Besides operating as a stateful packet-filtering firewall, where every session is recorded in a state table, the Cisco ASA appliance can also function as an application firewall. This allows it to perform deep packet inspection of application traffic, on the basis of which network engineers can assign appropriate network policies.
In almost all networks, different types of traffic passing through the Cisco ASA may have different policy requirements.
Typically, VoIP traffic should be prioritized over the rest to prevent packet loss and delay, while traffic arriving from the internet should be inspected for any sign of malware or other malicious content.
Though there are several ways to apply access controls to network flows, most lack the options needed to assign different network policies to different traffic flows. The only suitable solution is the Modular Policy Framework (MPF) configuration tool, which lets you deploy the desired security policies to specific traffic flows.
In this article, we will provide the following:
Access control lists (ACLs) are fundamental access control filtering tools on the Cisco ASA appliance (and other network devices) and are used for many different purposes.
However, as simple to configure and useful as they are, ACLs are limited in what they can match and do not support advanced filtering options.
The MPF method, as an advanced configuration tool, does not replace the ACLs used on the Cisco ASA. Instead, it complements them, letting you deploy advanced access controls on the traffic flows passing through the firewall independently of the applied ACLs.
Cisco MPF is straightforward to use, and its core function is simple: it defines traffic flows by describing their network properties, and then applies the appropriate actions to the traffic that matches. To activate the network policies that contain these actions, they must be applied to a specific interface or globally to all ASA interfaces.
Before configuring MPF, you must first define the requirements for which different network policies will be applied to specific traffic flows in a flexible and granular fashion.
When that is done, you classify traffic using class maps. Then, you define the actions in a policy map that will be applied to the traffic matched by the class maps. Finally, to activate the access controls, you apply the policy map by using a service policy.
The main three components that Cisco MPF consists of are:
Inside a class map, you use one or more matching criteria to group certain traffic into a traffic class. Two types of class maps can be created: Layer 3/4 class maps and Layer 5-7 class maps.
To apply actions to the classified traffic, you need to create a policy map, reference the desired class maps inside it, and then define the actions for each class of traffic.
Just like class maps, policy maps come in two types: Layer 3/4 policy maps, which define the actions applied to Layer 3/4 traffic classes, and Layer 5-7 policy maps, which define the actions applied to Layer 5-7 traffic classes.
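As an added example of the Layer 5-7 side (this configuration is not from the original article), the following ASA CLI fragment builds an HTTP inspection class map and inspection policy map and then attaches them to a Layer 3/4 policy. The policy names, the choice of HTTP methods to block, and the interface name `inside` are assumptions chosen for illustration.

```cisco
! Layer 5-7 class map: group HTTP requests by application-layer criteria.
! Here: requests using methods a typical web server should never receive.
class-map type inspect http match-any HTTP-RISKY-METHODS
 match request method connect
 match request method trace
!
! Layer 5-7 policy map: actions for the Layer 7 classes, plus inspection
! parameters that apply to every HTTP connection passing through the map.
policy-map type inspect http HTTP-INSPECT-POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP-RISKY-METHODS
  drop-connection log
!
! Layer 3/4 class map and policy map: the inspection policy map is only
! reached through an 'inspect http <map>' action on matched TCP/80 traffic.
class-map HTTP-TRAFFIC
 match port tcp eq 80
policy-map INSIDE-POLICY
 class HTTP-TRAFFIC
  inspect http HTTP-INSPECT-POLICY
!
! Activate the Layer 3/4 policy map on one interface (bidirectional).
service-policy INSIDE-POLICY interface inside
```

The two layers stay separate on purpose: the Layer 3/4 policy map decides which flows are inspected at all, while the Layer 5-7 policy map decides what happens inside those flows. Dropped connections are logged, so the effect of the map can be verified from the syslog output before it is tightened further.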
Besides using the explicitly configured class maps and policy maps, Cisco ASA also includes a default global policy and a default traffic class.
The default global policy matches all default application inspection traffic, in other words all traffic to the default ports for each protocol, and is applied on all Cisco ASA interfaces. Since there is only one global policy, you can either modify the default one to suit your requirements or disable it and apply a new one globally on the ASA.
The default traffic class is called Default Inspection Traffic and matches the default inspection traffic. By default, this class map is used in the default global policy and matches the default ports for all inspections.
As a result, Cisco ASA applies the appropriate traffic inspection on the traffic sent to a specific destination port. For example, the ASA applies HTTP inspection on the TCP traffic with a destination port of 80.
To deploy MPF on the Cisco ASA, you need to configure class maps to identify and classify traffic. Then, you need to configure actions in the policy map that will apply to the matched traffic, and finally, you need to apply the policy map by using the service policy.
There is a variety of matching criteria that you can use to identify traffic based on Layer 3 and Layer 4 information in a class map. Such criteria are, among many others:
In the policy map, you need to specify the actions that will apply to the traffic that is classified in each of the class maps. On the Cisco ASA, you can have one global policy map and one policy map per interface.
Some of the actions that you can configure are:
The last step is to apply the policy maps with the service policy feature. When a policy is applied to a specific interface, the classification of traffic and the actions apply in both the inbound and outbound directions. In contrast, when a policy is applied globally, it operates only in the inbound direction on all ASA interfaces.
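The three steps above (classify with class maps, define actions in a policy map, activate with a service policy) carried through as one complete interface policy. This is an added example, not configuration from the original article; the class and policy names, the server address 203.0.113.10, the connection limits, and the interface name `outside` are assumptions chosen for illustration, and the VoIP class shows a second matching criterion (DSCP) beyond the ACL match.

```cisco
! Step 1: Layer 3/4 class maps. One matches voice by DSCP marking,
! the other matches connections to a published HTTPS server via an ACL.
class-map VOIP-CLASS
 match dscp ef
!
access-list WEB-SRV-ACL extended permit tcp any host 203.0.113.10 eq 443
class-map WEB-SRV-CLASS
 match access-list WEB-SRV-ACL
!
! Step 2: Layer 3/4 policy map with a different action per class.
! Voice goes to the low-latency queue; the web server gets connection
! limits so a flood of half-open TCP sessions cannot exhaust it.
policy-map OUTSIDE-POLICY
 class VOIP-CLASS
  priority
 class WEB-SRV-CLASS
  set connection conn-max 2000 embryonic-conn-max 500 per-client-max 50
  set connection timeout embryonic 0:00:30
!
! The 'priority' action only has an effect once the interface has a
! low-latency queue configured.
priority-queue outside
!
! Step 3: activate the policy on the interface. Interface policies apply
! in both directions; only one policy map may be attached per interface.
service-policy OUTSIDE-POLICY interface outside
```

The order of classes inside the policy map matters: a packet is matched against the classes top to bottom, and for a given feature only the first matching class applies its action. Keeping the more specific class first avoids surprises when class maps overlap.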
You need to edit the global policy to apply inspection on nonstandard ports or to add inspections that are not enabled by default. Because ICMP stateful inspection is disabled by default, ICMP traffic sent from the inside network to the outside will be allowed, while the return traffic will be denied.
As the image above shows, pings from the PC inside the network receive no reply from the server on the internet, because stateful inspection for ICMP is disabled by default.
To fix that, you must change the rule actions in the default global policy and enable ICMP inspection. The following steps achieve that.
[Image: ... policy is used on the Cisco ASA appliance with specific rule actions applied]
Once ICMP inspection is enabled, the return ICMP traffic (echo reply packets) is allowed through the Cisco ASA because the ICMP session data now exists in the state table.
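The same change expressed at the CLI, as an added example that is not part of the original article. It edits the default global policy `global_policy` and its default class `inspection_default`, which exist on a default ASA configuration, to enable ICMP inspection, and also shows the second case mentioned above, inspection on a nonstandard port. The class name `HTTP-8080` and the port 8080 are assumptions for illustration.

```cisco
! Enable stateful ICMP inspection in the default global policy so that
! echo replies are matched against the session created by the echo request.
! 'inspect icmp error' additionally lets ICMP error messages (e.g.
! unreachable, time exceeded) through for sessions already in the state table.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! inspection_default matches only the default port of each protocol, so
! HTTP on a nonstandard port needs its own class in the same global policy.
class-map HTTP-8080
 match port tcp eq 8080
!
policy-map global_policy
 class HTTP-8080
  inspect http
!
! global_policy is already applied globally on a default configuration;
! the command is shown for completeness. There can be only one global policy.
service-policy global_policy global
```

After the change, `show service-policy inspect icmp` reports packet counters for the ICMP inspection, and a ping from the inside PC should succeed, which is the quickest way to confirm the policy took effect.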
The MPF configuration tool plays a crucial role on the ASA appliance.
It simplifies the overall configuration and enables dynamic protocol inspection. In addition, it lets you apply different actions to specific traffic flows and tune overall network behavior to the enterprise's requirements.
Now that you understand the details of MPF, its benefits, and how it is configured, you’ll be better equipped to utilize it in your network.