Guidelines and limitations, Default inspection policy maps, Defining actions in an inspection policy map – Cisco ASA 5505 User Manual


33-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 33 Configuring Special Actions for Application Inspections (Inspection Policy Map)

Some traffic matching commands can specify regular expressions to match text inside a packet.
Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.

Parameters—Parameters affect the behavior of the inspection engine.

Guidelines and Limitations

HTTP inspection policy maps—If you modify an in-use HTTP inspection policy map (policy-map type inspect http), you must remove and reapply the inspect http map action for the changes to take effect. For example, if you modify the “http-map” inspection policy map, you must remove and re-add the inspect http http-map command in the Layer 3/4 policy:

hostname(config)# policy-map test
hostname(config-pmap)# class http
hostname(config-pmap-c)# no inspect http http-map
hostname(config-pmap-c)# inspect http http-map

All inspection policy maps—If you want to exchange an in-use inspection policy map for a different map name, you must remove the inspect protocol map command and re-add it with the new map. For example:

hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2
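The two guidelines above both come down to knowing every Layer 3/4 class that references a given inspection policy map. The following added example (not from the Cisco guide) parses a constructed `show running-config all policy-map` excerpt, flags inspect actions whose map is undefined, and emits the remove/re-add sequence for a map you have just edited; the config text and map names are assumed sample values.

```python
import re

# Constructed sample of `show running-config all policy-map` output (not taken
# from the manual); the `all` keyword is what makes default maps appear.
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http http-map
policy-map test
 class http
  inspect http http-map
 class sip
  inspect sip sip-map2
 class dns
  inspect dns preset_dns_map
"""

def parse_inspection_maps(config):
    """Return ({map_name: protocol} for every 'policy-map type inspect',
    [(l34_policy, class, protocol, map_name)] for every 'inspect <proto> <map>')."""
    defined, refs, pmap, cls = {}, [], None, None
    for line in config.splitlines():
        if m := re.match(r"policy-map type inspect (\S+) (\S+)", line):
            defined[m[2]] = m[1]          # an inspection policy map
            pmap = None                   # its inner lines are not L3/4 classes
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap, cls = m[1], None        # a Layer 3/4 policy map
        elif pmap and (m := re.match(r" class (\S+)", line)):
            cls = m[1]
        elif pmap and (m := re.match(r"  inspect (\S+) (\S+)", line)):
            refs.append((pmap, cls, m[1], m[2]))
    return defined, refs

def undefined_map_refs(config):
    """Flag inspect actions whose map name is not defined anywhere in the config."""
    defined, refs = parse_inspection_maps(config)
    return [f"{p}/{c}: inspect {proto} {name} references an undefined map"
            for p, c, proto, name in refs if name not in defined]

def reapply_commands(config, map_name):
    """CLI lines that remove and re-add each inspect action using map_name, the
    sequence the guide requires after editing an in-use inspection policy map."""
    _, refs = parse_inspection_maps(config)
    out = []
    for p, c, proto, name in refs:
        if name == map_name:
            out += [f"policy-map {p}", f" class {c}",
                    f"  no inspect {proto} {name}", f"  inspect {proto} {name}"]
    return out
```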

Default Inspection Policy Maps

The default inspection policy map configuration includes the following commands, which set the maximum message length for DNS packets to 512 bytes:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

Note

There are other default inspection policy maps such as policy-map type inspect esmtp _default_esmtp_map. These default policy maps are created implicitly by the command inspect protocol. For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown by using the show running-config all policy-map command.

Defining Actions in an Inspection Policy Map

When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.

Restrictions

You can specify multiple class or match commands in the policy map.