Cisco ASA 5505 Configuration Manual page 603

Asa 5500 series

Chapter 29: Configuring a Service Policy
Information About Service Policies
Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01)

Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.

For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or exits, depending on the feature) the interface to which you apply the policy map is affected. See Table 29-2 for the directionality of each feature.

Table 29-2 Feature Directionality

| Feature | Single Interface Direction | Global Direction |
|---|---|---|
| Application inspection (multiple types) | Bidirectional | Ingress |
| CSC | Bidirectional | Ingress |
| IPS | Bidirectional | Ingress |
| NetFlow Secure Event Logging filtering | N/A | Ingress |
| QoS input policing | Ingress | Ingress |
| QoS output policing | Egress | Egress |
| QoS standard priority queue | Egress | Egress |
| QoS traffic shaping, hierarchical priority queue | Egress | Egress |
| TCP and UDP connection limits and timeouts, and TCP sequence number randomization | Bidirectional | Ingress |
| TCP normalization | Bidirectional | Ingress |
| TCP state bypass | Bidirectional | Ingress |

Feature Matching Within a Service Policy

See the following information for how a packet matches rules in a policy for a given interface:

1. A packet can match only one rule for an interface for each feature type.
2. When the packet matches a rule for a feature type, the adaptive security appliance does not attempt to match it to any subsequent rules for that feature type.
3. If the packet matches a subsequent rule for a different feature type, however, then the adaptive security appliance also applies the actions for the subsequent rule, if supported. See the "Incompatibility of Certain Feature Actions" section on page 29-5 for more information about unsupported combinations.

For example, if a packet matches a rule for connection limits, and also matches a rule for application inspection, then both actions are applied.

If a packet matches a rule for HTTP inspection, but also matches another rule that includes HTTP inspection, then the second rule actions are not applied.

Note: Application inspection includes multiple inspection types, and each inspection type is a separate feature when you consider the matching guidelines above.
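The matching guidelines under "Feature Matching Within a Service Policy", as an added Python model that is not part of the Cisco guide. Rule names, feature labels and packet fields are constructed, and the model assumes claims are tracked per feature type; it also reports later rules whose feature type was already claimed, which is how an inspection rule can sit in a policy without ever being applied.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]  # traffic-class predicate over a packet dict
    features: tuple                  # feature types this rule applies


def evaluate(rules, packet):
    """Apply the three matching guidelines to one interface's ordered rules.

    Returns (applied, shadowed):
      applied  - {feature_type: rule_name}, first matching rule per feature type
      shadowed - [(rule_name, feature_type)] for later matches that are ignored
    Assumption of this model: claims are tracked per feature type, and
    incompatible feature combinations are not modeled.
    """
    applied, shadowed = {}, []
    for rule in rules:
        if not rule.matches(packet):
            continue
        for feature in rule.features:
            if feature in applied:
                shadowed.append((rule.name, feature))  # guidelines 1 and 2
            else:
                applied[feature] = rule.name           # guideline 3
    return applied, shadowed


# Constructed sample policy. Each inspection type is its own feature type.
POLICY = [
    Rule("web-limits", lambda p: p["dport"] == 80, ("conn-limits",)),
    Rule("http-strict", lambda p: p["dport"] == 80, ("inspect:http",)),
    Rule("http-loose", lambda p: p["dport"] in (80, 8080), ("inspect:http",)),
    Rule("ftp-inspect", lambda p: p["dport"] == 21, ("inspect:ftp",)),
]

if __name__ == "__main__":
    for dport in (80, 8080, 21):
        applied, shadowed = evaluate(POLICY, {"proto": "tcp", "dport": dport})
        print(dport, applied, "shadowed:", shadowed)
```

Reordering `http-strict` and `http-loose` in the sample changes which HTTP inspection a port 80 packet receives, so rule order is worth reviewing whenever two rules carry the same feature type.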


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
