A Crash Course in Cisco ASA Modular Policy Framework

Besides operating as a stateful packet-filtering firewall, where all sessions are stored in a state table, the Cisco ASA appliance can also function as an application firewall. This allows deep packet application inspection, on the basis of which network engineers can assign appropriate network policies. 

In almost all networks, different types of traffic passing through the Cisco ASA may have different policy requirements. 

Typically, VoIP traffic should always be prioritized over the rest to prevent packet loss and delay, while traffic coming from the internet should be checked for any sign of malware or other malicious content. 

Though there are several approaches to applying access controls to network flows, most lack the options needed to assign different network policies to different traffic flows. The only suitable solution is the Modular Policy Framework (MPF) configuration tool, which allows you to deploy the desired security policies to specific traffic flows. 

In this article, we will provide the following:

  • An overview of Cisco MPF.
  • An exploration of class maps, policy maps, and service policy.
  • A familiarization with the benefits it offers.
  • A configuration example of MPF service policy rules on a Cisco ASA.

An Overview of Cisco MPF

Access control lists (ACLs) are fundamental access control filtering tools on the Cisco ASA appliance (and other network devices) and are used for many different purposes. 

However, as simple to configure and beneficial as they are, ACLs are limited in what they can express and do not support advanced filtering options. 

The MPF method, as an advanced configuration tool, does not replace the ACLs used on the Cisco ASA. Instead, it complements them, allowing you to deploy advanced access control on the traffic flows going through the firewall independently of the applied ACLs. 

Cisco MPF is a straightforward, easy-to-use method, and its main functionality is simple: it defines traffic flows by describing their network properties, and appropriate actions are then applied to those flows. To activate the network policies that contain the actions, they must be applied to a specific interface or globally on all ASA interfaces. 

Class Map, Policy Map, Service Policy 

Before configuring MPF, you must first define the requirements: which network policies will be applied to which traffic flows, in a flexible and granular fashion. 

When that part is finished, you must classify traffic using class maps. Then, you need to define actions in a policy map that will be applied to the traffic matched by the class maps. Finally, to activate the access controls, you need to apply the policy map by using a service policy.

The three main components of Cisco MPF are:

  • Class map: A class map is the feature responsible for identifying specific traffic flows and grouping them into a traffic class based on certain requirements. A traffic flow typically represents a Layer 4 session between two devices used by a particular application, such as HTTP traffic, voice calls, management traffic, etc. 

    Inside the class map, you can use a single matching criterion or several to group certain traffic into a traffic class. Two different types of class maps can be created: a Layer 3/4 class map or a Layer 5-7 class map. 

    A Layer 3/4 class map classifies traffic based on the Layer 3 and Layer 4 information found in a packet, while a Layer 5-7 class map classifies traffic based on the application-layer content of the packet.

  • Policy map: Inside the policy map, you define the actions that should be applied to the traffic matched by the class maps. For example, you might want to limit HTTP traffic to a certain bandwidth while prioritizing voice traffic with low-latency queuing. 

    To achieve that, you need to create a policy map, reference the desired class maps inside the policy map, and then define the actions for each specific class of traffic. 

    Just as with class maps, you can create Layer 3/4 policy maps, which define actions applied to Layer 3/4 traffic classes, and Layer 5-7 policy maps, which define actions applied to Layer 5-7 traffic classes.

  • Service policy: There is no such thing as configuring a service policy on its own. The service policy is simply the command that activates a policy map, and it can be applied either to a specific interface or globally on all Cisco ASA interfaces.

Knowing About the Defaults of MPF

Besides using the explicitly configured class maps and policy maps, Cisco ASA also includes a default global policy and a default traffic class. 

The default global policy matches all default application inspection traffic, in other words, all traffic to the default ports of each inspected protocol, and is applied to all Cisco ASA interfaces. Since there can be only one global policy, you can either modify the default one to meet your requirements or disable it and apply a new one globally on the ASA. 

The default traffic class is called Default Inspection Traffic. By default, this class map is referenced in the default global policy and matches the default ports of all inspections. 

As a result, Cisco ASA applies the appropriate traffic inspection on the traffic sent to a specific destination port. For example, the ASA applies HTTP inspection on the TCP traffic with a destination port of 80.

How to Configure Cisco MPF

To deploy MPF on the Cisco ASA, you need to configure class maps to identify and classify traffic. Then, you need to configure actions in the policy map that will apply to the matched traffic, and finally, you need to apply the policy map by using the service policy.

A variety of matching criteria can be used in a class map to identify traffic based on Layer 3 and Layer 4 information. Among many others, these criteria include:

  • ACL.
  • TCP and UDP ports.
  • IP DSCP.
  • RTP ports.
  • Tunnel group.
  • Default inspection traffic.

In the policy map, you need to specify the actions that will apply to the traffic that is classified in each of the class maps. On the Cisco ASA, you can have one global policy map and one policy map per interface. 

Some of the actions that you can configure are:

  • Perform protocol inspection.
  • Send traffic to the Cisco ASA Firepower services module for additional inspection.
  • Send NetFlow information based on the traffic.
  • Prioritize, shape, or police traffic.
  • Define connection parameters such as TCP sequence number randomization, connection timeouts per traffic class, global timeouts for different protocols, and many more.

The last step is to apply the policy maps with the service policy feature. When a policy is applied to a specific interface, the classification of traffic and the actions apply in both the inbound and outbound directions. In contrast, when a policy is applied globally, it operates only in the inbound direction on all ASA interfaces. 

You need to edit the global policy to apply inspection on nonstandard ports or to add inspections that are not enabled by default. Because ICMP stateful inspection is disabled by default, ICMP traffic sent from the inside network to the outside is allowed, while the return traffic is denied.

Figure: The default behavior on the Cisco ASA appliance for ICMP traffic

As the image above shows, pings from the PC inside the network receive no replies from the server on the internet, because stateful inspection for ICMP is disabled by default. 

To fix that, you must change the rule actions in the default global policy to enable ICMP inspection. The following steps achieve that. 

Step 1: Edit the default global policy on the Cisco ASA appliance

Figure: The default global policy used on the Cisco ASA appliance, with its rule actions applied

Step 2: Enable ICMP protocol inspection in the rule actions

Once it is enabled, the return ICMP traffic (echo reply packets) is allowed by the Cisco ASA appliance because of the ICMP session entry created in the state table.

Figure: Enabling ICMP protocol inspection in the rule actions of the default global policy
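The three MPF components and the ICMP fix above, written out in ASA CLI terms and checked programmatically, as an added example that is not from the original article: the configuration text is a constructed excerpt in running-config syntax, and parse_mpf and inspections are this example's own helper names, not a Cisco API. The script resolves class map to policy map to service policy and reports which protocols the global policy inspects, so an auditor can confirm that inspect icmp is actually present in the active global policy.

```python
# Constructed ASA running-config excerpt (not from a real device): the default
# global policy with "inspect icmp" added (Step 2), plus one interface policy.
ASA_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map WEB-TRAFFIC
 match port tcp eq www
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect icmp
policy-map OUTSIDE-POLICY
 class WEB-TRAFFIC
  police output 1000000
service-policy global_policy global
service-policy OUTSIDE-POLICY interface outside
"""

def parse_mpf(config):
    """Return (class_maps, policy_maps, service_policies): class name -> match
    criteria; policy name -> {class -> actions}; 'global'/interface -> policy."""
    class_maps, policy_maps, service_policies = {}, {}, {}
    cur_cm = cur_pm = cur_cls = None
    for line in filter(str.strip, config.splitlines()):
        tok, indent = line.split(), len(line) - len(line.lstrip(" "))
        if indent == 0:                        # top-level MPF statement
            cur_cm = cur_pm = cur_cls = None
            if tok[0] == "class-map":
                cur_cm = class_maps.setdefault(tok[1], [])
            elif tok[0] == "policy-map":
                cur_pm = policy_maps.setdefault(tok[1], {})
            elif tok[0] == "service-policy":   # NAME global | NAME interface IF
                service_policies["global" if tok[2] == "global" else tok[3]] = tok[1]
        elif indent == 1 and cur_cm is not None and tok[0] == "match":
            cur_cm.append(" ".join(tok[1:]))   # matching criterion of a class map
        elif indent == 1 and cur_pm is not None and tok[0] == "class":
            cur_cls = cur_pm.setdefault(tok[1], [])
        elif indent >= 2 and cur_cls is not None:
            cur_cls.append(" ".join(tok))      # action, e.g. "inspect icmp"
    return class_maps, policy_maps, service_policies

def inspections(config, scope="global"):
    """Protocols inspected by the policy map applied at scope (global/interface)."""
    _, policy_maps, service_policies = parse_mpf(config)
    policy = policy_maps.get(service_policies.get(scope), {})
    return {a.split()[1] for acts in policy.values() for a in acts
            if a.startswith("inspect ")}
```

Deleting the inspect icmp line from the excerpt reproduces the default state the article describes, in which the global policy inspects no ICMP and echo replies are dropped.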

Understanding the Importance of MPF

The MPF configuration tool plays a crucial role in the ASA appliance. 

It simplifies the overall configuration and allows dynamic protocol inspection. In addition, it enables you to apply different actions to specific traffic flows and tune the overall network behavior to the enterprise's requirements. 

Now that you understand the details of MPF, its benefits, and how it is configured, you’ll be better equipped to utilize it in your network.
