Creating A Layer 3/4 Class Map For Through Traffic - Cisco PIX 500 Series Configuration Manual

Chapter 21
Using Modular Policy Framework

Creating a Layer 3/4 Class Map for Through Traffic

A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4
attributes.
To define a Layer 3/4 class map, perform the following steps:
Step 1
Create a Layer 3/4 class map by entering the following command:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
Where class_map_name is a string up to 40 characters in length. The name "class-default" is reserved.
All types of class maps use the same name space, so you cannot reuse a name already used by another
type of class map. The CLI enters class-map configuration mode.
Step 2
(Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3
Define the traffic to include in the class by matching one of the following characteristics. Unless
otherwise specified, you can include only one match command in the class map.
• Any traffic—The class map matches all traffic.
hostname(config-cmap)# match any
• Access list—The class map matches traffic specified by an extended access list. If the security
appliance is operating in transparent firewall mode, you can use an EtherType access list.
hostname(config-cmap)# match access-list access_list_name
For more information about creating access lists, see the "Adding an Extended Access List" section
on page 16-5 or the "Adding an EtherType Access List" section on page 16-8. For information about
creating access lists with NAT, see the "IP Addresses Used for Access Lists When You Use NAT"
section on page 16-3.
• TCP or UDP destination ports—The class map matches a single port or a contiguous range of ports.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
Tip For applications that use multiple, non-contiguous ports, use the match access-list command
and define an ACE to match each port.
For a list of ports you can specify, see the "TCP and UDP Ports" section on page D-11.
For example, enter the following command to match TCP packets on destination port 80 (HTTP):
hostname(config-cmap)# match port tcp eq 80
• Default traffic for inspection—The class map matches the default TCP and UDP ports used by all
applications that the security appliance can inspect.
hostname(config-cmap)# match default-inspection-traffic
See the "Default Inspection Policy" section on page 25-3 for a list of default ports. The security
appliance includes a default global policy that matches the default inspection traffic, and applies
common inspections to the traffic on all interfaces. Not all applications whose ports are included in
the match default-inspection-traffic command are enabled by default in the policy map.
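The following configuration is an added worked example, not text from the manual, that assembles Steps 1 through 3 into complete class maps: one that uses an extended access list to cover an application listening on non-contiguous ports (the case the Tip above points to), one that matches a contiguous destination-port range directly, and the inspection class used by the default global policy. The access-list name WEBAPP_PORTS, the class-map names WEBAPP_CLASS and VOIP_SIGNALING_CLASS, and the port numbers are assumptions chosen for illustration; inspection_default is the class-map name used in the factory default configuration.

```cisco
! Added example; not part of the manual. Names and ports are assumptions.
!
! Step 0 (prerequisite for "match access-list"): an extended ACL with one ACE
! per port, because "match port" accepts only a single port or one contiguous
! range and a class map normally allows only one match command.
access-list WEBAPP_PORTS extended permit tcp any any eq 8080
access-list WEBAPP_PORTS extended permit tcp any any eq 8443
access-list WEBAPP_PORTS extended permit tcp any any eq 9000
!
! Steps 1-3: class map (name up to 40 characters, "class-default" is reserved),
! optional description, and a single match statement that points at the ACL.
class-map WEBAPP_CLASS
 description Through traffic to the web application (non-contiguous ports)
 match access-list WEBAPP_PORTS
!
! A second class map that matches a contiguous TCP destination-port range
! directly, with no ACL needed.
class-map VOIP_SIGNALING_CLASS
 description SIP and SIP/TLS signaling
 match port tcp range 5060 5061
!
! The class the default global policy relies on: it matches the default
! inspection ports of every application the appliance can inspect.
class-map inspection_default
 match default-inspection-traffic
!
! Verify what was entered before attaching the classes to a policy map.
show running-config class-map
```

Because all class-map types share one name space, a name already used by a Layer 7 (inspection) class map cannot be reused here; choose distinct names and confirm with `show running-config class-map` that each class shows exactly the one match statement you intended.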
