class-map ----> policy-map ----> service-policy
class-map: matches traffic, or matches priority markings. Available match criteria:
· access-list
· any
· default-inspection-traffic
· dscp
· flow (destination IP address)
· port
· precedence
· rtp (RTP port number)
· tunnel-group
policy-map: defines the policy to apply to the matched traffic
service-policy: applies the policy
Adjusting the TCP options of matched traffic
ciscoasa(config)# tcp-map tcpmap
ciscoasa(config-tcp-map)# ?
TCP-map configuration commands:
check-retransmission Check retransmit data, disabled by default
checksum-verification Verify TCP checksum, disabled by default
default Set a command to its defaults
exceed-mss Packet that exceed the Maximum Segment Size set by
peer, default is to drop packet
queue-limit Maximum out-of-order packets queued for a connection,
default is 0 packets
reserved-bits Reserved bits in TCP header are set, default is to
allow packet
syn-data TCP SYN packets that contain data, default is to
allow packet
tcp-options Options in TCP header
ttl-evasion-protection Protection against time to live (TTL) attacks,
enabled by default
urgent-flag Urgent flag and urgent offset set, default is to
clear flag and offset
window-variation Unexpected window size variation, default is to allow
connection
------------------------------------------------
Example
------------------------------------------------
tcp-map tcpmap
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
access-list myacl extended permit tcp any any
class-map classmap
 match access-list myacl
policy-map mypolicy
 class classmap
  set connection advanced-options tcpmap
service-policy mypolicy interface inside
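As an added check, not part of these notes and not Cisco code, the following Python script parses a configuration laid out like the example above, walks the service-policy -> policy-map -> class-map chain plus the tcp-map reference to flag any name that no block defines, and lists the TCP option kinds the tcp-map allows through instead of clearing. The sample configuration, the function names and the set of sub-commands it understands are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the example from these notes in CLI form (not taken from a live device).
SAMPLE_CONFIG = """\
tcp-map tcpmap
 tcp-options range 6 7 allow
 tcp-options range 9 255 allow
access-list myacl extended permit tcp any any
class-map classmap
 match access-list myacl
policy-map mypolicy
 class classmap
  set connection advanced-options tcpmap
service-policy mypolicy interface inside
"""

def parse_mpf(text):
    """Return (defined names by kind, reference edges, tcp-options ranges per tcp-map)."""
    defined, refs, ranges = defaultdict(set), [], defaultdict(list)
    kind = name = None  # configuration block the current line belongs to
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"(tcp-map|class-map|policy-map|access-list) (\S+)", line):
            kind, name = m[1], m[2]
            defined[kind].add(name)
        elif m := re.match(r"service-policy (\S+) interface (\S+)", line):
            kind = name = None
            refs.append(("interface", m[2], "policy-map", m[1]))
        elif kind == "tcp-map" and (m := re.match(r"tcp-options range (\d+) (\d+) (\w+)", line)):
            ranges[name].append((int(m[1]), int(m[2]), m[3]))
        elif kind == "class-map" and (m := re.match(r"match access-list (\S+)", line)):
            refs.append((kind, name, "access-list", m[1]))
        elif kind == "policy-map" and (m := re.match(r"class (\S+)", line)):
            refs.append((kind, name, "class-map", m[1]))
        elif kind == "policy-map" and (m := re.match(r"set connection advanced-options (\S+)", line)):
            refs.append((kind, name, "tcp-map", m[1]))
    return defined, refs, ranges

def dangling_references(text):
    """Edges whose target no block defines: the policy silently does nothing there."""
    defined, refs, _ = parse_mpf(text)
    return [r for r in refs if r[3] not in defined[r[2]]]

def allowed_option_kinds(text, tcpmap):
    """TCP option kinds (0-255) the named tcp-map allows through instead of clearing."""
    _, _, ranges = parse_mpf(text)
    return {k for lo, hi, act in ranges[tcpmap] if act == "allow" for k in range(lo, hi + 1)}
```

Running it on the sample reports no dangling names and shows that option kind 8 (timestamp) is not in the allowed ranges of this tcp-map, which is the kind of gap worth double-checking before the policy goes on an interface.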
... the sequence number field in the TCP header. PIX 6.x does not modify or clear this option bit, so such traffic works normally. From ASA 7.x onward, however, the firewall clears this option bit by default, and some communications fail.
ciscoasa(config-pmap-c)# ips ?
mpf-policy-map-class mode commands/options:
inline Inline mode IPS
// matched traffic is diverted to the AIP module and sent back to the firewall after inspection
promiscuous Promiscuous mode IPS
// a copy of each matched packet is sent to the AIP module for inspection; the original packet is still handled by the firewall
ciscoasa(config-pmap-c)# ips inline fail-open
//Permit traffic if IPS card fails
ciscoasa(config-pmap-c)# csc fail-open
WARNING: CSC can ONLY scan TCP traffic that is destined to port 80 (HTTP), 25 (SMTP), 110 (POP3), or 21 (FTP) when configured. Any other type of traffic, even if configured, will not be scanned.