Cisco ASA 5506-X Configuration Manual page 138
Chapter 6 Getting Started with Application Layer Protocol Inspection
Cisco ASA Series Firewall CLI Configuration Guide, page 6-10

Configure Application Layer Protocol Inspection

applications. For some applications, you can perform special actions when you enable inspection. See Chapter 1, "Service Policy Using the Modular Policy Framework," for information about service policies in general.

Inspection is enabled by default for some applications. See Default Inspections and NAT Limitations, page 6-6, for more information. Use this section to modify your inspection policy.

Procedure

Step 1 Unless you are adding inspection to an existing class map, identify the traffic to which you want to apply inspections in a Layer 3/4 class map, either for through traffic or for management traffic. See Create a Layer 3/4 Class Map for Through Traffic, page 1-13, and Create a Layer 3/4 Class Map for Management Traffic, page 1-15, for detailed information. The management Layer 3/4 class map can be used only with the RADIUS accounting inspection.

There are important implications for the class map that you choose. You can have more than one inspection on the inspection_default class only, and you might want to simply edit the existing global policy that applies the inspection defaults. For detailed information on which class map to choose, see Choosing the Right Traffic Class for Inspection, page 6-14.

Step 2 (Optional) Some inspection engines let you control additional parameters when you apply the inspection to the traffic. The table later in this procedure shows which protocols allow inspection policy maps, with pointers to the instructions on configuring them.

Step 3 Add or edit a Layer 3/4 policy map that sets the actions to take with the class map traffic.

hostname(config)# policy-map name
hostname(config-pmap)#

The default policy map is called "global_policy." This policy map includes the default inspections listed in Default Inspections and NAT Limitations, page 6-6. If you want to modify the default policy (for example, to add or delete an inspection, or to identify an additional class map for your actions), then enter global_policy as the name.

Step 4 Identify the class map to which you want to assign an action.

hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

If you are editing the default policy map, it includes the inspection_default class map. You can edit the actions for this class by entering inspection_default as the name. To add an additional class map to this policy map, identify a different name.

You can combine multiple class maps in the same policy if desired, so you can create one class map to match certain traffic, and another to match different traffic. However, if traffic matches a class map that contains an inspection command, and then matches another class map that also has an inspection command, only the first matching class is used; the inspection in the later class is silently skipped for that traffic. For example, SNMP matches the inspection_default class map. To enable SNMP inspection, enable SNMP inspection for the default class. Do not add another class that matches SNMP.

Step 5 Enable application inspection.

hostname(config-pmap-c)# inspect protocol

The protocol is one of the following values:
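Steps 1 through 5 carried out end to end, as an added example and not configuration taken from the guide. It follows the route the procedure recommends for a protocol that the default class already matches: SNMP inspection is enabled on inspection_default inside the existing global_policy, and a separate management class map is added for RADIUS accounting, the one inspection a management class map may carry. The class-map names radius-acct-traffic and snmp-traffic and the UDP port 1813 are assumptions; the optional inspection policy map from Step 2 is omitted, and the full list of inspect keywords follows on the next page. Lines beginning with ! are comments that the ASA ignores.

```cisco
! Step 1: class maps. inspection_default already exists in the default
! configuration (match default-inspection-traffic), so it is not redefined.
! The management class map is an assumed name; it matches RADIUS accounting
! on 1813/udp and may only be used with the RADIUS accounting inspection.
class-map type management radius-acct-traffic
 match port udp eq 1813
!
! Step 3: edit the default policy map instead of creating a new one, so the
! existing default inspections stay in place.
policy-map global_policy
 ! Step 4 and 5: SNMP is already matched by inspection_default, so the SNMP
 ! inspection is added to that class.
 class inspection_default
  inspect snmp
 ! Step 4 and 5: a second class for the management traffic, with the one
 ! inspection allowed on a management class map.
 class radius-acct-traffic
  inspect radius-accounting
!
! Wrong: a second class that matches SNMP is never reached for SNMP traffic,
! because inspection_default matched first, so this inspection never runs.
! class-map snmp-traffic
!  match port udp eq snmp
! policy-map global_policy
!  class snmp-traffic
!   inspect snmp
!
! Check: confirm the policy map contents, that global_policy is still applied
! globally, and that the SNMP inspection counters increase under traffic.
show running-config policy-map global_policy
show service-policy global
show service-policy inspect snmp
```

If show service-policy inspect snmp shows no packets after SNMP traffic has crossed the firewall, look for an earlier class in global_policy that matches the same traffic, since only the first matching class with an inspection is used.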
