Some protocols negotiate connections that are opened dynamically, changing source and destination addresses and ports on the fly. The firewall must inspect these packets so that it can open the corresponding ports and allow that traffic to cross the firewall, handle NAT/PAT address translation and re-encapsulate the packets, and block illegal traffic.
fw1(config)#class-map inspection_default
Default protocol inspection policy
class map
class-map inspection_default
 match default-inspection-traffic
policy map
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sunrpc
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
service policy
service-policy global_policy global
Adding and removing inspections
fw1(config)#policy-map global_policy
fw1(config-pmap)#class inspection_default
fw1(config-pmap-c)#no inspect ctiqbe
Adding HTTP inspection on a new port (8080)
fw1(config)#class-map 8080_inspect_traffic
fw1(config-cmap)#match port tcp eq 8080
fw1(config-cmap)#exit
fw1(config)#policy-map global_policy
fw1(config-pmap)#class 8080_inspect_traffic
fw1(config-pmap-c)#inspect http
FTP inspection
1. Allows the returning second (data) session.
2. Secures FTP through deep packet inspection.
FTP modes
Active mode: the server initiates the connection request.
Passive mode: the client initiates the connection request to the server.
Filtering FTP commands
fw1(config)#regex test smoke
fw1(config)#class-map type inspect ftp new_ftp
fw1(config-cmap)#match request-command dele
fw1(config-cmap)#match username regex test
fw1(config)#policy-map type inspect ftp new_ftp
fw1(config-pmap)#class new_ftp
fw1(config-pmap-c)#reset
fw1(config)#policy-map global_policy
fw1(config-pmap)#class inspection_default
fw1(config-pmap-c)#inspect ftp strict new_ftp
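The three things these notes attribute to FTP inspection (opening the dynamically negotiated data session, the strict check that the announced address belongs to the peer that announced it, and the new_ftp command filter with its reset action) can be modelled in a few dozen lines. The following is an added example, not code from the original notes or from Cisco; the addresses, usernames, the Pinhole type and the 'allow'/'reset' verdict strings are constructed for it. The regex object named test in the notes has the pattern smoke, so that is the pattern the username filter uses.

```python
"""Toy stateful FTP inspector (added example; not code from the original notes).

Models what the notes attribute to 'inspect ftp' / 'inspect ftp strict':
  * deriving the dynamic data connection ("the returning second session") from
    a PORT command (active mode) or a 227 reply (passive mode) and opening a
    pinhole for exactly that connection;
  * the strict check that the address announced in PORT / 227 belongs to the
    peer that sent it, so a pinhole is never opened towards a third host;
  * command filtering modelled on the notes' new_ftp policy: a match-all class
    (request-command DELE AND username matching the regex object 'test', whose
    pattern is 'smoke') whose action is reset.
All addresses, usernames and verdict strings below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """Connection the firewall will permit: src_ip -> dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


def decode_hostport(parts) -> Tuple[str, int]:
    """Decode the FTP h1,h2,h3,h4,p1,p2 form into ('h1.h2.h3.h4', p1*256+p2)."""
    octets = [int(x) for x in parts[:4]]
    p1, p2 = int(parts[4]), int(parts[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("malformed host/port")
    return ".".join(str(o) for o in octets), p1 * 256 + p2


@dataclass
class FtpInspector:
    client_ip: str
    server_ip: str
    deny_command: str = "DELE"        # notes: match request-command dele
    deny_user_pattern: str = "smoke"  # notes: regex test smoke / match username regex test
    username: Optional[str] = None
    pinholes: List[Pinhole] = field(default_factory=list)

    def client_line(self, line: str) -> str:
        """Inspect one control-channel line sent by the client; return 'allow' or 'reset'."""
        line = line.strip()
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.username = arg.strip()
        # command filter: both conditions of the match-all class must hold
        if (cmd == self.deny_command and self.username is not None
                and re.search(self.deny_user_pattern, self.username)):
            return "reset"
        m = PORT_RE.match(line)
        if m:
            try:
                host, port = decode_hostport(m.groups())
            except ValueError:
                return "reset"
            if host != self.client_ip:      # strict: PORT may only name the client itself
                return "reset"
            # active mode: the server initiates the data connection to host:port
            self.pinholes.append(Pinhole(self.server_ip, host, port))
        return "allow"

    def server_line(self, line: str) -> str:
        """Inspect one control-channel line sent by the server; return 'allow' or 'reset'."""
        m = PASV_RE.match(line.strip())
        if m:
            try:
                host, port = decode_hostport(m.groups())
            except ValueError:
                return "reset"
            if host != self.server_ip:      # strict: 227 may only name the server itself
                return "reset"
            # passive mode: the client initiates the data connection to host:port
            self.pinholes.append(Pinhole(self.client_ip, host, port))
        return "allow"
```

Feed the inspector the control-channel lines in order: a USER line first, then PORT / 227 exchanges, and a DELE from a user whose name matches the pattern is answered with the reset verdict while the same command from any other user passes.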
HTTP inspection
Standard RFC methods and extension methods
RFC methods:
connect
delete
get
head
options
post
put
trace
HTTP extension methods:
copy
edit
getattribute
getattributenames
getproperties
index
lock
move
mkdir
default
revadd
revlabel
revlog
revnum
save
setattribute
startrev
stoprev
unedit
unlock
pix1(config)#regex http cisco.com
pix1(config)#class-map type inspect http newhttp
pix1(config-cmap)#match request uri regex http
pix1(config)#policy-map type inspect http newhttp
pix1(config-pmap)#class newhttp
pix1(config-pmap-c)#reset
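As an added example (not code from the original notes or from Cisco), the following models the HTTP inspection described here: the request method is classified against the two lists in the notes (RFC methods versus extension methods, spelled as the firewall accepts them, e.g. revadd and startrev), a non-HTTP request line or an unlisted method counts as a protocol violation, and the newhttp class is applied: a request URI matching the regex object http, whose pattern is cisco.com, gets the reset action. The sample request lines, the allow_extension_methods switch and the 'allow'/'reset' verdict strings are constructed for the example.

```python
"""Toy HTTP request-line inspector (added example; not code from the original notes)."""
import re
from typing import Tuple

RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXTENSION_METHODS = {
    "copy", "edit", "getattribute", "getattributenames", "getproperties", "index",
    "lock", "move", "mkdir", "default", "revadd", "revlabel", "revlog", "revnum",
    "save", "setattribute", "startrev", "stoprev", "unedit", "unlock",
}
# notes: regex http cisco.com  (unanchored, and '.' matches any single character)
URI_REGEX = re.compile("cisco.com")


def classify_method(method: str) -> str:
    """Return 'rfc', 'extension' or 'unknown' for an HTTP method token."""
    m = method.lower()
    if m in RFC_METHODS:
        return "rfc"
    if m in EXTENSION_METHODS:
        return "extension"
    return "unknown"


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD URI HTTP/x.y' into its three tokens; raise ValueError if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not re.fullmatch(r"HTTP/\d\.\d", parts[2]):
        raise ValueError("not an HTTP request line")
    return parts[0], parts[1], parts[2]


def http_policy(line: str, uri_regex=URI_REGEX, allow_extension_methods: bool = True) -> str:
    """Verdict for one request line: 'allow' or 'reset' (constructed verdict names)."""
    try:
        method, uri, _version = parse_request_line(line)
    except ValueError:
        return "reset"                  # protocol violation on an HTTP port
    kind = classify_method(method)
    if kind == "unknown":
        return "reset"                  # neither an RFC nor a known extension method
    if kind == "extension" and not allow_extension_methods:
        return "reset"
    if uri_regex.search(uri):           # notes: match request uri regex http -> reset
        return "reset"
    return "allow"
```

Because the pattern is unanchored and its dot is a wildcard, a URI containing ciscoXcom is also matched; anchor and escape the pattern when the intent is a literal host name.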
Remote shell (rsh): remote command execution
SQL*Net
ESMTP inspection (Microsoft mail server)
DNS record translation
fw1(config)#nat (inside) 1 10.0.0.0 255.255.255.0 dns
fw1(config)#global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
fw1(config)#static (inside,outside) 192.168.0.17 10.0.0.10 dns
fw1(config)#access-list all permit tcp any host 192.168.0.17 eq www
fw1(config)#access-group all in interface outside
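What the dns keyword on the static above actually does to a packet is easiest to see in code. The following is an added example, not code from the original notes or from Cisco: a minimal DNS reply parser that walks the question and resource-record sections, following compression pointers, and substitutes A-record addresses according to the notes' static mapping (192.168.0.17 on the outside, 10.0.0.10 on the inside). The direction names, the packet builder and the sample query names are constructed for the example; the addresses are those in the notes.

```python
"""DNS record translation (DNS rewrite) as a standalone model (added example;
not code from the original notes).

With the 'dns' keyword on static (inside,outside) 192.168.0.17 10.0.0.10, the
firewall rewrites A records in DNS replies that cross it: a reply from an outside
DNS server that says 192.168.0.17 is rewritten to 10.0.0.10 before it reaches the
inside client, and a reply from an inside server that says 10.0.0.10 is rewritten
to 192.168.0.17 on its way out.
"""
import ipaddress
import struct
from typing import Iterator, List, Tuple

# (mapped address on outside, real address on inside), from the notes' static entry
STATICS = [("192.168.0.17", "10.0.0.10")]


def mapping_for(reply_direction: str) -> dict:
    """Address substitutions to apply to a reply travelling in the given direction."""
    if reply_direction == "outside->inside":
        return {mapped: real for mapped, real in STATICS}
    if reply_direction == "inside->outside":
        return {real: mapped for mapped, real in STATICS}
    raise ValueError("direction must be 'outside->inside' or 'inside->outside'")


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels, optionally ending in a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _resource_records(pkt: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rtype, rclass, rdata_offset, rdlength) for every RR after the question section."""
    _ident, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(pkt: bytes) -> List[str]:
    """All IPv4 addresses carried in A records (type 1, class IN) of the message."""
    return [str(ipaddress.IPv4Address(pkt[off:off + 4]))
            for rtype, rclass, off, rdlen in _resource_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_a_records(pkt: bytes, mapping: dict) -> bytes:
    """Return a copy of a DNS reply with A-record addresses substituted per `mapping`.
    RDATA stays 4 bytes long, so no lengths or offsets change."""
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:                      # QR bit clear: a query, nothing to rewrite
        return pkt
    buf = bytearray(pkt)
    for rtype, rclass, off, rdlen in _resource_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            if addr in mapping:
                buf[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
    return bytes(buf)


def build_response(qname: str, addr: str, ident: int = 0x1234, ttl: int = 300) -> bytes:
    """Construct a minimal standard-response DNS message with one A answer (constructed test input)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

Only A records with a 4-byte RDATA are touched, and the rewrite is applied per direction, so a reply for an address that has no static entry passes through unchanged.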
icmp inspection
snmp inspection
fw1(config)#snmp-map snmp_deny_v1
fw1(config-snmp-map)#deny version 1
fw1(config)#policy-map global_policy
fw1(config-pmap)#class snmp-port
fw1(config-pmap-c)#inspect snmp snmp_deny_v1
fw1(config)#service-policy global_policy global
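The deny version 1 rule in the snmp-map needs only the first two BER fields of an SNMP message. As an added example (not code from the original notes or from Cisco), the following decodes exactly those fields and applies a version deny list; the message builder, the community strings and the 'allow'/'drop' verdict strings are constructed for the example, and the choice to drop messages that cannot be parsed is this example's, not a statement about the firewall.

```python
"""Minimal SNMP version check, modelling 'snmp-map snmp_deny_v1 / deny version 1'
(added example; not code from the original notes).

An SNMP message is BER: SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
The version integer is 0 for SNMPv1, 1 for SNMPv2c and 3 for SNMPv3, so a
'deny version' rule only needs the first two TLVs.
"""
from typing import Tuple

VERSION_NAMES = {0: "1", 1: "2c", 3: "3"}


def _read_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Decode one BER tag/length; return (tag, value_start, value_end). Raises on malformed input."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                          # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("truncated message")
    return tag, off, end


def snmp_version(msg: bytes) -> int:
    """Extract the version integer from an SNMP message."""
    tag, start, _end = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    vtag, vstart, vend = _read_tlv(msg, start)
    if vtag != 0x02 or vend - vstart < 1:
        raise ValueError("version field must be a non-empty INTEGER")
    return int.from_bytes(msg[vstart:vend], "big")


def snmp_policy(msg: bytes, denied_versions=("1",)) -> str:
    """Verdict for one SNMP message: 'allow', or 'drop' for denied versions or malformed input."""
    try:
        version = snmp_version(msg)
    except (ValueError, IndexError):
        return "drop"                          # malformed: do not forward what cannot be parsed
    name = VERSION_NAMES.get(version)
    if name is None or name in denied_versions:
        return "drop"
    return "allow"


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoding (values shorter than 128 bytes), enough for the test messages."""
    if len(value) >= 128:
        raise ValueError("short form only")
    return bytes([tag, len(value)]) + value


def build_snmp_message(version: int, community: str, pdu_body: bytes = b"") -> bytes:
    """Construct an SNMP message with an empty GetRequest PDU (constructed test input)."""
    body = _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu_body)
    return _tlv(0x30, body)
```

The denied_versions tuple plays the role of the snmp-map: ("1",) matches the notes' deny version 1, and ("1", "2c") is what a map that also denies version 2c would look like.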
Multimedia protocol support
RTSP uses one TCP channel and two UDP channels
Transport types
rtp
rdp
Synchronization and resend channels
rtcp
udp resend
H.323 inspection (voice protocol)
SIP inspection (voice protocol)
Enabling SIP
Default port 5060
Secures application voice gateways and proxies
sip
rtp, rtcp
SCCP inspection
CTIQBE inspection
MGCP inspection
Tags: map,ftp,inspect,fw1,PIX,7.0,policy,config,Day From: https://www.cnblogs.com/smoke520/p/18366020