Cisco ASA 5505 User Manual

Page 658


32-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Configuration Examples for Modular Policy Framework

hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global

Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

In this example (see Figure 32-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters the ASA through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the access list in the class map, so they are not affected.

Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the access list in the class map, so they are not affected.

Figure 32-3

HTTP Inspection and Connection Limits to Specific Servers

See the following commands for this example:

hostname(config)# object network obj-192.168.1.2
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 209.165.201.1
hostname(config)# object network obj-192.168.1.0
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 209.165.201.2
hostname(config)# access-list serverA extended permit tcp any host 209.165.201.1 eq 80
hostname(config)# access-list serverB extended permit tcp any host 209.165.200.227 eq 80
hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB
hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http
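The classification the text describes can be checked offline. The following added example (not from the Cisco guide) parses the MPF part of the configuration above, reports class maps whose access-list reference resolves to no defined ACL (ASA access-list names are case-sensitive, so a stray capital letter silently classifies nothing), and returns the actions a new flow would receive on a given ingress interface. The two service-policy bindings (policy_serverA on outside, policy_serverB on inside) are assumed from the text, since this page ends before they appear.

```python
# Constructed sample: MPF part of the example plus two assumed service-policy bindings.
ASA_CONFIG = """\
access-list serverA extended permit tcp any host 209.165.201.1 eq 80
access-list serverB extended permit tcp any host 209.165.200.227 eq 80
class-map http_serverA
 match access-list serverA
class-map http_serverB
 match access-list serverB
policy-map policy_serverA
 class http_serverA
  inspect http
  set connection conn-max 100
policy-map policy_serverB
 class http_serverB
  inspect http
service-policy policy_serverA interface outside
service-policy policy_serverB interface inside
"""

def parse(text):
    acls, cmaps, pmaps, binds, cur = {}, {}, {}, {}, ("", "")
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "access-list":  # only 'permit tcp any host X eq N' is modelled
            acls.setdefault(w[1], []).append((w[7], int(w[9])))
        elif w[0] == "class-map":
            cur, cmaps[w[1]] = ("c", w[1]), None
        elif w[0] == "policy-map":
            cur, pmaps[w[1]] = ("p", w[1]), []
        elif w[0] == "service-policy":
            binds["global" if w[2] == "global" else w[3]] = w[1]
        elif cur[0] == "c" and w[0] == "match":
            cmaps[cur[1]] = w[2]
        elif cur[0] == "p" and w[0] == "class":
            pmaps[cur[1]].append((w[1], []))
        elif cur[0] == "p":  # action line under the current class
            pmaps[cur[1]][-1][1].append(" ".join(w))
    return acls, cmaps, pmaps, binds

def unresolved_acls(cfg):
    """Class maps whose 'match access-list' names no defined ACL (names are case-sensitive)."""
    return sorted(c for c, a in cfg[1].items() if a not in cfg[0])

def classify(cfg, ingress, dst_ip, dst_port):
    """Actions for a new TCP flow entering 'ingress' (simplified: interface policy, then global)."""
    acls, cmaps, pmaps, binds = cfg
    for pmap in (binds.get(ingress), binds.get("global")):
        for cname, actions in pmaps.get(pmap, []):
            if (dst_ip, dst_port) in acls.get(cmaps.get(cname), []):
                return actions
    return []
```

The flow is matched on the destination address as written in the access list; a real ASA also applies global-policy actions that the interface policy does not set, which this simplification omits.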

[Figure 32-3: the security appliance with inside and outside interfaces. Server A: real address 192.168.1.2, mapped address 209.165.201.1. Host B: real address 192.168.1.1, mapped address 209.165.201.2:port. Host A: 209.165.200.226. Server B: 209.165.200.227. Port 80 traffic to each server is marked "insp." (inspection); Server A traffic is additionally marked "set conns" (connection limits).]
