A Crash Course in Cisco ASA Modular Policy Framework
by PivIT Global on Apr 25, 2023 7:06:00 AM
Besides operating as a stateful packet filtering firewall, where every session is recorded in a state table, the Cisco ASA appliance can also function as an application firewall. It performs deep packet inspection at the application layer, and network engineers can base the appropriate network policies on the results of that inspection.
In almost all networks, different types of traffic passing through the Cisco ASA may have different policy requirements.
Typically, VoIP traffic should always get prioritized over the rest to prevent packet losses and delays, while you should check traffic coming from the internet for any sign of malware or other types of malicious content.
Though there are several approaches to applying access controls on network flows, most lack options to fully satisfy the requirements for assigning different network policies to different traffic flows. The only suitable solution is the Modular Policy Framework (MPF) configuration tool, which allows you to deploy desired security policies to specific traffic flows.
In this article, we will provide the following:
- An overview of Cisco MPF.
- An exploration of class maps, policy maps, and service policy.
- A familiarization with the benefits it offers.
- A configuration example of MPF service policy rules on a Cisco ASA.
An Overview of Cisco MPF
Access control lists (ACLs) are fundamental access control filtering tools on the Cisco ASA appliance (and other network devices) and are used for many different purposes.
However, as simple-to-configure and beneficial as they are, ACLs are limited configuration-wise and do not support advanced filtering options.
The MPF method, as an advanced configuration tool, does not replace the ACLs used on the Cisco ASA. Instead, it enhances them, which allows you to deploy advanced access control on the network traffic flows going through the firewall independently of the applied ACLs.
Cisco MPF is straightforward to use, and its core function is simple: it defines traffic flows by describing their network properties, and the appropriate actions are then applied to those flows. To activate the network policies that contain the actions, they must be applied on a specific interface or globally on all ASA interfaces.
Class Map, Policy Map, Service Policy
Before configuring MPF, you must first define the requirements for which different network policies will be applied to specific traffic flows in a flexible and granular fashion.
When that part is finished, you must classify traffic using class maps. Then, you need to define actions in a policy map that will be applied to the traffic matched by the class maps. Finally, to activate the access controls, you need to apply the policy map by using a service policy.
The main three components that Cisco MPF consists of are:
- Class map: A class map is a feature responsible for identifying specific traffic flows into a traffic class based on certain requirements. A traffic flow typically represents a Layer 4 session between two devices used by a particular application, such as HTTP traffic, voice calls, management traffic, etc.
Inside the class map, you can use single or multiple matching criteria to group certain traffic into a traffic class. Two different types of class maps can be created: a Layer 3/4 class map or Layer 5-7 class map.
Layer 3/4 class map classifies traffic based on Layer 3 and Layer 4 information that is found in a packet, while Layer 5-7 class map classifies traffic based on application-layer content of the packet.
- Policy map: Inside the policy map, you define the actions that should be applied to the traffic matched by the class maps. For example, you might want to limit the HTTP traffic to certain bandwidth usage while prioritizing the voice traffic associated with low latency queuing.
To achieve that, you need to create a policy map, reference the desired class maps inside the policy map, and then define the actions for each specific class of traffic.
Just like with the class maps, you can create Layer 3/4 policy maps, which define actions applied to Layer 3/4 traffic classes, and Layer 5-7 policy maps, which define actions applied to Layer 5-7 traffic classes.
- Service policy: A service policy is not a separate object that you configure. It is simply the command that activates a policy map, and it can be applied either on a specific interface or globally on all Cisco ASA interfaces.
Knowing About the Defaults of MPF
Besides using the explicitly configured class maps and policy maps, Cisco ASA also includes a default global policy and a default traffic class.
The default global policy matches all default application inspection traffic or, in other words, all traffic to the default ports for each protocol, and is applied on all Cisco ASA interfaces. Since there is only one global policy, you can either modify the default one based on your requirements or disable it and apply a new one globally on the ASA.
The default traffic class is called Default Inspection Traffic and matches the default inspection traffic. By default, this class map is used in the default global policy and matches the default ports for all inspections.
As a result, Cisco ASA applies the appropriate traffic inspection on the traffic sent to a specific destination port. For example, the ASA applies HTTP inspection on the TCP traffic with a destination port of 80.
How to Configure Cisco MPF
To deploy MPF on the Cisco ASA, you need to configure class maps to identify and classify traffic. Then, you need to configure actions in the policy map that will apply to the matched traffic, and finally, you need to apply the policy map by using the service policy.
There are many matching criteria that you can use in a class map to identify traffic based on Layer 3 and Layer 4 information. Among others, the criteria include:
- ACL.
- TCP and UDP ports.
- IP DSCP.
- RTP ports.
- Tunnel group.
- Default inspection traffic.
In the policy map, you need to specify the actions that will apply to the traffic that is classified in each of the class maps. On the Cisco ASA, you can have one global policy map and one policy map per interface.
Some of the actions that you can configure are:
- Perform protocol inspection.
- Send traffic to the Cisco ASA Firepower services module for additional inspection.
- Send NetFlow information based on the traffic.
- Prioritize, shape, or police traffic.
- Define connection parameters such as TCP sequence randomization, connection timeouts per traffic class, global timeouts for different protocols, and many more.
The last step is to apply the policy maps with the service policy feature. When a policy is applied to a specific interface, the classification of traffic and the actions apply in both the inbound and outbound directions. In contrast, when a policy is applied globally, it operates in the inbound direction only, on all ASA interfaces.
You need to edit the global policy to apply inspection to nonstandard ports or add inspections that are not enabled by default. Because ICMP stateful inspection is disabled by default, all ICMP traffic sent from inside the network to the outside will be allowed, while the return traffic will be denied.
As you can see in the image above, the pings from the PC inside the network never receive a reply from the server on the internet, because stateful inspection for ICMP is disabled by default and the echo replies are dropped on the way back in.
To fix that, you must change the rule actions in the default global policy and allow ICMP inspection. The following steps achieve that.
Step 1: Edit the default global policy on the Cisco ASA appliance
Step 2: Enable ICMP protocol inspection in the rule actions
Once it is enabled, the return ICMP traffic (echo reply packets) will be allowed by the Cisco ASA appliance because of the ICMP session data created in the state table.
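The CLI equivalent of the procedure described above, as an added example that is not part of the original article: two Layer 3/4 class maps, an interface policy map with per-class actions, the service policy that activates it, and the fix from Step 1 and Step 2 applied to the default global policy. The interface names (inside/outside), the ACL name, the voice subnet and the policy map name are assumptions; global_policy and inspection_default are the ASA's built-in names for the default global policy and the Default Inspection Traffic class.

```cisco
! Constructed example: MPF on a Cisco ASA. Interface names, ACL name,
! subnet and OUTSIDE_POLICY are assumptions for illustration.

! --- Layer 3/4 class maps: identify the traffic flows ---
access-list VOIP_ACL extended permit udp 10.1.1.0 255.255.255.0 any
!
class-map VOICE_CLASS
 description Voice media from the assumed voice subnet
 match access-list VOIP_ACL
!
class-map HTTP_CLASS
 description Web traffic on the standard port
 match port tcp eq 80
!
! --- Layer 3/4 policy map: actions per class ---
! (one policy map per interface; priority needs the interface queue below)
priority-queue outside
!
policy-map OUTSIDE_POLICY
 class VOICE_CLASS
  priority
 class HTTP_CLASS
  inspect http
  police output 2000000 1500
  set connection timeout idle 0:10:00
!
! --- Service policy: activate on one interface (both directions) ---
service-policy OUTSIDE_POLICY interface outside

! --- Step 1 and Step 2: enable ICMP inspection in the default global policy ---
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify that the policies are attached and that ICMP is now being inspected
show service-policy global
show service-policy interface outside
```

After `inspect icmp` is active, echo requests from the inside create ICMP entries in the state table, and the matching echo replies are permitted back in; the counters in `show service-policy global` confirm that packets are hitting the ICMP inspection.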
Understanding the Importance of MPF
The MPF configuration tool plays a crucial role in the ASA appliance.
It simplifies the overall configuration and allows dynamic protocol inspections. In addition, it will enable you to apply different actions on specific traffic flows and tune the overall network behavior based on the enterprise requirements.
Now that you understand the details of MPF, its benefits, and how it is configured, you’ll be better equipped to utilize it in your network.