Cisco ASA 5506-X Configuration Manual page 23

Chapter 1
Service Policy Using the Modular Policy Framework
Step 2
Specify a previously configured Layer 3/4 class map, where the class_map_name is the name of the class map.
class class_map_name
Example:
hostname(config-pmap)# description global policy map
See Identify Traffic (Layer 3/4 Class Maps), page 1-13 to add a class map.
Note
If there is no match default-inspection-traffic command in a class map, then at most one inspect command is allowed to be configured under the class.

Step 3
Specify one or more actions for this class map.
See Features Configured with Service Policies, page 1-4.

Step 4
Repeat the process for each class map you want to include in this policy map.

Examples
The following is an example of a policy-map command for a connection policy. It limits the number of connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256

The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout idle 0:10:0

The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
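The restriction in the Step 2 note (at most one inspect command per class unless the class map contains match default-inspection-traffic) can be checked on a drafted configuration before it is pasted into the device. The Python sketch below is an added example, not part of the Cisco guide; the function name audit_inspect_rule and the second sample configuration are constructed for illustration, and maps declared with the type keyword are skipped as an assumption.

```python
import re

# Strips a leading "hostname(config...)# " prompt, if the line has one.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

def audit_inspect_rule(config_text):
    """Return (policy_map, class_name, inspect_count) for each offending class."""
    # has_default: class map -> has match default-inspection-traffic
    # inspects: (policy map, class) -> number of inspect commands under it
    has_default, inspects = {}, {}
    mode = cmap = pmap = pclass = None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] in ("class-map", "policy-map") and len(words) > 1:
            if "type" in words[1:-1]:
                mode = None                  # assumption: typed maps are out of scope
            elif words[0] == "class-map":
                mode, cmap = "cmap", words[-1]
                has_default.setdefault(cmap, False)
            else:
                mode, pmap, pclass = "pmap", words[-1], None
        elif mode == "cmap" and words[:2] == ["match", "default-inspection-traffic"]:
            has_default[cmap] = True
        elif mode == "pmap" and words[0] == "class" and len(words) > 1:
            pclass = words[1]
            inspects.setdefault((pmap, pclass), 0)
        elif mode == "pmap" and pclass and words[0] == "inspect":
            inspects[(pmap, pclass)] += 1
    # Offending: more than one inspect, class map without default-inspection-traffic.
    return [(pm, cls, n) for (pm, cls), n in inspects.items()
            if n > 1 and not has_default.get(cls, False)]

# Multi-match example from this page: two inspects are allowed under
# inspection_default because it matches default-inspection-traffic.
PAGE_EXAMPLE = """\
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout idle 0:10:0
"""

# Constructed draft: two inspects added under http_traffic, which matches a port only.
CONSTRUCTED_DRAFT = PAGE_EXAMPLE + "inspect http\ninspect sip\n"
```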
Cisco ASA Series Firewall CLI Configuration Guide
Configure Service Policies
1-17
