Cisco ASA Series Configuration Manual page 241

Chapter 11 Service Policy Using the Modular Policy Framework
Most inspections should not be combined with another inspection, so the ASA only applies one
•
inspection if you configure multiple inspections for the same traffic. HTTP inspection can be
combined with the Cloud Web Security inspection. Other exceptions are listed in
Multiple Feature Actions are Applied, page
You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.
•
HTTP inspection is not compatible with ASA CX or ASA FirePOWER.
•
Cloud Web Security is not compatible with ASA CX or ASA FirePOWER.
•
Note The match default-inspection-traffic command, which is used in the default global policy, is a special
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection;
when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you
can configure multiple inspections for the same class map. Normally, the ASA does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.
This traffic class does not include the default ports for Cloud Web Security inspection (80 and 443).
An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In
mistakenly configured for both FTP and HTTP inspection. In
is mistakenly configured for both FTP and HTTP inspection. In both cases of misconfiguration
examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of
inspections applied.
Example 11-1 Misconfiguration for FTP packets: HTTP Inspection Also Configured
class-map ftp
match port tcp eq 21
class-map http
match port tcp eq 21
policy-map test
class ftp
class http
Example 11-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured
class-map ftp
match port tcp eq 80
class-map http
match port tcp eq 80
policy-map test
class ftp
class http
[it should be 80]
inspect ftp
inspect http
[it should be 21]
inspect ftp
inspect http
11-6.
Example 11-1, traffic destined to port 21 is
Example 11-2, traffic destined to port 80
Cisco ASA Series Firewall CLI Configuration Guide
About Service Policies
Order in Which
11-7