Cisco ASA 5506-X Configuration Manual page 13

Chapter 1 Service Policy Using the Modular Policy Framework
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list might not
include all incompatibilities; for information about compatibility of each feature, see the chapter or
section for the feature:
•
•
•
•
•
The match default-inspection-traffic command, which is used in the default global policy, is a special
Note
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection;
when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you
can configure multiple inspections for the same class map. Normally, the ASA does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.
This traffic class does not include the default ports for Cloud Web Security inspection (80 and 443).
An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In
mistakenly configured for both FTP and HTTP inspection. In
mistakenly configured for both FTP and HTTP inspection. In both cases of misconfiguration examples,
only the FTP inspection is applied, because FTP comes before HTTP in the order of inspections applied.
Example 1-1
class-map ftp
match port tcp eq 21
class-map http
match port tcp eq 21
policy-map test
class ftp
class http
Example 1-2
class-map ftp
match port tcp eq 80
class-map http
match port tcp eq 80
policy-map test
class ftp
You cannot configure QoS priority queuing and QoS policing for the same set of traffic.
Most inspections should not be combined with another inspection, so the ASA only applies one
inspection if you configure multiple inspections for the same traffic. HTTP inspection can be
combined with the Cloud Web Security inspection. Other exceptions are listed in
Multiple Feature Actions are Applied, page
You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.
HTTP inspection is not compatible with ASA CX or ASA FirePOWER.
Cloud Web Security is not compatible with ASA CX or ASA FirePOWER.
Misconfiguration for FTP packets: HTTP Inspection Also Configured
[it should be 80]
inspect ftp
inspect http
Misconfiguration for HTTP packets: FTP Inspection Also Configured
[it should be 21]
1-6.
Example 1-1, traffic destined to port 21 is
Example 1-2, traffic destined to port 80 is
Cisco ASA Series Firewall CLI Configuration Guide
About Service Policies
Order in Which
1-7