ASA Management Traffic Inspection

Not sure if I am doing something wrong, but I can't seem to configure RADIUS accounting inspection. It doesn't show up in the context-sensitive help, nor is the command accepted.

ASA2(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
  ctiqbe          
  dcerpc          
  dns             
  esmtp           
  ftp             
  h323            
  http            
  icmp            
  ils             
  im              
  ip-options      
  ipsec-pass-thru 
  ipv6            
  mgcp            
  mmp             
  netbios         
  pptp            
  rsh             
  rtsp            
  sip             
  skinny          
  snmp            
  sqlnet          
  sunrpc          
  tftp            
  waas            
  xdmcp

ASA2(config-pmap-c)# inspect radius-accounting RADIUS_PM
                              ^
ERROR: % Invalid input detected at '^' marker.

-----CURRENT CONFIG-----

ASA2(config-pmap-c)# show run class
!
class-map RADIUS_CM
 match port udp eq radius-acct
class-map BGP
 match port tcp eq bgp
class-map inspection_default
 match default-inspection-traffic
!
ASA2(config-pmap-c)# show run policy
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class BGP
  set connection random-sequence-number disable
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
 class RADIUS_CM
policy-map type inspect radius-accounting RADIUS_PM
 parameters
  send response
  validate-attribute 26
  host 172.16.10.100 key *****

The configuration in the lab cites the following config:

policy-map global_policy

Am I missing something or is this not possible?

I did find some documentation that seems to show a policy-map type management. However, that also doesn't seem to work in 8.2, 8.4 or 8.6.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/inspect_mgmt.html#wp1504796

Comments

  • Hi,

    You need to use a "type management class-map" to have the inspect option available. Thus, replace "class-map RADIUS_CM / match port udp eq radius-acct" with "class-map type management RADIUS_CM / match port udp eq radius-acct".

    Regards,

    Cristian.
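
    The complete corrected configuration that follows from this comment, added here as an example and not copied from the thread or from Cisco documentation. It reuses the class, policy and host address from the original post; the shared secret is a placeholder, and the final `service-policy` line assumes the policy is applied globally (the ASA default), which the post does not show.

```cisco
! Added example, not from the original thread.
! RADIUS accounting inspection is a management-traffic inspection, so the
! "inspect radius-accounting" keyword is only offered under a class of
! type management. The existing Layer 3/4 class RADIUS_CM (and its
! reference under global_policy) must be removed before it is recreated
! with the new type, because a class-map's type cannot be changed in place.
policy-map global_policy
 no class RADIUS_CM
!
no class-map RADIUS_CM
!
! Management class map matching the RADIUS accounting port (UDP/1813).
class-map type management RADIUS_CM
 match port udp eq radius-acct
!
! Inspection policy from the original post, unchanged apart from the
! placeholder secret. "send response" lets the ASA answer the accounting
! request itself; "validate-attribute 26" checks the vendor-specific
! attribute; "host" names the accounting server whose messages are trusted.
policy-map type inspect radius-accounting RADIUS_PM
 parameters
  send response
  validate-attribute 26
  host 172.16.10.100 key <shared-secret>
!
! Attach the inspection under the management class inside the existing
! global policy; the other classes (BGP, inspection_default) stay as-is.
policy-map global_policy
 class RADIUS_CM
  inspect radius-accounting RADIUS_PM
!
! Assumed: global_policy is applied globally.
service-policy global_policy global
```

    Afterwards, `show run class-map` should list RADIUS_CM with the `type management` keyword, and `show service-policy inspect radius-accounting` shows the inspection attached to the class together with its packet counters.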
