Modular Policy Framework Examples
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example (see Figure 20-2), any HTTP connection destined for Server A (TCP traffic on port 80)
that enters the FWSM through the outside interface is classified for HTTP inspection and maximum
connection limits.
Any HTTP connection destined for Server B that enters the FWSM through the inside interface is
classified for HTTP inspection.
Figure 20-2 HTTP Inspection and Connection Limits to Specific Servers
[Figure: the FWSM with its inside and outside interfaces; Server A (192.168.1.1), Host B, Host A (10.1.1.1) and Server B (10.1.1.2); port 80 traffic to each server is marked "insp." (HTTP inspection), and the Server A policy is additionally marked "set conns" (connection limits).]
See the following commands for this example:
hostname(config)# access-list serverA extended permit tcp any host 192.168.1.1 eq 80
hostname(config)# access-list serverB extended permit tcp any host 10.1.1.2 eq 80
hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB
hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http http_map_serverA
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http http_map_serverB
hostname(config)# service-policy policy_serverB interface inside
hostname(config)# service-policy policy_serverA interface outside
The HTTP maps http_map_serverA and http_map_serverB referenced by the inspect http commands are configured separately and are not shown here. Each service policy acts only on connections that enter the FWSM through the interface it is applied to, so the conn-max limit of 100 for Server A is enforced only for HTTP connections arriving on the outside interface; HTTP to Server A that enters through the inside interface is not matched by either policy.
Applying Inspection to HTTP Traffic with NAT
In this example, the Host on the inside network has two addresses: one is the real IP address 10.1.1.1,
and the other is a mapped IP address used on the outside network, 209.165.200.225 (see Figure 20-3).
Because the policy is applied to the inside interface, where the real address is used, you must use
the real IP address in the access list in the class map. If you applied it to the outside interface, you would
use the mapped address. A class map that names the mapped address on the inside interface (or the real address on the outside interface) never matches, so the traffic silently receives no inspection.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, Chapter 20 Using Modular Policy Framework, OL-20748-01
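The classification behaviour of both examples above (the per-server HTTP inspection with a connection limit, and the real-versus-mapped address rule under NAT), as an added Python model that is not FWSM or Cisco code. The ACL entries, class maps, policy maps and service-policy bindings mirror the page; the connection counter that enforces conn-max, the peer addresses 203.0.113.5 and 198.51.100.10, and the NAT example's class name http_host and map name http_map_host are constructed assumptions for the illustration.

```python
"""Model of FWSM Modular Policy Framework classification (added example, not FWSM code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """A new TCP connection as its first packet appears on the ingress interface."""
    ingress: str   # interface the first packet arrives on
    src: str       # source address as seen on that interface
    dst: str       # destination address as seen on that interface
    dport: int


@dataclass(frozen=True)
class Ace:
    """One 'access-list X extended permit tcp <src> <dst> eq <port>' entry."""
    src: str                 # "any" or a host address
    dst: str                 # "any" or a host address
    dport: Optional[int]     # None means any port

    def matches(self, c: Conn) -> bool:
        return ((self.src == "any" or self.src == c.src)
                and (self.dst == "any" or self.dst == c.dst)
                and (self.dport is None or self.dport == c.dport))


@dataclass
class ClassEntry:
    """A class in a policy-map: the class-map's ACL plus the actions under it."""
    name: str
    acl: tuple                           # class-map ... match access-list <acl>
    inspect_http: Optional[str] = None   # inspect http <http-map name>
    conn_max: Optional[int] = None       # set connection conn-max N

    def matches(self, c: Conn) -> bool:
        return any(a.matches(c) for a in self.acl)


class Fwsm:
    def __init__(self):
        self.service_policy = {}   # interface -> classes of the policy-map bound to it
        self.active = {}           # class name -> connections admitted (assumed counter)

    def service_policy_on(self, interface: str, classes) -> None:
        """service-policy <policy-map> interface <interface>"""
        self.service_policy[interface] = list(classes)

    def classify(self, c: Conn) -> dict:
        """Only the policy bound to the ingress interface is consulted, and the
        first class whose ACL matches supplies the actions."""
        for cls in self.service_policy.get(c.ingress, []):
            if cls.matches(c):
                return {"class": cls.name, "inspect_http": cls.inspect_http,
                        "conn_max": cls.conn_max}
        return {"class": None, "inspect_http": None, "conn_max": None}

    def admit(self, c: Conn) -> bool:
        """Enforce conn-max for the matched class; True if the connection is allowed."""
        act = self.classify(c)
        if act["class"] is None or act["conn_max"] is None:
            return True
        n = self.active.get(act["class"], 0)
        if n >= act["conn_max"]:
            return False
        self.active[act["class"]] = n + 1
        return True


def build_example_fwsm() -> Fwsm:
    """The page's first example: policy_serverA on outside, policy_serverB on inside."""
    fw = Fwsm()
    http_server_a = ClassEntry("http_serverA", (Ace("any", "192.168.1.1", 80),),
                               inspect_http="http_map_serverA", conn_max=100)
    http_server_b = ClassEntry("http_serverB", (Ace("any", "10.1.1.2", 80),),
                               inspect_http="http_map_serverB")
    fw.service_policy_on("outside", [http_server_a])   # policy_serverA
    fw.service_policy_on("inside", [http_server_b])    # policy_serverB
    return fw


def nat_example_matches(interface: str, acl_host: str) -> bool:
    """The page's NAT example: the host is 10.1.1.1 (real, inside) and 209.165.200.225
    (mapped, outside).  Bind a class keyed on `acl_host` to `interface` and report
    whether it classifies the host's HTTP traffic there.  Peer addresses are constructed."""
    fw = Fwsm()
    if interface == "inside":
        # outbound: the inside policy sees the host's real source address
        cls = ClassEntry("http_host", (Ace(acl_host, "any", 80),), inspect_http="http_map_host")
        conn = Conn("inside", "10.1.1.1", "198.51.100.10", 80)
    else:
        # inbound: the outside policy sees the host's mapped destination address
        cls = ClassEntry("http_host", (Ace("any", acl_host, 80),), inspect_http="http_map_host")
        conn = Conn("outside", "203.0.113.5", "209.165.200.225", 80)
    fw.service_policy_on(interface, [cls])
    return fw.classify(conn)["class"] == "http_host"


if __name__ == "__main__":
    fw = build_example_fwsm()
    print(fw.classify(Conn("outside", "203.0.113.5", "192.168.1.1", 80)))
    print(fw.classify(Conn("inside", "10.1.1.1", "10.1.1.2", 80)))
    print(nat_example_matches("inside", "10.1.1.1"), nat_example_matches("inside", "209.165.200.225"))
```

The model keeps the one property the page stresses: a policy is consulted only for connections arriving on the interface it is bound to, and it matches the addresses as they appear on that interface, so an ACL written with the wrong side of a NAT translation matches nothing and the traffic bypasses inspection without any error.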