Creating A Layer 3/4 Class Map For Management Traffic - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 21
Using Modular Policy Framework

Creating a Layer 3/4 Class Map for Management Traffic

For management traffic to the security appliance, you might want to perform actions specific to this kind
of traffic. You can specify a management class map that can match TCP or UDP ports. The types of
actions available for a management class map in the policy map are specialized for management traffic.
Namely, this type of class map lets you inspect RADIUS accounting traffic.
To create a class map for management traffic to the security appliance, perform the following steps:
Step 1 Create a class map by entering the following command:
hostname(config)# class-map type management class_map_name
hostname(config-cmap)#
where class_map_name is a string up to 40 characters in length. The name "class-default" is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Step 2 (Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3 Define the traffic to include in the class by matching the TCP or UDP port. You can include only one match command in the class map.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
For a list of ports you can specify, see the "TCP and UDP Ports" section on page D-11.
For example, enter the following command to match TCP packets on port 10000:
hostname(config-cmap)# match port tcp eq 10000
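The following configuration carries the three steps through to a working service policy. It is an added example, not configuration from the original page: it matches RADIUS accounting traffic sent to the security appliance on UDP port 1813 with a management class map and then enables the one specialized action this class map type supports, RADIUS accounting inspection. The inspect radius-accounting command and the policy-map type inspect radius-accounting parameters (host, send response, validate-attribute) are taken from the RADIUS accounting inspection section elsewhere in this guide, not from this page; the class and policy map names, the server address 10.1.1.1 and the shared secret are placeholder values.

```cisco
! Added example (not from the page). Names, addresses and the key are placeholders.
!
! Step 1-3: management class map. Only one match command is permitted,
! so one class map covers exactly one port or port range.
class-map type management radius_acct_cmap
  description RADIUS accounting messages addressed to the appliance
  match port udp eq 1813
!
! Inspection policy map for RADIUS accounting (syntax from the RADIUS
! accounting inspection section of this guide; values are placeholders).
! Packets from hosts other than those listed under "host" are not accepted,
! and the key is checked against the Request Authenticator.
policy-map type inspect radius-accounting radius_acct_pmap
  parameters
    host 10.1.1.1 key radius-shared-secret
    send response
    validate-attribute 31
!
! Layer 3/4 policy map: reference the management class map and enable the
! specialized action available for it.
policy-map global_policy
  class radius_acct_cmap
    inspect radius-accounting radius_acct_pmap
!
! Apply globally, or to one interface with
! "service-policy global_policy interface <ifname>".
service-policy global_policy global
```

Two points worth checking after entering this: a management class map only sees traffic whose destination is the appliance itself, so the accounting client must send to an interface address of the appliance, not through it; and show running-config policy-map together with show service-policy confirm that the class is attached and that packets are being counted against it.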
Configuring Special Actions for Application Inspections
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an inspection policy map.
See the "Configuring Application Inspection" section on page 25-5 for a list of applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.
• Traffic matching command—You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the application, such as a URL string, for which you then enable actions.
• Inspection class map—An inspection class map includes traffic matching commands that match application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the policy map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps. Some applications do not support an inspection class map.
• Parameters—Parameters affect the behavior of the inspection engine.
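To make the three elements concrete, here is an added example that is not part of the original page. It uses HTTP inspection, whose match criteria and command syntax are taken from the HTTP application inspection section elsewhere in this guide, not from this page; the regex, class map and policy map names are placeholders. It defines an inspection class map, references that class map from an inspection policy map, adds a traffic matching command directly in the policy map, sets a parameter, and finally enables the inspection engine in the Layer 3/4 policy map so that the actions take effect.

```cisco
! Added example; names are placeholders. The HTTP-specific match commands
! come from the HTTP inspection section of this guide, not from this page.
regex exe_download "\.exe"
!
! Inspection class map: reusable across policy maps, and match-all lets
! several criteria be combined into one condition.
class-map type inspect http match-all http_exe_post
  match request method post
  match request uri regex exe_download
!
policy-map type inspect http http_pmap
  ! Element: inspection class map referenced from the policy map, with an action.
  class http_exe_post
    drop-connection log
  ! Element: traffic matching command written directly in the policy map.
  match req-resp content-type mismatch
    reset log
  ! Element: parameters, which change how the inspection engine itself behaves.
  parameters
    protocol-violation action drop-connection log
!
! Enable the HTTP inspection engine in the Layer 3/4 policy map and attach
! the inspection policy map so its actions apply.
policy-map global_policy
  class inspection_default
    inspect http http_pmap
```

The direct match in the policy map is the only option for applications that, as the text notes, do not support an inspection class map; for those, every criterion is written inside the policy map and cannot be reused elsewhere. Whichever form is used, nothing happens until the inspection policy map is named on an inspect command in a Layer 3/4 policy map that is applied with service-policy.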
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 21-5