Cisco PIX 500 Series Configuration Manual page 405

Chapter 21      Using Modular Policy Framework
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 21-17

Defining Actions Using a Layer 3/4 Policy Map

Step 1   Add the policy map by entering the following command:

hostname(config)# policy-map policy_map_name

The policy_map_name argument is the name of the policy map, up to 40 characters in length. All types of policy maps share the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.

Step 2   (Optional) Specify a description for the policy map:

hostname(config-pmap)# description text

Step 3   Specify a previously configured Layer 3/4 class map using the following command:

hostname(config-pmap)# class class_map_name

where class_map_name is the name of the class map you created earlier. See the "Identifying Traffic Using a Layer 3/4 Class Map" section on page 21-2 to add a class map.

Step 4   Specify one or more actions for this class map.

- IPS. See the "Diverting Traffic to the AIP SSM" section on page 22-8.
- CSC. See the "Diverting Traffic to the CSC SSM" section on page 22-16.
- TCP normalization. See the "Configuring TCP Normalization" section on page 23-11.
- TCP and UDP connection limits and timeouts, and TCP sequence number randomization. See the "Configuring Connection Limits and Timeouts" section on page 23-14.
- QoS policing and QoS priority. See Chapter 24, "Applying QoS Policies."
- Application inspection. See Chapter 25, "Configuring Application Layer Protocol Inspection."

Note   If there is no match default-inspection-traffic command in a class map, then at most one inspect command may be configured under the class.

Step 5   Repeat Step 3 and Step 4 for each class map you want to include in this policy map.

The following is an example of a policy-map command for a connection policy. It limits the number of connections allowed to the web server 10.1.1.1:

hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256

The following example shows how multi-match works in a policy map:

hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
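The following is an added example, not taken from the manual, that carries Steps 1 through 5 through end to end for one policy map with two class maps. It combines the connection-limit class from the first example above with the default inspection class from the second, and shows why the Note matters: the http-server class does not use match default-inspection-traffic, so it gets exactly one inspect command, while inspection_default may carry several. The class map names, the description text, the embryonic-conn-max value of 64 and the closing service-policy command (which applies the policy globally and is not covered on this page) are assumptions of this example.

```cisco
! Added example, not from the manual. Assumed names: http-server, inspection_default,
! global-policy. Target 10.1.1.1 is the web server from the manual's own example.

! Traffic classes (created earlier, per the "Identifying Traffic" section)
hostname(config)# access-list http-server permit tcp any host 10.1.1.1 eq 80
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic

! Step 1 and Step 2: create the policy map and describe it
hostname(config)# policy-map global-policy
hostname(config-pmap)# description Connection limits and inspection for the web server

! Step 3 and Step 4: first class map and its actions.
! conn-max bounds total connections to the server; embryonic-conn-max (assumed
! value 64) bounds half-open TCP connections, the resource a SYN flood exhausts.
! Only one inspect command is allowed here (no match default-inspection-traffic).
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256
hostname(config-pmap-c)# set connection embryonic-conn-max 64
hostname(config-pmap-c)# inspect http

! Step 5: repeat Steps 3 and 4 for the second class map.
! This class matches default-inspection-traffic, so several inspect commands are allowed.
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect ftp
hostname(config-pmap-c)# inspect dns

! Not covered on this page: the policy map has no effect until it is applied.
! Applied globally here, so it acts on every interface.
hostname(config)# service-policy global-policy global
```

A packet to 10.1.1.1 on port 80 matches both class maps, but each feature type (connection limits, HTTP inspection) is applied to it only once, which is the multi-match behaviour the second example in the manual introduces. To confirm what the appliance actually installed, compare the output of show running-config policy-map against the intended limits before relying on them for the web server.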
