You want to use ASDM to create an inspection rule that will drop and log SHOUTcast media streams.
Which of the following inspection rules should you configure to achieve your goal? (Select the best answer.)
- H.323 H.225
- H.323 RAS
You should configure a Hypertext Transfer Protocol (HTTP) inspection rule to drop and log SHOUTcast media streams on a Cisco Adaptive Security Appliance (ASA). When HTTP inspection is enabled in a service policy, such as the global service policy, you can opt to use the default inspection rules or you can customize the inspection rules by applying an HTTP inspect map. You can select a custom HTTP inspect map from the Select HTTP Inspect Map dialog box, as shown below:
You can modify the configuration of an HTTP inspect map from the Configuration > Firewall > Objects > Inspect Maps > HTTP pane of Cisco Adaptive Security Device Manager (ASDM). This pane enables you to add, delete, and modify HTTP inspect maps. To modify an existing map, you should first click the Customize button, which opens the Edit HTTP Inspect Map dialog box, as shown in the following exhibit:
You can reset the inspection map to its default security level by clicking the Default Level button, or you can slide the Security Level slider to select a predefined setting. Alternatively, you can click the Details button to expand the Edit HTTP Inspect Map dialog box into a larger window with more options, as shown below:
You can use the Parameters tab of the expanded Edit HTTP Inspect Map dialog box to enable protocol violation checks and to select the actions that the ASA should take if protocol violations are found. You can also use the tab to configure server string spoofing and the maximum body length for HTTP request and response searches. The Inspections tab of the expanded Edit HTTP Inspect Map dialog box displays the details of the inspection map, as shown in the exhibit below:
The Inspections tab displays the inspection rules that apply to the current inspect map. The Match Type column indicates whether traffic must match or not match the criterion specified in the remaining columns. The Criterion column specifies what type of inspection is being performed. If the traffic is being inspected for a value, that value is indicated in the Value column. The Action column indicates what action will be applied to sessions that meet the rules requirements, and the Log column indicates whether the action triggers a system log (syslog) message. If you wanted to add an inspection rule that dropped and logged SHOUTcast media streams, you could click the Add button to open the Add HTTP Inspect dialog box and then select the _default_shoutcasttunnelingprotocol item from the HTTP Traffic Class dropdown list box, as shown in the following exhibit:
The items listed in the dropdown list are class maps that have been defined on the ASA. Names that begin with _default are predefined in the system default configuration and can be referenced directly from ASDM or by the class command in a policy map. The _default_shoutcasttunnelingprotocol class map is a predefined class map that can identify SHOUTcast media streams by their HTTP metadata, as shown in the following exhibit:
You cannot configure H.323 H.225; H.323 Registration, Admission, and Status (RAS); Instant Messaging (IM); or RealTime Streaming Protocol (RTSP) inspection rules to drop and log SHOUTcast media streams on an ASA. SHOUTcast media streams use HTTP, not H.323 or H.225. H.323 H.225 and H.323 RAS inspection rules provide support for International Telecommunication Union (ITU) H.323compliant applications such as Cisco CallManager. IM inspection rules provide the ASA with the ability to enforce security policies for a variety of mainstream IM applications. RTSP inspection rules enable an ASA to process media streams that are commonly produced by RealAudio, Apple QuickTime, and Cisco IP television (IPTV) connections.