it
0:01:10	to perform whatever action we want
0:01:11	as long as we match the regular expression
0:01:15	and that's really where the difficulty comes in this config
0:01:18	is to figure out how the syntax out of it
0:01:23	so before we get our example let us look what are some of the defaults
0:01:27	that the asa is actually using
0:01:30	so again if we look at the show run
0:01:33	all policy map
0:01:36	we could see that we have these policy type map inspects
0:01:40	and these are the layer 7 or application policies
0:01:45	where in this particular case this is for dns
0:01:48	the map of the map is pre-set _dns map
0:01:52	so this is one that is built in
0:01:54	sets specifically for dns
0:01:57	I'm going to make sure that the message length
0:02:00	is max of 512
0:02:04	now whether this is bytes or characters
0:02:06	could depend on the individual application
0:02:09	you will need to que like the command reference to see exactly what the values we are talking about
0:02:14	its also saying we r going to map rewrite
0:02:18	which is used any time we are doing any nap translation
0:02:22	and we have potential issue where may be the dns server is on the inside
0:02:27	and its giving us a resolution to the
0:02:29	private address instead of the public address
0:02:32	or the other way around
0:02:35	so the asa can know based on the nap translation
0:02:38	or you supposed to have the inside local address
0:02:42	pay load of dns
0:02:43	or you supposed to have inside global
0:02:47	which is the public address that you are being
0:02:49	you are transmitting to
0:02:53	now the rest of these are not configured any of the other
0:02:56	policy maps if we go to global config
0:02:59	and say
0:03:01	actually there are other ones, let look at the details
0:03:04	there was a dns 1
0:03:07	this one is for
0:03:09	male esmtp
0:03:11	this is for send mail
0:03:14	say match command line
0:03:17	length greater than 512
0:03:21	which means that if we were tying to do some sort of
0:03:24	essentially male form attack that the buffer overflow against the main server
0:03:28	this is going to drop the connection
0:03:31	this says if the recipient count
0:03:34	is greater than 100
0:03:36	so it needs in the to field the mail message if your more than 100 address
0:03:40	its going to drop that
0:03:43	so you could see a lot of these are very specific to the individual application
0:03:46	if you didn't' know how send mail works in an application level
0:03:50	then you are not going to understand what this inspection means
0:03:53	so we actually implement this
0:03:57	we will need to spend a lot of time reading through the documentation
0:03:59	to see how the different applications are working
0:04:05	the other thing we can do look at show run all
0:04:09	class map
0:04:13	we could see that its calling a bunch of regular expressions
0:04:17	we will look at the show run all regex
0:04:21	we could see some of the strings
0:04:24	that the firewall is trying to match by default
0:04:29	so i like mention before you could use msn messenger
0:04:33	some where in the application header
0:04:35	is this string its application / x/machine
0:04:40	so if i want to prevent it from using it
0:04:43	then i could match regex and say reset the session or to drop the sesssion
0:04:50	now as to scope that this would be covered
0:04:52	within the ccie security lab exam
0:04:54	they are not going to expect to be expert in this
0:04:57	as long you can use these default commands
0:05:01	to together a policy
0:05:03	or when you look at the documentation
0:05:06	if you go to
0:05:07	the asa configuration
0:05:10	then to the application level inspections
0:05:14	you can see some of the examples of exactly they do this
0:05:49	so here we have an example that say that
0:05:51	the following example shows how to find the http inspection policy
0:05:55	that allows you to log any connections attempts that access www.xyz
0:06:01	/ asp
0:06:03	or xyz 039039.com with get input methods
0:06:09	so you potentially could take these examples and then get it around
0:06:13	for what ever you need to use
0:06:15	but otherwise if you are doing this in production
0:06:18	there is reference documents that they have how to build these policies
0:06:22	so if you search for
0:06:24	like url filtering with mpf
0:06:29	and asa
0:06:31	there's lot of documents on cisco's website that going to-say you want to filter
0:06:37	lets say like domain filtering
0:06:43	combating botnets using the cisco asa botnet filter or
0:06:50	which will be the domain filter
0:07:03	there is one here specifically shows here some examples of it
0:07:06	where you would find these if your doing the manual browsing
0:07:09	is going to under support where you go to the main documentation page
0:07:13	so support configure
0:07:15	whether its going to under the technology documentation and not the product documentation
0:07:21	so if we go to technology security
0:07:23	and then for firewall filtering
0:07:26	you see examples under there
0:07:28	where in the issue with this that these tech tips
0:07:32	that you Will not have access to these in the
0:07:35	ccie security lab exam
0:07:38	if you are doing a real implementation of this then you just extensively check through the documentation
0:07:44	OK so lets look at an actual example of this
0:07:47	what i want to do
0:07:48	is to
0:07:50	filter web traffic
0:07:53	that's going from the
0:07:54	the windows client here
0:07:59	and i want to filter it based on
0:08:01	a particular domains
0:08:03	so some address that i want them to not be able to go to or other ones are going to be allowed
0:08:07	now when you do this with the asa
0:08:09	there is a limitations that how you can get
0:08:13	because let say i want to prevent someone to go to youtube
0:08:17	well the problem is if they there just to go to command line
0:08:22	and figure out what the actual ip address of the server
0:08:25	then the url filter is not going the catch that
0:08:27	so you have to use sort of external filtering like web sense
0:08:31	that's going to be able to
0:08:33	to do more content level filtering
0:08:35	but you can atleast for
0:08:39	for the average user you will able prevent them from doing
0:08:41	some basic stuff by using the asa
0:08:45	now to simplify the configuration a little bit what i m going to do
0:08:49	is configure router 2 as a dns server
0:08:52	i say ipbns server
0:08:55	and then do some dns entrance
0:08:58	like the ip post
0:08:59	www.
0:09:02	youtube.com
0:09:04	lets say is
0:09:06	my local address
0:09:08	and the same for
0:09:13	rediff.com
0:09:16	the ip host
0:09:18	cisco.com is 200.0.0.2
0:09:20	so i want to prevent them from getting to the 2 routers
0:09:24	but im going to allow them to the 3rd
0:09:27	now on the
0:09:28	triple aaa server
0:09:30	what i have set up
0:09:32	is
0:09:37	its pointing to router 2 as the dns server
0:09:41	so since
0:09:42	dns is already going to be inspected on the asa
0:09:46	there should be no problem with me using the router 2
0:09:48	for these resolutions
0:09:50	so if i were to ping www.
0:09:53	youtube.com
0:09:55	we could see this result to 200.0.02
0:09:58	if i were to ping cisco.com
0:10:02	same thing is resulting to that address
0:10:05	if i were to browse to these
0:10:07	we should end on the
0:10:10	web interface of router 2
0:10:19	so if run some commands we can see the router string
0:10:23	it thinks this is cisco.com based on those dns resolutions
0:10:27	so now i want to configure the asa to actually
0:10:30	check for this traffic as its leaving
0:10:32	so in order to do this
0:10:34	i need to configure in regular expression
0:10:37	that is first going to match those strings
0:10:41	now there is two different ways i could do this
0:10:43	i could create individual regular expressions
0:10:47	and then match them
0:10:52	or i could configure
0:10:55	the regular expressions and group together inside a class
0:10:59	now the 2nd option is a little bit more modular
0:11:02	because if i want make changes later
0:11:04	the only thing i need to do is
0:11:06	add additions to the regular expressions to regex class
0:11:10	and then is inherent effect
0:11:12	all of the possible filters that are reference
0:11:18	so you could technically do it either way just depends on how modular you want to make the coding
0:11:21	so first thing im going to start with the regex
0:11:25	we will say
0:11:26	i have a regular expression
0:11:29	i will say that this is called the youtube that's its name
0:11:33	the actual string I'm going to match
0:11:36	lets just say
0:11:38	youtube.com
0:11:41	now remember the dot in a regex a special character is any
0:11:47	single character
0:11:48	so i need to escape this with a back slash
0:11:52	this would then inherently
0:11:54	automatically match www.youtube.com
0:11:59	whatever other sub-domains they have www1, ftp.youtube.com its going to match all of them
0:12:04	now you can actually test this
0:12:07	if you say test regex
0:12:11	specify the test to be matched against
0:12:14	the strings lets say www.youtube.com
0:12:19	and im going to test it against
0:12:22	this particular regex this one i created
0:12:27	see the match did succeed
0:12:28	get my syntax is right
0:12:30	now if i were to say
0:12:33	if they enter this
0:12:34	that's not going to match
0:12:36	but if they enter other sub-domain
0:12:40	www1
0:12:41	this is going to match as well
0:12:43	because im not matching anything before that
0:12:47	so anything before the quotes or after the quotes that's implisively going to be matched
0:12:52	then on the regex that is matching
0:12:55	reg we will say
0:12:58	rediff
0:13:00	/.com
0:13:02	yes i need to escape the dot
0:13:05	so now i know what the particular strings that im trying to match
0:13:09	next thing i need to do im going to group these together on a class map
0:13:13	this particular class map
0:13:15	is going to be of a different type
0:13:18	its specifically to group regular expressions together
0:13:23	we will match any of them i will say this is the
0:13:27	lets say blocked
0:13:29	blocked domains
0:13:32	regex class
0:13:34	so the naming conventions itself doesn't matter
0:13:37	of probably want to use something that is describptive
0:13:40	so when you are looking at the config
0:13:42	you can actually piece together what you are trying to accomplish
0:13:45	when you are doing this to begin them
0:13:48	so this is the class it is called the regex
0:13:51	so from in here we will say
0:13:53	we want to match
0:13:57	the regex
0:13:58	and i have one that called youtube
0:14:02	and one that is called reditt
0:14:06	now i can group them together
0:14:08	next thing i need to do
0:14:10	is the class map that is type inspect
0:14:13	to tell her to actually look
0:14:15	inside the http header
0:14:17	and look for these regular expressions
0:14:20	so this is where we are calling the application level class map or the layer 7 class map
0:14:26	or say class map type
0:14:29	inspect
0:14:31	this is specifically for an http inspection
0:14:35	so each of the individual you are going to have differnt syntax forming
0:14:37	actually to look at the documentation to figure out how
0:14:40	the ftp one works different then http
0:14:45	i will say this is my
0:14:47	blocked domains class
0:14:53	now you need to figure what portion
0:14:56	of the http application do i need to match
0:15:00	now in this particular case it would be
0:15:03	the client sending a request to the server
0:15:06	so the request
0:15:09	is going to have in the
0:15:13	the host field
0:15:14	or the in the header
0:15:16	the header
0:15:20	and yu could see all the different types of
0:15:23	headers that http supports
0:15:25	but specifically i want to know whats the host
0:15:30	the host is then going to
0:15:33	a match my
0:15:35	regex
0:15:39	and i could specifically match her right here
0:15:42	but im going to call the class
0:15:45	so the
0:15:46	lets say show run
0:15:50	class map
0:15:54	this is the blocked domain regex class
0:15:59	is now is the traffic classfied
0:16:02	now i need to figure out what im actually going to do with it
0:16:04	this is where the policy map of the type inspect is coming in
0:16:09	so if the traffic matches this regex
0:16:11	what do i actually do it do i generate a log message
0:16:14	do drop the traffic do i just allow it through
0:16:17	this is what our
0:16:19	policy map type inspect
0:16:21	is going to do
0:16:24	now this policy map again is for http
0:16:29	because the actions that i take are going to be different depending on
0:16:32	what is the individual application
0:16:36	and i call this my http
0:16:39	inspect
0:16:42	policy
0:16:43	now im not call this one
0:16:46	my blog domains inpection policy or something like that
0:16:50	because the actual policy itself is modular
0:16:54	that i can now create new
0:16:56	class maps of type inspects later
0:16:59	that i can do other types of inspection map
0:17:02	so may be want to match on the
0:17:05	the specific syntax in or out
0:17:07	or may be i want to match on the http method
0:17:10	to make sure that no one can upload a file so they cannot use http post
0:17:15	so this is just a generic
0:17:16	inspection class
0:17:18	excuse me, inspection policy
0:17:21	and i need to call the actual class
0:17:24	where in case i called it blocked
0:17:26	domains class
0:17:31	so now i know what the traffic is what im going to do with it
0:17:35	im going to
0:17:37	reset the session
0:17:38	it could also drop it
0:17:41	reset a session just generate a log
0:17:43	because i want to see on the command line is this actally working
0:17:47	now could say log to start to see to see if its matching
0:17:50	but reset i should see
0:17:52	both from the windows client
0:17:54	that the web browsing session doesn't go through
0:17:57	and then also from the asa that going to generate a log
0:18:03	now this where the syntax gets a little bit more complicated
0:18:07	because we have the regular expressions
0:18:10	that are called from the regex class
0:18:14	the regex class
0:18:16	is now called from the
0:18:18	class map type inspect
0:18:20	class map type inspect is called from policy map type inspect
0:18:24	so now i need to tell
0:18:26	the mpf to actually to use this policy
0:18:30	for the web traffic
0:18:32	because i dont' have applied it anywhere in the service policy
0:18:35	now the issue is
0:18:37	that this policy map type inspect
0:18:40	i cannot apply it
0:18:42	directly on to the interface
0:18:45	it needs to be called from a normal policy map
0:18:49	that is in turn using
0:18:51	the inspection policy are in normal class
0:18:56	so now what i need to do
0:18:58	is to tell that what particular layer 3 or layer 4 traffic
0:19:03	am i actually going to this onto
0:19:06	so i need to something that going to match tcp port ad
0:19:08	or whatever is the actual application
0:19:11	flow
0:19:13	the layer 3 layer 4 flow that im trying to match
0:19:15	so this a regular class map
0:19:18	this would my http class
0:19:20	that says match the port no.
0:19:23	that equal to av so its tcp packet that going to port av
0:19:28	and remember this inspection is bidirectional
0:19:30	so you don't have to worry about the source port or destination port
0:19:35	and now look at the show run
0:19:41	i already have a policy configure for dmz in
0:19:46	if we show run
0:19:48	policy map dmz in
0:19:52	it says like have on the aaa server
0:19:54	im setting them to have a max no. of
0:19:57	connections to be 3
0:19:59	so now if i go to this policy
0:20:03	and im going to do a new inspection that is based
0:20:06	on class http class
0:20:09	so im going to inspect
0:20:11	http
0:20:13	that im going to inspect it with this new
0:20:15	type of policy
0:20:18	so this what is the final step what is being tied together
0:20:20	this is with the
0:20:24	http inspect policy
0:20:30	so now lets look at the full policy show
0:20:32	show run policy map dmz_in
0:20:36	so this is now doing two seperate things
0:20:38	it says if you are the triple a server
0:20:41	im limiting here connections to
0:20:43	3 at a time
0:20:46	also if it is web traffic
0:20:48	i m using a specific inspection policy
0:20:51	that is
0:20:54	policy map type inspect
0:20:57	http inspect policy
0:21:07	http policy
0:21:10	if it says that if
0:21:12	the traffic is matched by the blocked domains
0:21:14	class we are going to reset it and we are going to log it
0:21:17	then if i said show run
0:21:23	class map
0:21:24	this says match either of these regex's
0:21:30	next lets look at the show
0:21:32	service policy interface
0:21:34	dmz
0:21:37	now if this policy is working
0:21:39	what if should see is that atleast this packet counter is going to go up
0:21:44	additionally we turn logging on
0:21:47	lets log at the console
0:21:50	and we don't necessarily log at level 7 lets say we are going to log at
0:21:54	5
0:21:56	so i need all the detail debugs
0:22:00	but now from the triple a server
0:22:04	lets actually try this out
0:22:12	if we now go to
0:22:14	youtube.com
0:22:17	we can see its being reset
0:22:20	the http match did occur
0:22:26	the header matched to reset the connection
0:22:30	now does not mean we know
0:22:32	that i would be prevented
0:22:35	from a pinging this address
0:22:38	so if i were to say
0:22:39	ping www.
0:22:42	youtube.com
0:22:44	that fine
0:22:46	because this is not a web flow
0:22:48	likewise if i were to telnet
0:22:53	this is not being filtered
0:22:55	because it didn't match port 80 which is what i specified in the http class
0:23:01	now additionally this is what gets even tricker
0:23:04	what i didn't take into account
0:23:07	was what if the
0:23:09	the url is case sensitive
0:23:12	what if i said youtube with a capital E
0:23:19	lets try, lets say
0:23:27	capital
0:23:28	YOUtube.com
0:23:33	now in this particular case it looks like internet explorer is not taking it is case sensitive
0:23:39	so it is matching
0:23:40	but if you had another case where
0:23:45	the case does matter of the domain
0:23:48	then it not going to match it in all cases
0:23:52	so really what i need to do
0:23:55	is make it closer to their examples that if i said show run all regex
0:24:01	i will make it look like this
0:24:05	where the one im using now
0:24:11	this one here reditt or youtube
0:24:13	i will need to change these
0:24:27	i will need to change these so it looks more like this
0:24:30	lower case y capital Y
0:24:32	lower case o capital O
0:24:35	and do this for every possible combination
0:24:39	now where you also see this use
0:24:41	is the signatures on the ips
0:24:44	so when we get into the advanced examples of doing
0:24:48	custom signatures or modifying the signatures that are there
0:24:51	you will that the ips syntax uses the same type of regular expressions
0:24:55	and you can also use that as a reference
0:24:59	where generally the asa is easier to do this because we can just say
0:25:03	show run all regex, show run all classmap, show runall policy map
0:25:09	lets look at one more variation of this so we
0:25:12	we show we can match the
0:25:14	the domain
0:25:15	lets say we want to match the
0:25:17	so i want to additonal
0:25:19	additional matches under the same
0:25:21	policy that i have already applied
0:25:25	now what i will not need to change now
0:25:28	if we show run
0:25:30	policy map dmz
0:25:33	dmz in
0:25:35	i will not to need to change any of this
0:25:39	the only thing i will need to change is
0:25:41	when we show run
0:25:44	policy map
0:25:46	type inspect http
0:25:49	this policy
0:25:51	the only thing i need to do
0:25:52	is create a new
0:25:54	class map type inspect
0:25:57	call it from in this policy
0:25:59	and take the particualar actions that i want
0:26:03	so one the basic
0:26:05	formation of the policy is staged
0:26:08	then it makes it little bit easier to add it later
0:26:10	the problem is when initially piecing all the syntax together
0:26:14	so lot a need to do to point one class to another
0:26:17	to call from the policy from the class and the class from the policy so gets a kind of
0:26:24	ok lets say now we want to do
0:26:27	the same type of filtering but we are going to do based on the
0:26:30	the url
0:26:32	one way you could test these out
0:26:34	is to use the
0:26:38	the management interface of the router
0:26:40	so if i say
0:26:43	cisco.com i have result to router 2's address before
0:26:48	from this web interface if you run a command so lets say
0:26:53	i want to monitor router
0:26:55	which means i can run commands
0:26:58	lets say
0:26:59	show ip route
0:27:03	if its returning routing table on router 2
0:27:06	now the way its actually doing this
0:27:08	as you can see that you are out here
0:27:11	its taking this string
0:27:13	and its running it
0:27:16	after exact
0:27:21	so if i were to say
0:27:24	this
0:27:29	actually where the
0:27:34	this syntax
0:27:35	so whatever add to end here
0:27:38	these are the commands that im trying to run
0:27:41	so show ip route lets say show ip
0:27:47	int/ brief
0:27:50	that's going to show ip interface brief
0:27:52	so im going to check the policy
0:27:55	that im finding im going to check it against this
0:27:59	im going to look for these commands
0:28:02	so i can test if i can
0:28:04	lets say i don't i able to say show ip route
0:28:08	if i show ip and it does not work
0:28:10	but i show ip interface and it does work
0:28:13	then i know that your outstring is actually matching
0:28:16	now we could also blog it to the asa's console and see if it is actually going to match
0:28:20	so lets say that we going to use this
0:28:23	as our
0:28:25	our regex, we will say show ip
0:28:28	/ route
0:28:30	if i did another regex this is going to be
0:28:33	show
0:28:35	show ip
0:28:37	route regex
0:28:40	is this exact string
0:28:43	this is going to call now from the class
0:28:56	we now need a new class map type inspect
0:28:59	its for http inspections
0:29:03	lets say
0:29:04	show ip route
0:29:08	show ip route class
0:29:13	now from in here
0:29:15	i need to match the
0:29:17	in the request
0:29:19	i need to match the uri
0:29:22	uri is where the actual url string is exchanged in the http header
0:29:27	so its again its the client going to the server so its a request
0:29:33	match request
0:29:36	the uri this is where the url string is
0:29:40	i want to match it against the regex
0:29:43	that is
0:29:45	this one show ip route regex
0:29:48	now i could also do multiple matches here
0:29:51	like i could say match request
0:29:55	method
0:29:59	in an http get this would be the normal
0:30:02	downloading a page
0:30:04	if i said
0:30:05	match http host again this would be if i want to uploading a file
0:30:10	may be i want to disallow them from able to do that
0:30:12	or make a directory
0:30:15	or to move a file
0:30:16	so i could irradiacally create a class
0:30:19	that says
0:30:21	class map type inspect http
0:30:23	disallowed http commands
0:30:26	and say match request method host match request method put etc.
0:30:33	maybe im matching that url
0:30:37	so now i have the class
0:30:39	i already have the policy configured
0:30:41	the only thing i need to do now is class this policy fro the class i already created
0:30:46	so if we show run
0:30:48	policy map
0:30:51	its going to be from inside this
0:30:53	inspection policy
0:30:57	and the class
0:30:59	i called it
0:31:01	show ip route class
0:31:04	i will say for this class
0:31:06	if it matches
0:31:08	i want to do the same thing before im going to
0:31:10	reset it
0:31:13	and im going to log
0:31:22	so now lets see if this is actually going to
0:31:27	to get that
0:31:29	so from here i should be able to run
0:31:31	that show ip interface brief that should be fine
0:31:36	if i said show
0:31:41	say i p 7
0:31:44	if we see we get the output thats fine
0:31:48	now lets try show i p
0:31:50	route
0:31:53	says that your i match the string
0:31:55	because the page was denied now
0:31:59	and its resending the connection
0:32:03	but i if again try it to lets give it a capital R
0:32:07	see that i can surround it
0:32:10	so when you do this regex 's
0:32:12	you have to be very particular
0:32:14	as what we're going to try to match
0:32:17	so for any advanced users
0:32:19	power user advancially we will be able to figure out how to get around these type of filters
0:32:23	but atleast its good
0:32:25	first level protection for things that wer trying to
0:32:27	to filter out
0:32:32	so lets look at our full
0:32:34	final configuration for this
0:32:58	so first we have our
0:33:00	classes actually first we have our regualar expressions
0:33:14	the way the expression is being called from the regex class
0:33:23	we have the inspect class
0:33:26	two different inspect classes
0:33:32	we have the policy may type inspect
0:33:37	then the dmz policy
0:33:44	then unless its being applied
0:33:45	so lets say for these configurations the two seperate things they are doing
0:33:49	here the first one is
0:33:51	the show ip route regular expression
0:34:00	this is creating the
0:34:01	the regex
0:34:04	the regex is then referenced from the
0:34:07	class map
0:34:10	the class map is then called from the
0:34:13	policy map
0:34:16	this says what we are doing to do with it what we're
0:34:20	resetting it or logging it
0:34:23	then we're
0:34:26	classifying the web traffic
0:34:31	then inside the regular policy
0:34:36	we're inspecting it
0:34:40	and the policy gets applied
0:34:46	so for this portion this would be the full config for it
0:34:51	for the 2nd one its similar
0:34:53	except the regular expressions are called from the regex class
0:34:57	the regex class is then called from the class map inspect
0:35:02	class map inspect is called from the policy map inspect
0:35:06	and the policy map inspect is
0:35:09	applied here

Now Viewing

CCIE Security Advanced Technologies Class
Title:	CCIE Security Advanced Technologies Class
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$299.00	Add to Cart

ASA Advanced Application Inspection with MPF

Create Bookmark