Cisco ASA Series CLI Configuration Guide, page 1067

Software version 9.0 for the services module
Chapter 1
Configuring a Service Policy Using the Modular Policy Framework
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list may not include
all incompatibilities; for information about compatibility of each feature, see the chapter or section for
your feature:
• You cannot configure QoS priority queueing and QoS policing for the same set of traffic.
• Most inspections should not be combined with another inspection, so the ASA only applies one
inspection if you configure multiple inspections for the same traffic. HTTP inspection can be
combined with the Cloud Web Security inspection. Other exceptions are listed in the "Order in
Which Multiple Feature Actions are Applied" section on page 1-4.
• You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.
• HTTP inspection is not compatible with the ASA CX.
• The ASA CX is not compatible with Cloud Web Security.

Note
The match default-inspection-traffic command, which is used in the default global policy, is a special
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection;
when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you
can configure multiple inspections for the same class map. Normally, the ASA does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.
This traffic class does not include the default ports for Cloud Web Security inspection (80 and 443).
An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In Example 1-1, traffic destined to port 21 is
mistakenly configured for both FTP and HTTP inspection. In Example 1-2, traffic destined to port 80 is
mistakenly configured for both FTP and HTTP inspection. In both misconfiguration examples,
only the FTP inspection is applied, because FTP comes before HTTP in the order of inspections applied.

Example 1-1 Misconfiguration for FTP packets: HTTP Inspection Also Configured
class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21 [it should be 80]
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http

Example 1-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured
class-map ftp
 match port tcp eq 80 [it should be 21]
class-map http
 match port tcp eq 80
policy-map test
 class http
  inspect http

Information About Service Policies
Cisco ASA Series CLI Configuration Guide
1-5
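As an added check, not part of the guide, the following Python lint reads class-map/policy-map text like the examples above and reports every port that a policy map hands to more than one inspection without the default-inspection-traffic shortcut, ordering the inspections by the FTP-before-HTTP rule stated on this page. The function names, the partial INSPECTION_ORDER list and the embedded sample (a copy of Example 1-1) are this example's own assumptions.

```python
import re
from collections import defaultdict
# FTP is applied before HTTP, the only order this page states; unlisted names sort last.
INSPECTION_ORDER = ["ftp", "http"]

def parse_mpf(config):
    # class_maps: name -> {(proto, port)} or {"default"}; policy_maps: name -> [[class, [inspect]]]
    class_maps, policy_maps = defaultdict(set), defaultdict(list)
    cur_cm = cur_pm = cur_cls = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"class-map (\S+)", line):
            cur_cm, cur_pm, cur_cls = m.group(1), None, None
        elif (m := re.match(r"match port (\S+) eq (\d+)", line)) and cur_cm:
            class_maps[cur_cm].add((m.group(1), int(m.group(2))))
        elif line.startswith("match default-inspection-traffic") and cur_cm:
            class_maps[cur_cm].add("default")
        elif m := re.match(r"policy-map (\S+)", line):
            cur_pm, cur_cm = m.group(1), None
        elif (m := re.match(r"class (\S+)", line)) and cur_pm:
            policy_maps[cur_pm].append(cur_cls := [m.group(1), []])
        elif (m := re.match(r"inspect (\S+)", line)) and cur_cls:
            cur_cls[1].append(m.group(1))
    return class_maps, policy_maps

def find_conflicts(config):
    # (policy_map, proto, port, [inspections in applied order]) per port handed to several
    # inspections without the default-inspection-traffic shortcut; index 0 is the one applied.
    class_maps, policy_maps = parse_mpf(config)
    rank = lambda i: INSPECTION_ORDER.index(i) if i in INSPECTION_ORDER else len(INSPECTION_ORDER)
    findings = []
    for pm, classes in policy_maps.items():
        per_port = defaultdict(set)
        for cls, inspections in classes:
            keys = class_maps.get(cls, set())
            if "default" not in keys:  # the shortcut itself picks one inspection per port
                for key in keys:
                    per_port[key].update(inspections)
        for (proto, port), names in sorted(per_port.items()):
            if len(names) > 1:
                findings.append((pm, proto, port, sorted(names, key=rank)))
    return findings

# Constructed input: the page's Example 1-1, where both class maps match port 21.
EXAMPLE_1_1 = """class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http"""
```

Running find_conflicts(EXAMPLE_1_1) reports tcp/21 under policy-map test with ["ftp", "http"], i.e. only FTP inspection takes effect; correcting the http class map to port 80 clears the finding.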