Incompatibility Of Certain Feature Actions - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 20
Using Modular Policy Framework
Defining Actions (Layer 3/4 Policy Map)

Incompatibility of Certain Feature Actions

Some features are not compatible with each other for the same traffic. For example, you cannot configure
PISA integration and inspections for the same set of traffic. Also, most inspections should not be
combined with another inspection, so the FWSM applies only one inspection if you configure multiple
inspections for the same traffic. In this case, the feature that is applied is the higher-priority feature in
the list in the "Order in Which Multiple Feature Actions are Applied" section on page 20-16.
For information about the compatibility of each feature, see the chapter or section for your feature.
Note: The match default-inspection-traffic command, which is used in the default global policy, is a special
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the FWSM, the FWSM applies the TFTP
inspection; when TCP traffic for port 21 arrives, the FWSM applies the FTP inspection. So in this
case only, you can configure multiple inspections for the same class map. Normally, the FWSM does not
use the port number to determine which inspection is applied, which gives you the flexibility to apply
inspections to non-standard ports, for example.
An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In Example 20-1, traffic destined to port 21 is
mistakenly configured for both FTP and HTTP inspection. In Example 20-2, traffic destined to port 80
is mistakenly configured for both FTP and HTTP inspection. In both misconfiguration
examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of
inspections applied.
Example 20-1 Misconfiguration for FTP Packets: HTTP Inspection Also Configured

class-map ftp
  match port tcp 21
class-map http
  match port tcp 21    [it should be 80]
policy-map test
  class ftp
    inspect ftp
  class http
    inspect http
Example 20-2 Misconfiguration for HTTP Packets: FTP Inspection Also Configured

class-map ftp
  match port tcp 80    [it should be 21]
class-map http
  match port tcp 80
policy-map test
  class http
    inspect http
  class ftp
    inspect ftp
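The following is an added example, not code from the Cisco guide: a small Python lint that parses the subset of FWSM Modular Policy Framework syntax shown above (class-map, match port, match default-inspection-traffic, policy-map, class, inspect), groups the inspect actions configured for each destination port within one policy map, and reports where more than one inspection is configured for the same port without the default-inspection-traffic shortcut, naming the inspection the FWSM actually applies and the ones that are silently ignored. The INSPECTION_ORDER list holds only the relative order the page states (FTP before HTTP); the class and policy names in the constructed sample configs, and the "eq" port syntax accepted in addition to the form printed in the examples, are assumptions.

```python
"""Lint FWSM MPF config for classes in one policy map that overlap on a port yet
carry different inspect actions (the Example 20-1 / 20-2 misconfiguration).
Added example, not Cisco's code; understands only the syntax subset shown on the page."""
from collections import defaultdict

# Relative priority the page states: FTP is applied before HTTP (lower index = higher priority).
# Assumption: other inspections must be appended in the order given by the guide's
# "Order in Which Multiple Feature Actions are Applied" section; unknown names sort last.
INSPECTION_ORDER = ["ftp", "http"]


def priority(name):
    """Rank of an inspection in the applied order; unknown inspections rank after all known ones."""
    return INSPECTION_ORDER.index(name) if name in INSPECTION_ORDER else len(INSPECTION_ORDER)


def parse_mpf(text):
    """Return (class_maps, policy_maps).
    class_maps:  name -> {"ports": {(proto, port), ...}, "default_inspection": bool}
    policy_maps: name -> [(class_name, [inspection, ...]), ...] in configuration order
    """
    class_maps, policy_maps = {}, {}
    cur_class = cur_policy = cur_pclass = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        kw = words[0]
        if kw in ("class-map", "policy-map") and len(words) >= 2 and words[1] == "type":
            # "type inspect" maps are application-layer policies, outside this checker's scope
            cur_class = cur_policy = cur_pclass = None
        elif kw == "class-map" and len(words) >= 2:
            cur_class, cur_policy, cur_pclass = words[1], None, None
            class_maps[cur_class] = {"ports": set(), "default_inspection": False}
        elif kw == "policy-map" and len(words) >= 2:
            cur_policy, cur_class, cur_pclass = words[1], None, None
            policy_maps[cur_policy] = []
        elif kw == "match" and cur_class is not None:
            if words[1:] == ["default-inspection-traffic"]:
                class_maps[cur_class]["default_inspection"] = True
            elif len(words) >= 4 and words[1] == "port" and words[-1].isdigit():
                # accepts "match port tcp 21" as printed on the page and "match port tcp eq 21" (assumed)
                class_maps[cur_class]["ports"].add((words[2], int(words[-1])))
        elif kw == "class" and cur_policy is not None and len(words) >= 2:
            cur_pclass = (words[1], [])
            policy_maps[cur_policy].append(cur_pclass)
        elif kw == "inspect" and cur_pclass is not None and len(words) >= 2:
            cur_pclass[1].append(words[1])
    return class_maps, policy_maps


def find_conflicts(text):
    """Per policy map, collect the inspections configured for each (proto, port) and flag ports
    that receive more than one.  Classes using match default-inspection-traffic are exempt, since
    that shortcut is the one case where several inspections on one class map are correct.
    Returns {policy: {(proto, port): {"applied": name, "ignored": [names...]}}}."""
    class_maps, policy_maps = parse_mpf(text)
    report = {}
    for policy, classes in policy_maps.items():
        per_port = defaultdict(list)
        for cname, inspections in classes:
            cmap = class_maps.get(cname)
            if cmap is None or cmap["default_inspection"]:
                continue
            for key in cmap["ports"]:
                per_port[key].extend(inspections)
        for key, names in per_port.items():
            uniq = sorted(set(names), key=priority)
            if len(uniq) > 1:  # only the highest-priority inspection is actually applied
                report.setdefault(policy, {})[key] = {"applied": uniq[0], "ignored": uniq[1:]}
    return report


def describe(report):
    """Render the conflict report as one line per affected port."""
    lines = []
    for policy, ports in sorted(report.items()):
        for (proto, port), info in sorted(ports.items()):
            lines.append(f"policy-map {policy}: {proto}/{port} applies only '{info['applied']}'; "
                         f"ignored: {', '.join(info['ignored'])}")
    return lines


# Constructed sample configs mirroring Example 20-1 and 20-2, plus the corrected form and the
# default-inspection-traffic shortcut (class/policy names in the last one are assumed).
EXAMPLE_20_1 = "class-map ftp\n match port tcp 21\nclass-map http\n match port tcp 21\n" \
               "policy-map test\n class ftp\n  inspect ftp\n class http\n  inspect http\n"
EXAMPLE_20_2 = "class-map ftp\n match port tcp 80\nclass-map http\n match port tcp 80\n" \
               "policy-map test\n class http\n  inspect http\n class ftp\n  inspect ftp\n"
CORRECTED = "class-map ftp\n match port tcp 21\nclass-map http\n match port tcp 80\n" \
            "policy-map test\n class ftp\n  inspect ftp\n class http\n  inspect http\n"
DEFAULT_SHORTCUT = "class-map inspection_default\n match default-inspection-traffic\n" \
                   "policy-map global_policy\n class inspection_default\n  inspect ftp\n  inspect http\n"

if __name__ == "__main__":
    for label, cfg in [("Example 20-1", EXAMPLE_20_1), ("Example 20-2", EXAMPLE_20_2),
                       ("corrected", CORRECTED), ("default shortcut", DEFAULT_SHORTCUT)]:
        print(label + ":", describe(find_conflicts(cfg)) or ["no overlapping inspections"])
```

Run against a saved "show running-config" excerpt, the report names the port whose second inspection never fires; the corrected configuration and the default global policy both produce an empty report, which is the condition to expect before deploying a policy map that carries several inspect actions.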
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
20-17
