Inspection Policy Map Overview; Defining Actions In An Inspection Policy Map - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 20
Using Modular Policy Framework

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01

Configuring Special Actions for Application Inspections (Inspection Policy Map)

Defining Actions in an Inspection Policy Map, page 20-7
Identifying Traffic in an Inspection Class Map, page 20-10
Creating a Regular Expression, page 20-11
Creating a Regular Expression Class Map, page 20-14

Inspection Policy Map Overview

See the "Inspection Engine Overview" section on page 22-2 for a list of applications that support inspection policy maps.

An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.

• Traffic matching command—You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the application, such as a URL string, for which you then enable actions.
  Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.
• Inspection class map—(Not available for all applications. See the CLI help for a list of supported applications.) An inspection class map includes traffic matching commands that match application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the policy map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps.
  Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.
• Parameters—Parameters affect the behavior of the inspection engine.

There are default inspection policy maps such as policy-map type inspect esmtp _default_esmtp_map.

Note: These default policy maps are created implicitly by the command inspect protocol. For example, inspect esmtp implicitly uses the policy map "_default_esmtp_map." All the default policy maps can be shown by using the show running-config all policy-map command.

Defining Actions in an Inspection Policy Map

When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map.

To create an inspection policy map, perform the following steps:

Step 1 (Optional) Create an inspection class map according to the "Identifying Traffic in an Inspection Class Map" section on page 20-10. Alternatively, you can identify the traffic directly within the policy map.

Step 2 To create the inspection policy map, enter the following command:
hostname(config)# policy-map type inspect application policy_map_name
hostname(config-pmap)#
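
The following added example (not part of the Cisco guide) audits the output of show running-config all policy-map and reports which inspection policy map each inspect command in a Layer 3/4 policy map resolves to, so that inspections relying on an implicit default are visible during review. The sample configuration is constructed, and the _default_<protocol>_map naming pattern is an assumption generalized from the _default_esmtp_map name given above.

```python
import re

# Constructed sample of "show running-config all policy-map" output (names made up).
SAMPLE = """\
policy-map type inspect esmtp _default_esmtp_map
 parameters
policy-map type inspect http http-map1
 class http-traffic
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect esmtp
  inspect http http-map1
  inspect ftp
"""

INSPECTION_MAP = re.compile(r"^policy-map type inspect (\S+) (\S+)$")
LAYER34_MAP = re.compile(r"^policy-map (?!type )(\S+)$")
INSPECT_CMD = re.compile(r"^\s+inspect (\S+)(?: (\S+))?$")

def audit(config):
    """Return (layer34_map, protocol, inspection_map, status) per inspect command."""
    lines = config.splitlines()
    # Index every inspection policy map in the dump: name -> application.
    defined = {m.group(2): m.group(1) for m in map(INSPECTION_MAP.match, lines) if m}
    findings, current = [], None
    for line in lines:
        if not line.startswith(" "):  # top-level command: track the Layer 3/4 map
            m = LAYER34_MAP.match(line)
            current = m.group(1) if m else None
            continue
        m = INSPECT_CMD.match(line)
        if not (m and current):
            continue
        proto, name = m.groups()
        if name is None:
            # Assumption: implicit defaults are named _default_<protocol>_map.
            default = f"_default_{proto}_map"
            name = default if default in defined else None
            status = "implicit-default" if name else "no-map-in-dump"
        elif name not in defined:
            status = "undefined-map"
        elif defined[name] != proto:
            status = "wrong-application"
        else:
            status = "custom"
        findings.append((current, proto, name, status))
    return findings
```

Calling audit(SAMPLE) returns one tuple per inspect command; a status of undefined-map or wrong-application points at an inspect command that references a map name missing from the dump or a map created for a different application.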

This manual is also suitable for:

7609-s, 7613, 7606-s, Catalyst 6500 series, 7600 series