Some protocols negotiate additional connections dynamically, changing source and destination addresses and ports on the fly. The firewall therefore has to inspect the control channel of these protocols so that it can open the negotiated ports (pinholes) and let that traffic through, apply NAT/PAT to the addresses embedded in the payload and rewrite the packets accordingly, and block traffic that violates the protocol.

fw1(config)#class-map inspection_default

Default protocol inspection policy

class map

class-map inspection_default

match default-inspection-traffic

policy map

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect sunrpc

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect esmtp

inspect sqlnet

inspect tftp

inspect xdmcp

service policy

service-policy global_policy global

Adding and removing an inspection

fw1(config)#policy-map global_policy

fw1(config-pmap)#class inspection_default

fw1(config-pmap-c)#no inspect ctiqbe

Adding HTTP inspection on a new port (8080)

fw1(config)#class-map 8080_inspect_traffic

fw1(config-cmap)#match port tcp eq 8080

fw1(config-cmap)#exit

fw1(config)#policy-map global_policy

fw1(config-pmap)#class 8080_inspect_traffic

fw1(config-pmap-c)#inspect http
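The commands above are the three MPF building blocks: class maps select traffic, the policy map attaches inspect statements to each class, and service-policy activates the policy map. When auditing a firewall it helps to read those pieces back from a running-config and list the effective inspections per class. The following is an added example (it is not part of these notes and not Cisco software): a small Python parser for the subset of MPF syntax used on this page, run against a config excerpt constructed from the commands shown here. It also flags a class that a policy map references without a matching class-map, which is a common copy-and-paste mistake.

```python
"""Parse the Modular Policy Framework section of a PIX/ASA running-config and
report which application inspections apply to which traffic.

Added example, not from the original notes or from Cisco. SAMPLE_CONFIG is
constructed from the commands on this page; the parser understands only the
MPF subset used here (class-map / match / policy-map / class / inspect /
service-policy)."""

SAMPLE_CONFIG = """
class-map inspection_default
 match default-inspection-traffic
class-map 8080_inspect_traffic
 match port tcp eq 8080
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect sunrpc
  inspect esmtp
 class 8080_inspect_traffic
  inspect http
service-policy global_policy global
"""


def parse_mpf(config: str) -> dict:
    """Return {'class_maps': {name: [match...]}, 'policy_maps': {name: {class: [inspect...]}},
    'service_policies': [(policy_map, where)]}."""
    class_maps, policy_maps, service_policies = {}, {}, []
    current_kind = current_name = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class-map "):            # also catches 'class-map type inspect ...'
            current_kind, current_name = "cmap", line.split()[-1]
            class_maps[current_name] = []
        elif line.startswith("policy-map "):
            current_kind, current_name = "pmap", line.split()[-1]
            policy_maps[current_name] = {}
            current_class = None
        elif line.startswith("service-policy "):
            parts = line.split()
            service_policies.append((parts[1], " ".join(parts[2:])))   # e.g. 'global', 'interface outside'
            current_kind = None
        elif current_kind == "cmap" and line.startswith("match "):
            class_maps[current_name].append(line[len("match "):])
        elif current_kind == "pmap" and line.startswith("class "):
            current_class = line.split()[1]
            policy_maps[current_name].setdefault(current_class, [])
        elif current_kind == "pmap" and current_class and line.startswith("inspect "):
            policy_maps[current_name][current_class].append(line[len("inspect "):])
    return {"class_maps": class_maps, "policy_maps": policy_maps,
            "service_policies": service_policies}


def effective_inspections(config: str) -> list:
    """(where applied, matched traffic, inspect arguments) for every active inspection.
    A class with no class-map definition is reported as '<undefined class-map>'."""
    mpf = parse_mpf(config)
    rows = []
    for pmap_name, where in mpf["service_policies"]:
        for cls, inspections in mpf["policy_maps"].get(pmap_name, {}).items():
            traffic = "; ".join(mpf["class_maps"].get(cls, ["<undefined class-map>"]))
            for insp in inspections:
                rows.append((where, traffic, insp))
    return rows


def inspection_engines(config: str) -> set:
    """Just the engine names (first word of each inspect line), e.g. {'ftp', 'http'}."""
    return {insp.split()[0] for _, _, insp in effective_inspections(config)}


if __name__ == "__main__":
    for where, traffic, insp in effective_inspections(SAMPLE_CONFIG):
        print(f"{where:8} {traffic:30} inspect {insp}")
```

Feed it `show running-config` output; anything that is not one of the recognised keywords is ignored, so descriptions and unrelated sections do not disturb the result.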

FTP inspection

1. Opens the secondary (data) connection that is negotiated on the control channel.

2. Protects the FTP service with deep packet inspection of the control channel.

FTP modes

Active mode: the server initiates the data connection back to the client, to the address and port the client announced with PORT.

Passive mode: the client initiates the data connection to the server, to the address and port the server announced in its 227 reply to PASV.

Filtering FTP commands

fw1(config)#regex test smoke

fw1(config)#class-map type inspect ftp new_ftp

fw1(config-cmap)#match request-command dele

fw1(config-cmap)#match username regex test

fw1(config)#policy-map type inspect ftp new_ftp

fw1(config-pmap)#class new_ftp

fw1(config-pmap-c)#reset

fw1(config)#policy-map global_policy

fw1(config-pmap)#class inspection_default

fw1(config-pmap-c)#inspect ftp strict new_ftp
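To make the two FTP sections above concrete (the active/passive pinhole and the command filter), here is an added example that is not part of these notes and not Cisco software: a Python emulation of what `inspect ftp strict` does on the control channel. It decodes PORT and the 227 reply to PASV into the pinhole the firewall must open, rejects a PORT that points anywhere but back at the client (the strict check), and applies this page's policy: a DELE from a username matching the regex `smoke` resets the connection. The exchange, addresses and the spoofed PORT are constructed; the class map is assumed to be evaluated match-all, so both criteria must hold.

```python
"""Emulate `inspect ftp strict` on the FTP control channel: open the pinhole for
the negotiated data connection (active PORT vs passive PASV), apply the strict
check on PORT, and enforce the page's filter (DELE by a user whose name matches
the regex `smoke` -> reset).

Added example, not from the original notes or from Cisco. The exchange, the
addresses and the hostile PORT below are constructed for illustration."""
import re
from dataclasses import dataclass, field

USERNAME_RE = re.compile("smoke")     # the page's `regex test smoke`


@dataclass
class Pinhole:
    src_ip: str          # side allowed to open the data connection
    dst: tuple           # (ip, port) it may connect to


@dataclass
class FtpSession:
    client_ip: str
    server_ip: str
    username: str = ""
    verdict: str = "pass"
    pinholes: list = field(default_factory=list)
    log: list = field(default_factory=list)


def _hostport(csv: str) -> tuple:
    """Decode the 'h1,h2,h3,h4,p1,p2' form used by PORT and by the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in csv.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_line(s: FtpSession, direction: str, line: str) -> None:
    """direction is 'c2s' for a client command, 's2c' for a server reply."""
    if s.verdict == "reset":
        return                                   # connection already torn down
    if direction == "c2s":
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            s.username = arg
        elif verb == "PORT":
            ip, port = _hostport(arg)
            # strict: the client may only ask the server to connect back to the
            # client's own address, and only on an unprivileged port
            if ip != s.client_ip or port < 1024:
                s.verdict = "reset"
                s.log.append(f"strict PORT violation {ip}:{port} from {s.client_ip}")
                return
            s.pinholes.append(Pinhole(s.server_ip, (ip, port)))   # server (port 20) -> client
            s.log.append(f"active: allow {s.server_ip} -> {ip}:{port}")
        elif verb == "DELE":
            # class-map type inspect ftp: request-command dele AND username regex
            # (assumed match-all) -> policy-map action reset
            if USERNAME_RE.search(s.username):
                s.verdict = "reset"
                s.log.append(f"policy: DELE by {s.username!r} -> reset")
    else:
        m = re.match(r"227 .*?\((\d+(?:,\d+){5})\)", line)
        if m:
            ip, port = _hostport(m.group(1))
            s.pinholes.append(Pinhole(s.client_ip, (ip, port)))   # client -> server data port
            s.log.append(f"passive: allow {s.client_ip} -> {ip}:{port}")


def run(exchange, client_ip="10.0.0.5", server_ip="192.168.0.30") -> FtpSession:
    """Replay a list of (direction, line) pairs through the inspector."""
    s = FtpSession(client_ip, server_ip)
    for direction, line in exchange:
        inspect_line(s, direction, line)
    return s


# Constructed exchange: one passive transfer, one active transfer, then a DELE
# that trips the filter because the user name matches the regex.
EXCHANGE = [
    ("c2s", "USER smokey"),
    ("c2s", "PASS hunter2"),
    ("c2s", "PASV"),
    ("s2c", "227 Entering Passive Mode (192,168,0,30,195,80)"),
    ("c2s", "RETR report.txt"),
    ("c2s", "PORT 10,0,0,5,200,10"),
    ("c2s", "DELE report.txt"),
]

if __name__ == "__main__":
    session = run(EXCHANGE)
    print("\n".join(session.log), "\nverdict:", session.verdict)
```

The spoofed-PORT case is the reason `strict` exists: without the address check a client behind the firewall could make the server open a connection to an arbitrary third host and port.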

HTTP inspection

Standard RFC request methods and extension methods

rfc methods:

connect

delete

get

head

options

post

put

trace

HTTP extension methods:

copy

edit

getattribute

getattributenames

getproperties

index

lock

move

mkdir

default

revadd

revlabel

revlog

revnum

save

setattribute

startrev

stoprev

unedit

unlock

pix1(config)#regex http cisco.com

pix1(config)#class-map type inspect http newhttp

pix1(config-cmap)#match request uri regex http

pix1(config)#policy-map type inspect http newhttp

pix1(config-pmap)#class newhttp

pix1(config-pmap-c)#reset

As with the FTP map above, this policy only takes effect once it is referenced from the global policy (inspect http newhttp under the relevant class).

RSH (remote shell) inspection: remote command execution

SQL*Net inspection

ESMTP inspection (Extended SMTP)

DNS record translation: rewriting the A records in DNS replies to match the static NAT

fw1(config)#nat (inside) 1 10.0.0.0 255.255.255.0 dns

fw1(config)#global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0

fw1(config)#static (inside,outside) 192.168.0.17 10.0.0.10 dns

fw1(config)#access-list all permit tcp any host 192.168.0.17 eq www

fw1(config)#access-group all in interface outside
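The `dns` keyword on the static above makes the firewall rewrite the A record in DNS replies: an inside client that resolves the server's name through an outside DNS server gets the global address 192.168.0.17 back, and the firewall replaces it with 10.0.0.10 so the client connects to the server directly instead of hairpinning through the NAT. The following is an added example, not part of these notes and not Cisco software, of that rewrite in Python: it builds a minimal DNS reply (constructed, with a compression pointer in the answer name, as real servers emit), walks the question and answer sections, and swaps the rdata of any A record that appears in the static mapping. The hostname www.example.com and the mapping dictionary are assumptions for illustration.

```python
"""DNS record translation ("DNS doctoring"): rewrite A records in a DNS reply
according to the static NAT mapping from the page (192.168.0.17 -> 10.0.0.10).

Added example, not from the original notes or from Cisco. The reply packet is
constructed inline; the rewriter handles A records and label/pointer-compressed
names, which is all this scenario needs."""
import struct
from ipaddress import IPv4Address

# static (inside,outside) 192.168.0.17 10.0.0.10 dns   -> {global: local}
STATIC_GLOBAL_TO_LOCAL = {"192.168.0.17": "10.0.0.10"}


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _walk_answers(pkt: bytes):
    """Yield (rdata offset, rtype, rdlength) for each record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4     # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def doctor_reply(pkt: bytes, mapping: dict) -> tuple:
    """Rewrite A-record rdata found in mapping; return (new packet, number rewritten)."""
    buf = bytearray(pkt)
    rewritten = 0
    for off, rtype, rdlen in _walk_answers(pkt):
        if rtype == 1 and rdlen == 4:      # A record
            addr = str(IPv4Address(pkt[off:off + 4]))
            if addr in mapping:
                buf[off:off + 4] = IPv4Address(mapping[addr]).packed   # same length, no re-framing
                rewritten += 1
    return bytes(buf), rewritten


def answered_addresses(pkt: bytes) -> list:
    """Read back the A records of a reply (used to check the result)."""
    return [str(IPv4Address(pkt[off:off + 4]))
            for off, rtype, rdlen in _walk_answers(pkt) if rtype == 1 and rdlen == 4]


def build_reply(name: str, addr: str, ttl: int = 300) -> bytes:
    """Constructed minimal DNS response: one question, one A answer whose name is a pointer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)                     # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_reply("www.example.com", "192.168.0.17")   # what the outside DNS server sends
    fixed, n = doctor_reply(reply, STATIC_GLOBAL_TO_LOCAL)
    print(n, answered_addresses(reply), "->", answered_addresses(fixed))
```

The reverse direction (an outside client querying an inside DNS server that answers with 10.0.0.10) is the same walk with the mapping inverted; the rewrite never changes the packet length, so no UDP length or DNS framing has to be recomputed.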

icmp inspection

snmp inspection

fw1(config)#snmp-map snmp_deny_v1

fw1(config-snmp-map)#deny version 1

The class map snmp-port must already exist; these notes do not define it. A suitable definition is:

fw1(config)#class-map snmp-port

fw1(config-cmap)#match port udp eq 161

fw1(config)#policy-map global_policy

fw1(config-pmap)#class snmp-port

fw1(config-pmap-c)#inspect snmp snmp_deny_v1

fw1(config)#service-policy global_policy global
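What `deny version 1` actually keys on is the version INTEGER at the front of every SNMP message (BER: SEQUENCE { INTEGER version, OCTET STRING community, PDU }, with version 0 meaning SNMPv1, 1 meaning v2c and 3 meaning v3). The following is an added example, not part of these notes and not Cisco software: a Python decoder for that prefix and a verdict function that drops denied versions, and also drops messages that are not even SNMP-shaped, which is what a strict inspector on UDP/161 should do. The sample messages are constructed (community `public`, empty GetRequest PDU).

```python
"""Emulate the `deny version 1` check of an snmp-map by decoding the version
INTEGER at the front of an SNMP message.

Added example, not from the original notes or from Cisco. build_snmp() makes
constructed messages (community 'public', empty GetRequest PDU) for testing."""

SNMP_VERSION_NAMES = {0: "1", 1: "2c", 2: "2u", 3: "3"}


def _ber_len(buf: bytes, off: int) -> tuple:
    """Decode a BER length at off (short or long form); return (length, offset of content)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    if n == 0 or n > 4 or off + 1 + n > len(buf):
        raise ValueError("bad BER length")
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def snmp_version(msg: bytes) -> str:
    """Return '1', '2c', '2u' or '3'; raise ValueError if the message is not SNMP-shaped."""
    if not msg or msg[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, off = _ber_len(msg, 1)
    if off + seq_len != len(msg):
        raise ValueError("SEQUENCE length does not match message length")
    if off >= len(msg) or msg[off] != 0x02:
        raise ValueError("version INTEGER missing")
    int_len, off = _ber_len(msg, off + 1)
    if int_len < 1 or int_len > 4 or off + int_len > len(msg):
        raise ValueError("odd version encoding")
    version = int.from_bytes(msg[off:off + int_len], "big", signed=True)
    if version not in SNMP_VERSION_NAMES:
        raise ValueError(f"unknown version {version}")
    return SNMP_VERSION_NAMES[version]


def snmp_map_verdict(msg: bytes, denied_versions=("1",)) -> str:
    """'drop' for denied or malformed messages, 'pass' otherwise."""
    try:
        return "drop" if snmp_version(msg) in denied_versions else "pass"
    except ValueError:
        return "drop"            # a strict inspector drops what it cannot parse


def build_snmp(version: int, community: bytes = b"public", pdu: bytes = b"\xa0\x00") -> bytes:
    """Constructed SNMP message: SEQUENCE { INTEGER version, OCTET STRING community, PDU }."""
    body = (b"\x02\x01" + bytes([version])
            + b"\x04" + bytes([len(community)]) + community
            + pdu)
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    for v in (0, 1, 3):
        m = build_snmp(v)
        print(f"SNMPv{snmp_version(m):<3} -> {snmp_map_verdict(m)}")
```

Denying v1 removes the weakest variant, but v2c still carries the community string in clear text; if the network allows it, `denied_versions=("1", "2c")` (or `deny version 2c` on the firewall) leaves only SNMPv3.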

Multimedia protocol support

RTSP uses one TCP control channel and two UDP data channels

Transport types

RTP

RDT (RealNetworks Real Data Transport)

Synchronisation and retransmission channels

RTCP

UDP resend

H.323 inspection (voice protocol)

SIP inspection (voice protocol)

Enabling SIP

Default port 5060

Securing voice gateways and proxies

SIP

RTP, RTCP

SCCP (Skinny) inspection

CTIQBE inspection

MGCP inspection