Cisco ASA 5506-X Configuration Manual page 32

Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.
Detailed Steps

Step 1
Command: (Optional) Create an inspection class map.
Purpose: See Identifying Traffic in an Inspection Class Map, page 2-5. Alternatively, you can identify the traffic directly within the policy map.

Step 2
Command: (Optional) Create a regular expression.
Purpose: For policy map types that support regular expressions, see the general operations configuration guide.

Step 3
Command: policy-map type inspect application policy_map_name
Example:
    hostname(config)# policy-map type inspect http http_policy
Purpose: Creates the inspection policy map. See Configure Application Layer Protocol Inspection, page 6-9 for a list of applications that support inspection policy maps.
The policy_map_name argument is the name of the policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.

Step 4
Specify the traffic on which you want to perform actions using one of the following methods:

Command: class class_map_name
Example:
    hostname(config-pmap)# class http_traffic
    hostname(config-pmap-c)#
Purpose: Specifies the inspection class map that you created in the Identifying Traffic in an Inspection Class Map, page 2-5. Not all applications support inspection class maps.

Command: Specify traffic directly in the policy map using one of the match commands described for each application in the inspection chapter.
Example:
    hostname(config-pmap)# match req-resp content-type mismatch
    hostname(config-pmap-c)#
Purpose: If you use a match not command, then any traffic that matches the criterion in the match not command does not have the action applied.
For policy map types that support regular expressions, see the general operations configuration guide.

Step 5
Command: action
Example:
    hostname(config-pmap-c)# drop-connection log
Purpose: Specifies the action you want to perform on the matching traffic. Actions vary depending on the inspection and match type. Common actions include: drop, log, and drop-connection. For the actions available for each match, see the appropriate inspection chapter.

Step 6
Command: parameters
Example:
    hostname(config-pmap)# parameters
    hostname(config-pmap-p)#
Purpose: Configures parameters that affect the inspection engine. The CLI enters parameters configuration mode. For the parameters available for each application, see the appropriate inspection chapter.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 2, Special Actions for Application Inspections (Inspection Policy Map), page 2-4
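The six steps above combined into one HTTP configuration, followed by the Layer 3/4 policy map entry that enables it. This is an added example, not taken from the Cisco guide: the names blocked_uri, http_traffic and http_policy and the regex value are constructed, and global_policy and inspection_default are assumed to be the unmodified ASA default Layer 3/4 policy map and class map.

```cisco
! Added example; object names and the regex value are constructed.

! Step 2: regular expression referenced by the class map.
hostname(config)# regex blocked_uri example\.com

! Step 1: inspection class map. match-all means a request must satisfy
! every match line before the class applies.
hostname(config)# class-map type inspect http match-all http_traffic
hostname(config-cmap)# match request uri regex blocked_uri
hostname(config-cmap)# match request body length gt 1000

! Step 3: inspection policy map. The name must be 40 characters or fewer
! and must not collide with any other policy map of any type.
hostname(config-cmap)# policy-map type inspect http http_policy

! Step 4 (class map method) with its Step 5 action.
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# drop-connection log

! Step 4 (direct match method) with its own Step 5 action.
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# log

! Step 6: parameters that affect the HTTP inspection engine itself.
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action drop-connection log

! Enable the inspection engine in the Layer 3/4 policy map and attach the
! inspection policy map to it. Without this the actions above never run.
hostname(config-pmap-p)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_policy
```

After applying it, `show service-policy inspect http` lists the inspection policy map with per-match counters, which confirms that it is attached and seeing traffic.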