Cisco PIX 500 Series Configuration Manual page 471

Chapter 25 Configuring Application Layer Protocol Inspection
hostname(config-pmap)#
The default policy map is called "global_policy." This policy map includes the default inspections listed
in the
example, to add or delete an inspection, or to identify an additional class map for your actions), then
enter global_policy as the name.
To identify the class map from
Step 4
command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
If you are editing the default policy map, it includes the inspection_default class map. You can edit the
actions for this class by entering inspection_default as the name. To add an additional class map to this
policy map, identify a different name. You can combine multiple class maps in the same policy if desired,
so you can create one class map to match certain traffic, and another to match different traffic. However,
if traffic matches a class map that contains an inspection command, and then matches another class map
that also has an inspection command, only the first matching class is used. For example, SNMP matches
the inspection_default class map.To enable SNMP inspection, enable SNMP inspection for the default
class in
Enable application inspection by entering the following command:
Step 5
hostname(config-pmap-c)# inspect protocol
The protocol is one of the following values:
Table 25-2
Keywords
ctiqbe
dcerpc [map_name]
dns [map_name]
esmtp [map_name]
OL-12172-03
"Default Inspection Policy" section on page
Step 1
Step 5. Do not add another class that matches SNMP.
Protocol Keywords
25-3. If you want to modify the default policy (for
to which you want to assign an action, enter the following
Notes
—
If you added a DCERPC inspection policy map according to
"Configuring a DCERPC Inspection Policy Map for
Additional Inspection Control" section on page
identify the map name in this command.
If you added a DNS inspection policy map according to
"Configuring a DNS Inspection Policy Map for Additional
Inspection Control" section on page
name in this command. The default DNS inspection policy
map name is "preset_dns_map." The default inspection
policy map sets the maximum DNS packet length to 512
bytes.
If you added an ESMTP inspection policy map according to
"Configuring an ESMTP Inspection Policy Map for
Additional Inspection Control" section on page
identify the map name in this command.
Cisco Security Appliance Command Line Configuration Guide
Configuring Application Inspection
25-12,
25-21, identify the map
25-24,
25-7