Apply Actions To An Interface (Service Policy) - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 11
Service Policy Using the Modular Policy Framework
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout idle 0:10:0
The following example shows how traffic matches the first class map that applies to it, and does not match any
subsequent class map that specifies actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout idle 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout idle 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is
initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match
class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the ASA does
not make this match because they previously matched other classes.

Apply Actions to an Interface (Service Policy)

To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or
that applies it globally to all interfaces. Use the following command:
service-policy policy_map_name {global | interface interface_name} [fail-close]

Where:

- policy_map_name is the name of the policy map.
- global creates a service policy that applies to all interfaces that do not have a specific policy. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. The default service policy includes the following command: service-policy global_policy global.
- interface interface_name creates a service policy by associating a policy map with an interface.
- fail-close generates syslog 767001 for IPv6 traffic that is dropped by application inspections that do not support IPv6 traffic. By default, these syslogs are not generated.
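As an added example (not code from the Cisco guide), the following Python model reproduces two behaviours described above: the first-match-per-feature-domain rule of the global_policy example, and the rule that a global service policy applies only to interfaces that have no policy of their own. The grouping of all `set connection` actions into one "connection" feature domain, and the empty contents of outside_policy, are assumptions of the model.

```python
# Added example: a small model of ASA policy-map class matching and of
# service-policy precedence. Class-map ports and policy-map actions are the
# ones in the guide's example; the feature-domain grouping is an assumption.

# class-map name -> (protocol, lowest port, highest port) from `match port`
CLASS_MAPS = {
    "telnet_traffic": ("tcp", 23, 23),
    "ftp_traffic": ("tcp", 21, 21),
    "tcp_traffic": ("tcp", 1, 65535),
    "udp_traffic": ("udp", 0, 65535),   # defined, but used by no policy map
}

# policy-map global_policy: ordered list of (class, {feature domain: action})
GLOBAL_POLICY = [
    ("telnet_traffic", {"connection": "timeout idle 0:0:0, conn-max 100"}),
    ("ftp_traffic", {"connection": "timeout idle 0:5:0, conn-max 50"}),
    ("tcp_traffic", {"connection": "timeout idle 2:0:0, conn-max 2000"}),
]

# service-policy commands: "global" plus one interface-specific policy.
# outside_policy is an empty placeholder (its classes are not on this page).
SERVICE_POLICIES = {"global": "global_policy", "outside": "outside_policy"}
POLICY_MAPS = {"global_policy": GLOBAL_POLICY, "outside_policy": []}


def class_matches(class_name, proto, dport):
    """True if the class-map's `match port` rule covers this flow."""
    cproto, lo, hi = CLASS_MAPS[class_name]
    return proto == cproto and lo <= dport <= hi


def apply_policy(policy, proto, dport):
    """Walk the policy map in order. The first matching class claims a
    feature domain; later classes in the same domain are ignored."""
    applied = {}
    for class_name, actions in policy:
        if not class_matches(class_name, proto, dport):
            continue
        for domain, action in actions.items():
            applied.setdefault(domain, (class_name, action))  # first match wins
    return applied


def policy_for_interface(ifname):
    """Interface-specific service policy if one exists, else the global one."""
    return POLICY_MAPS[SERVICE_POLICIES.get(ifname, SERVICE_POLICIES["global"])]


def classify(ifname, proto, dport):
    """Actions the ASA would apply to a flow arriving on ifname."""
    return apply_policy(policy_for_interface(ifname), proto, dport)
```

A Telnet flow on an interface without its own policy therefore gets the telnet_traffic limits (idle 0:0:0, conn-max 100) rather than the tcp_traffic ones, and the same flow on "outside" gets nothing from global_policy because outside_policy replaces it there.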
Cisco ASA Series Firewall CLI Configuration Guide
Configure Service Policies
11-17
