Cisco ASA Series Configuration Manual page 266

Firewall cli, asa services module, and the adaptive security virtual appliance
Chapter 12 Getting Started with Application Layer Protocol Inspection

Configure Application Layer Protocol Inspection

See Service Policy Using the Modular Policy Framework, page 11-1 for information about service policies in general.

Inspection is enabled by default for some applications. See the Default Inspections and NAT Limitations, page 12-6 section for more information. Use this section to modify your inspection policy.

Procedure

Step 1 Unless you are adding inspection to an existing class map, identify the traffic to which you want to apply inspections in a Layer 3/4 class map, either for through traffic or for management traffic. See Create a Layer 3/4 Class Map for Through Traffic, page 11-13 and Create a Layer 3/4 Class Map for Management Traffic, page 11-15 for detailed information. The management Layer 3/4 class map can be used only with the RADIUS accounting inspection.

There are important implications for the class map that you choose. You can have more than one inspection on the inspection_default class only, and you might want to simply edit the existing global policy that applies the inspection defaults. For detailed information on which class map to choose, see Choosing the Right Traffic Class for Inspection, page 12-14.

Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. The table later in this procedure shows which protocols allow inspection policy maps, with pointers to the instructions on configuring them.

Step 3 Add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic.

hostname(config)# policy-map name
hostname(config-pmap)#

The default policy map is called "global_policy." This policy map includes the default inspections listed in Default Inspections and NAT Limitations, page 12-6. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.

Step 4 Identify the class map to which you want to assign an action.

hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

If you are editing the default policy map, it includes the inspection_default class map. You can edit the actions for this class by entering inspection_default as the name. To add an additional class map to this policy map, identify a different name.

You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used. For example, SNMP matches the inspection_default class map. To enable SNMP inspection, enable SNMP inspection for the default class. Do not add another class that matches SNMP.

Step 5 Enable application inspection.

hostname(config-pmap-c)# inspect protocol

The protocol is one of the following values:

Cisco ASA Series Firewall CLI Configuration Guide
12-10
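Steps 1 through 5 of the procedure above, applied end to end as an added configuration example that is not taken from the manual: the class-map name http_8080_traffic and the port 8080 are assumptions, while SNMP is enabled in the default class because the default class already matches it.

```cisco
! Step 1: a Layer 3/4 class map for HTTP on a non-standard port.
! Constructed example; inspection_default already covers TCP/80,
! so a separate class is needed for traffic it does not match.
class-map http_8080_traffic
 match port tcp eq 8080
!
! Step 3: edit the default policy map instead of creating a new one.
policy-map global_policy
 ! Steps 4 and 5: SNMP already matches inspection_default, so enable
 ! it here; a second class matching SNMP would never be reached.
 class inspection_default
  inspect snmp
 ! Steps 4 and 5: an additional class for traffic the default class
 ! does not match, with its own inspection action.
 class http_8080_traffic
  inspect http
!
! The default policy is already applied globally in the factory
! configuration; this line is what makes the edits take effect.
service-policy global_policy global
```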
