Define Actions (Layer 3/4 Policy Map) - Cisco ASA Series Configuration Manual

Configure Service Policies

Define Actions (Layer 3/4 Policy Map)

After you configure Layer 3/4 class maps to identify traffic, use a Layer 3/4 policy map to associate
actions with those classes.

Tip: The maximum number of policy maps is 64, but you can only apply one policy map per interface.

Procedure

Step 1  Add the policy map: policy-map policy_map_name
Where the policy_map_name argument is the name of the policy map, up to 40 characters in length. All types
of policy maps use the same name space, so you cannot reuse a name already used by another type of
policy map. The CLI enters policy-map configuration mode.
Example:
hostname(config)# policy-map global_policy

Step 2  Specify a previously configured Layer 3/4 class map: class class_map_name
Where class_map_name is the name of the class map. See Identify Traffic (Layer 3/4 Class Maps), page 11-13,
to add a class map.
Example:
hostname(config-pmap)# class all-http

Step 3  Specify one or more actions for this class map. See Features Configured with Service Policies, page 11-4.
Note: If there is no match default-inspection-traffic command in a class map, then at most one
inspect command is allowed to be configured under the class.

Step 4  Repeat the process for each class map you want to include in this policy map.

Examples

The following is an example of a policy-map command for a connection policy. It limits the number of
connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256

The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 11, Service Policy Using the Modular Policy Framework, page 11-16
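As an added check that is not part of the Cisco guide, the following Python script parses a constructed ASA-style configuration fragment and reports two of the limits stated above: the 40-character policy map name limit, and the rule that a class whose class map has no match default-inspection-traffic command may carry only one inspect command. The class and policy map names in the sample configuration are constructed for the demonstration.

```python
# Added example (not from the Cisco guide); the config below is constructed, and bad_policy is deliberately non-compliant.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map http_traffic
 match port tcp eq 80
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
 class http_traffic
  inspect http
policy-map bad_policy
 class http_traffic
  inspect http
  inspect dns
"""

def parse_asa_config(text):
    class_maps, policy_maps = {}, {}   # name -> match lines; name -> {class: action lines}
    cur_cmap = cur_pmap = cur_class = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("class-map "):               # top-level class map
            cur_cmap, cur_pmap, cur_class = line.split()[1], None, None
            class_maps[cur_cmap] = []
        elif line.startswith("policy-map "):            # top-level policy map
            cur_pmap, cur_cmap, cur_class = line.split()[1], None, None
            policy_maps[cur_pmap] = {}
        elif cur_pmap and line.startswith("class "):    # class referenced in a policy map
            cur_class = line.split()[1]
            policy_maps[cur_pmap][cur_class] = []
        elif cur_pmap and cur_class:                    # action under that class
            policy_maps[cur_pmap][cur_class].append(line)
        elif cur_cmap:                                  # match line inside a class map
            class_maps[cur_cmap].append(line)
    return class_maps, policy_maps

def check_policy_maps(text):
    class_maps, policy_maps = parse_asa_config(text)
    findings = []                                       # empty list means compliant
    for pname, classes in policy_maps.items():
        if len(pname) > 40:
            findings.append(f"policy map name longer than 40 characters: {pname}")
        for cname, actions in classes.items():
            inspects = [a for a in actions if a.startswith("inspect ")]
            has_default = "match default-inspection-traffic" in class_maps.get(cname, [])
            if len(inspects) > 1 and not has_default:   # the Note under Step 3
                findings.append(f"{pname}/{cname}: {len(inspects)} inspect commands "
                                "but class map lacks match default-inspection-traffic")
    return findings
```

Running check_policy_maps(SAMPLE_CONFIG) reports only the bad_policy/http_traffic class; global_policy passes because inspection_default matches default-inspection-traffic.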
