Feature matching for multiple service policies, Licensing requirements for service policies, Guidelines and limitations – Cisco ASA 5505 User Manual


32-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Licensing Requirements for Service Policies

Feature Matching for Multiple Service Policies

For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies
operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that
matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a
policy on another interface; only the first policy is used.

For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.

For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure IPS on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while
the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound,
but will match virtual sensor 2 inbound.
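The two situations described above, written out as an ASA service-policy configuration. This is an added illustration, not configuration taken from the guide; the interface names inside and outside, the class-map and policy-map names, the access-list name and the virtual sensor names vs1 and vs2 are assumptions.

```cisco
! Added example, not from the Cisco configuration guide. Names are assumed.
!
! Scenario 1: HTTP inspection on both interfaces. HTTP is TCP, so it is
! tracked as a flow. A connection from an inside host matches the
! inside-policy on ingress and is inspected there; outside-policy does not
! inspect the same connection again on egress, and the return traffic is not
! inspected by outside-policy on ingress or by inside-policy on egress.
class-map http-traffic
 match port tcp eq www
!
! Scenario 2: IPS on both interfaces with different virtual sensors, and no
! "inspect icmp" anywhere, so ICMP is not tracked as a flow. An outbound ping
! matches inside-policy and is sent to sensor vs1; the echo reply arriving on
! the outside interface is a new, unrelated packet and matches outside-policy,
! so it is sent to sensor vs2 instead.
access-list ips-icmp extended permit icmp any any
class-map icmp-for-ips
 match access-list ips-icmp
!
policy-map inside-policy
 class http-traffic
  inspect http
 class icmp-for-ips
  ips inline fail-open sensor vs1
!
policy-map outside-policy
 class http-traffic
  inspect http
 class icmp-for-ips
  ips inline fail-open sensor vs2
!
service-policy inside-policy interface inside
service-policy outside-policy interface outside
```

To confirm which policy actually handled a connection, compare the per-interface counters from `show service-policy interface inside` and `show service-policy interface outside`: for the HTTP case only the inside-policy counters increase for connections initiated from the inside, while for the non-stateful ICMP case both interfaces show hits, one per direction. Adding `inspect icmp` to a policy would make ICMP stateful and collapse the second case into the first.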

Licensing Requirements for Service Policies

Specific features may have separate license requirements. See the feature chapter for more information.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

Supports IPv6 for the following features:

Application inspection for FTP, HTTP, ICMP, SIP, SMTP, IPsec-pass-thru, and IPv6.

ASA IPS

ASA CX

NetFlow Secure Event Logging filtering

TCP and UDP connection limits and timeouts, TCP sequence number randomization

TCP normalization

TCP state bypass

Model         License Requirement
All models    Base License.
