
Selective Inspection

As previously mentioned, the match command allows you to specify what traffic the Cisco ASA inspection engine will process. It can be used in conjunction with an ACL to determine what traffic will be inspected. Example 8-3 shows all the supported options for traffic classification in a class map named UDPclass.

Example 8-3. Supported Traffic Classification Options
Chicago(config)# class-map UDPclass
Chicago(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp
                              ils-------tcp--389       mgcp------udp--2427,2727
                              netbios---udp--137-138   rpc-------udp--111
                              rsh-------tcp--514       rtsp------tcp--554
                              sip-------tcp--5060      sip-------udp--5060
                              skinny----tcp--2000      smtp------tcp--25
                              sqlnet----tcp--1521      tftp------udp--69
                              xdmcp-----udp--177
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group

Table 8-2 briefly describes all the options supported by the match command.

Table 8-2. match Subcommand Options

Option                      Description
access-list                 Specifies an ACL used to match or classify the traffic to be inspected.
any                         Any IP traffic.
default-inspection-traffic  The default entry for inspection of the supported protocols. This match applies only to the inspect command; it cannot be associated with any action command other than inspect.
dscp                        Matches based on IP DSCP (DiffServ CodePoints).
flow                        Used for flow-based policy.
port                        Used to match TCP and/or UDP ports.
precedence                  Matches based on the IP Precedence value carried in the TOS byte of the IP header. The precedence value ranges from 0 to 7.
rtp                         Matches Real Time Protocol (RTP) port numbers.
tunnel-group                Matches VPN traffic of a specific tunnel group.


Note

Details on matching traffic based on DSCP, flow, precedence, and tunnel group are covered in Chapter 12.
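To make the classification rules concrete, the following Python example is added here; it is not code from the book or from Cisco. It parses the default-inspection-traffic listing that the ASA prints for "match ?" (Example 8-3) into an engine/protocol/port table, then models how a packet is classified by match default-inspection-traffic versus a class that uses match access-list. The ACL, the class name FTP_ALT, the addresses and the non-standard FTP port 2121 are constructed for the illustration, and the policy-map ordering (default-inspection class evaluated first, then ACL-based classes in configuration order) is a simplification assumed by this model.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed copy of the default-inspection-traffic listing the ASA prints for
# "match ?" (Example 8-3); the parser below recovers the engine/protocol/port table.
DEFAULT_INSPECTION_HELP = """\
ctiqbe----tcp--2748      dns-------udp--53
ftp-------tcp--21        gtp-------udp--2123,3386
h323-h225-tcp--1720      h323-ras--udp--1718-1719
http------tcp--80        icmp------icmp
ils-------tcp--389       mgcp------udp--2427,2727
netbios---udp--137-138   rpc-------udp--111
rsh-------tcp--514       rtsp------tcp--554
sip-------tcp--5060      sip-------udp--5060
skinny----tcp--2000      smtp------tcp--25
sqlnet----tcp--1521      tftp------udp--69
xdmcp-----udp--177
"""

# engine name, filler dashes, protocol, then an optional "--" and a port list/range
ENTRY_RE = re.compile(r"([a-z0-9]+(?:-[a-z0-9]+)*?)-+(tcp|udp|icmp)(?:--([\d,\-]+))?")

Entry = Tuple[str, Optional[FrozenSet[int]]]   # (protocol, destination ports; None for icmp)
Table = Dict[str, List[Entry]]                 # engine name -> entries (sip has tcp and udp)

def parse_ports(spec: str) -> FrozenSet[int]:
    # '2123,3386' -> {2123, 3386}; '137-138' -> {137, 138}; '21' -> {21}
    ports = set()
    for item in spec.split(","):
        low, _, high = item.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return frozenset(ports)

def parse_default_inspection(help_text: str) -> Table:
    """Turn the 'match ?' listing into an engine -> [(protocol, ports)] table."""
    table: Table = {}
    for name, proto, ports in ENTRY_RE.findall(help_text.replace("\u2013", "-")):
        table.setdefault(name, []).append((proto, parse_ports(ports) if ports else None))
    return table

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None  # None for icmp

# One ACE of an extended ACL: (action, protocol, source net, destination net, dst port or None)
Ace = Tuple[str, str, str, str, Optional[int]]

def default_inspection_engine(table: Table, pkt: Packet) -> Optional[str]:
    """Engine that 'match default-inspection-traffic' selects for pkt, or None."""
    for name, entries in table.items():
        for proto, ports in entries:
            if proto == pkt.proto and (ports is None or pkt.dst_port in ports):
                return name
    return None

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First-match evaluation of an extended ACL; no match is an implicit deny."""
    for action, proto, src, dst, port in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.src) not in ip_network(src) or ip_address(pkt.dst) not in ip_network(dst):
            continue
        if port is not None and port != pkt.dst_port:
            continue
        return action == "permit"
    return False

def classify(table: Table, pkt: Packet, acl_classes: Dict[str, Tuple[List[Ace], str]]) -> Optional[str]:
    """Simplified policy-map model (assumption): the default-inspection class is tried
    first, then each ACL-based class (name -> (ACL, engine named by its inspect
    command)) in insertion order; the first class that matches decides the engine."""
    engine = default_inspection_engine(table, pkt)
    if engine:
        return engine
    for acl, inspect_engine in acl_classes.values():
        if acl_permits(acl, pkt):
            return inspect_engine
    return None

# Constructed scenario: an FTP server in 10.1.1.0/24 listens on TCP 2121, which the
# default table does not cover, so a class FTP_ALT with "match access-list" adds it.
TABLE = parse_default_inspection(DEFAULT_INSPECTION_HELP)
FTP_ALT_ACL: List[Ace] = [("permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", 2121)]
ACL_CLASSES = {"FTP_ALT": (FTP_ALT_ACL, "ftp")}

def demo() -> Dict[str, Optional[str]]:
    samples = {
        "ftp-21":     Packet("tcp", "192.0.2.10", "10.1.1.5", 21),
        "ftp-2121":   Packet("tcp", "192.0.2.10", "10.1.1.5", 2121),
        "other-2121": Packet("tcp", "192.0.2.10", "10.2.2.5", 2121),
        "icmp":       Packet("icmp", "192.0.2.10", "10.1.1.5"),
    }
    return {label: classify(TABLE, pkt, ACL_CLASSES) for label, pkt in samples.items()}
```

Calling demo() shows the point of selective inspection: FTP on port 21 and ICMP are caught by the default table, FTP on 2121 reaches the ftp engine only because the ACL-based class names it, and TCP 2121 to a host outside 10.1.1.0/24 is not inspected at all.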


To display statistics on the traffic being inspected on the Cisco ASA, use the show service-policy command. Example 8-4 shows the output of this command.

Example 8-4. Output of show service-policy Command
Chicago# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 24, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 10, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 54, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
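The counters in Example 8-4 are easier to act on once parsed. The following Python example is added here and is not part of the book or of any Cisco tool: it reads a constructed show service-policy output in the same layout as Example 8-4 (with the ftp and esmtp drop counters altered so the check has something to report), returns one record per Inspect line with its enclosing policy and class map, lists the engines whose drop or reset-drop counters are non-zero, and computes the growth between two readings, since the counters are cumulative and only their delta shows whether inspection is still dropping traffic.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed reading in the layout of Example 8-4. The ftp and esmtp counters were
# altered here so that the drop check below has something to report.
SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 24, drop 3, reset-drop 1
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 10, drop 0, reset-drop 0
      Inspect: esmtp, packet 54, drop 2, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
"""

class InspectStat(NamedTuple):
    policy: str
    class_map: str
    engine: str        # first word after "Inspect:", e.g. "dns", "h323"
    detail: str        # rest of that field, e.g. "maximum-length 512", "h225", or ""
    packet: int
    drop: int
    reset_drop: int

POLICY_RE = re.compile(r"^\s*Service-policy:\s+(\S+)")
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
INSPECT_RE = re.compile(
    r"^\s*Inspect:\s+(?P<head>[^,]+),\s*packet\s+(?P<packet>\d+),"
    r"\s*drop\s+(?P<drop>\d+),\s*reset-drop\s+(?P<reset>\d+)"
)

def parse_show_service_policy(text: str) -> List[InspectStat]:
    """Walk the indented output, tracking the enclosing policy and class map."""
    stats: List[InspectStat] = []
    policy = class_map = ""
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policy = m.group(1)
        elif m := CLASS_RE.match(line):
            class_map = m.group(1)
        elif m := INSPECT_RE.match(line):
            engine, _, detail = m.group("head").strip().partition(" ")
            stats.append(InspectStat(policy, class_map, engine, detail,
                                     int(m.group("packet")), int(m.group("drop")),
                                     int(m.group("reset"))))
    return stats

def label(s: InspectStat) -> str:
    """Stable key for one Inspect line, e.g. 'ftp' or 'h323 h225'."""
    return f"{s.engine} {s.detail}".strip()

def engines_with_drops(stats: List[InspectStat]) -> Dict[str, Tuple[int, int]]:
    """Inspect lines whose drop or reset-drop counter is non-zero: the engines an
    operator should correlate with the firewall's syslog before acting on them."""
    return {label(s): (s.drop, s.reset_drop) for s in stats if s.drop or s.reset_drop}

def counter_delta(before: List[InspectStat], after: List[InspectStat]) -> Dict[str, Tuple[int, int, int]]:
    """Growth of (packet, drop, reset-drop) between two readings of the same policy.
    A negative value means the counters were cleared between the readings."""
    prior = {(s.policy, s.class_map, label(s)): s for s in before}
    deltas: Dict[str, Tuple[int, int, int]] = {}
    for s in after:
        p = prior.get((s.policy, s.class_map, label(s)))
        if p is not None:
            deltas[label(s)] = (s.packet - p.packet, s.drop - p.drop, s.reset_drop - p.reset_drop)
    return deltas
```

Feeding two readings taken a few minutes apart into counter_delta() separates engines that dropped traffic long ago from engines that are dropping it now, which is the distinction that matters when deciding whether an inspection engine is blocking legitimate application traffic.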

The following sections include information about each application inspection protocol supported on Cisco ASA.
