Create A Layer 3/4 Class Map For Management Traffic - Cisco ASA Series Configuration Manual

Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs Also See for ASA Series:
Table of Contents

Advertisement

Chapter 11
Service Policy Using the Modular Policy Framework
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo

Create a Layer 3/4 Class Map for Management Traffic

For management traffic to the ASA, you might want to perform actions specific to this kind of traffic.
You can specify a management class map that can match an ACL or TCP or UDP ports. The types of
actions available for a management class map in the policy map are specialized for management traffic.
See
Procedure
Create a management class map, where class_map_name is a string up to 40 characters in length.
Step 1
class-map type management class_map_name
The name "class-default" is reserved. All types of class maps use the same name space, so you cannot
reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Example:
hostname(config)# class-map management all_udp
(Optional) Add a description to the class map.
Step 2
description string
Example:
hostname(config-cmap)# description All UDP traffic
Match traffic using one of the following commands.
Step 3
Features Configured with Service Policies, page
match access-list access_list_name—Matches traffic specified by an extended ACL. If the ASA is
operating in transparent firewall mode, you can use an EtherType ACL.
hostname(config-cmap)# match access-list udp
match port {tcp | udp} {eq port_num | range port_num port_num}—Matches TCP or UDP
destination ports, either a single port or a contiguous range of ports. For applications that use
multiple, non-contiguous ports, use the match access-list command and define an ACE to match
each port.
hostname(config-cmap)# match tcp eq 80
11-4.
Cisco ASA Series Firewall CLI Configuration Guide
Configure Service Policies
11-15

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents