Cisco ASA Series Cli Configuration Manual page 1075

Software version 9.0 for the services module
Chapter 1
Configuring a Service Policy Using the Modular Policy Framework
Identifying Traffic (Layer 3/4 Class Maps)

Command: match any
Example:
hostname(config-cmap)# match any
Purpose: Matches all traffic.

Command: match access-list access_list_name
Example:
hostname(config-cmap)# match access-list udp
Purpose: Matches traffic specified by an extended access list. If the ASA is operating in transparent firewall mode, you can use an EtherType access list.

Command: match port {tcp | udp} {eq port_num | range port_num port_num}
Example:
hostname(config-cmap)# match port tcp eq 80
Purpose: Matches TCP or UDP destination ports, either a single port or a contiguous range of ports.
Tip: For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.

Command: match default-inspection-traffic
Example:
hostname(config-cmap)# match default-inspection-traffic
Purpose: Matches default traffic for inspection: the default TCP and UDP ports used by all applications that the ASA can inspect.
This command, which is used in the default global policy, is a special CLI shortcut that, when used in a policy map, ensures that the correct inspection is applied to each packet based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map (with the exception of WAAS inspection, which can be configured with other inspections; see the "Incompatibility of Certain Feature Actions" section on page 1-5 for more information about combining actions). Normally, the ASA does not use the port number to determine the inspection applied, which gives you the flexibility to apply inspections to non-standard ports, for example.
See the "Default Settings" section on page 1-4 for a list of default ports. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports and protocols in the access list are ignored.
Tip: We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, ASA performance can be impacted.

Cisco ASA Series CLI Configuration Guide, page 1-13
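The following is an added configuration example, not taken from the Cisco guide, that puts the two class-map techniques above together: an extended access list with one ACE per non-contiguous port (the Tip under match port), and a second class that narrows match default-inspection-traffic to one subnet (where the ports in the access list are ignored). The ACL names, class and policy names, the interface name "outside", the port numbers 8080/8443 and the subnet 10.1.1.0/24 are assumed values chosen for illustration.

```cisco
! Constructed example: HTTP served on three non-contiguous ports.
! match port only takes a single port or one contiguous range, so
! one ACE per port is defined and the class matches the access list.
access-list HTTP_NONSTD extended permit tcp any any eq 80
access-list HTTP_NONSTD extended permit tcp any any eq 8080
access-list HTTP_NONSTD extended permit tcp any any eq 8443
!
class-map HTTP_NONSTD_CLASS
 description HTTP on standard and non-standard ports
 match access-list HTTP_NONSTD
!
! Narrowing the default-inspection shortcut to the DMZ subnet only.
! The ACL is written with "ip" because any port or protocol named in
! it would be ignored; the ports come from match default-inspection-traffic.
access-list DMZ_HOSTS extended permit ip any 10.1.1.0 255.255.255.0
!
class-map DMZ_DEFAULT_INSPECT
 match default-inspection-traffic
 match access-list DMZ_HOSTS
!
! HTTP inspection is applied to the non-standard ports explicitly;
! the DMZ class picks the inspection per packet from the destination port.
policy-map OUTSIDE_POLICY
 class HTTP_NONSTD_CLASS
  inspect http
 class DMZ_DEFAULT_INSPECT
  inspect ftp
  inspect tftp
!
service-policy OUTSIDE_POLICY interface outside
```

Limiting each class to the ports and hosts where the application is actually expected keeps inspection load bounded, in line with the Tip against inspecting all traffic with match any.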