Configure Service Policies - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 11
Service Policy Using the Modular Policy Framework
When used in a policy, this class ensures that the correct inspection is applied to each packet, based on
the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the
ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP
inspection. So in this case only, you can configure multiple inspections for the same class map.
Normally, the ASA does not use the port number to determine which inspection to apply, thus giving you
the flexibility to apply inspections to non-standard ports, for example.
class-map inspection_default
match default-inspection-traffic
Another class map that exists in the default configuration is called class-default, and it matches all
traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to
not perform any actions on all other traffic. You can use the class-default class if desired, rather than
making your own match any class map. In fact, some features are only available for class-default.
class-map class-default
match any
Configure Service Policies
To configure service policies using the Modular Policy Framework, perform the following steps:
Step 1
Identify the traffic on which you want to act by creating Layer 3/4 class maps, as described in
Traffic (Layer 3/4 Class Maps), page
For example, you might want to perform actions on all traffic that passes through the ASA; or you might
only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.
Layer 3/4 Class Map
Optionally, perform additional actions on some inspection traffic.
Step 2
If one of the actions you want to perform is application inspection, and you want to perform additional
actions on some inspection traffic, then create an inspection policy map. The inspection policy map
identifies the traffic and specifies what to do with it.
For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes.
Inspection Class Map/
Match Commands
11-13.
Layer 3/4 Class Map
Inspection Policy Map Actions
Cisco ASA Series Firewall CLI Configuration Guide
Configure Service Policies
Identify
11-11
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
