Identifying Traffic in an Inspection Class Map – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 33 Configuring Special Actions for Application Inspections (Inspection Policy Map)

Identifying Traffic in an Inspection Class Map


This type of class map allows you to match criteria that are specific to an application. For example, for
DNS traffic, you can match the domain name in a DNS query.

A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a list of
matches (in a match-any class map). The difference between creating a class map and defining the traffic
match directly in the inspection policy map is that the class map lets you group multiple match
commands, and you can reuse class maps. For the traffic that you identify in this class map, you can
specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map.
If you want to perform different actions on different types of traffic, you should identify the traffic
directly in the policy map.

Restrictions

Not all applications support inspection class maps. See the CLI help for class-map type inspect for a
list of supported applications.

Detailed Steps

Step 1 (Optional)

Purpose:
Create a regular expression. See the “Creating a Regular Expression” section on page 13-12 and the
“Creating a Regular Expression Class Map” section on page 13-15.

Step 2

Command:
class-map type inspect application [match-all | match-any] class_map_name

Example:
hostname(config)# class-map type inspect http http_traffic
hostname(config-cmap)#

Purpose:
Creates an inspection class map, where application is the application you want to inspect. For a
list of supported applications, see the CLI help or Chapter 42, “Getting Started with Application
Layer Protocol Inspection.”

The class_map_name argument is the name of the class map, up to 40 characters in length.

The match-all keyword is the default, and specifies that traffic must match all criteria to match
the class map.

The match-any keyword specifies that the traffic matches the class map if it matches at least one
of the criteria.

The CLI enters class-map configuration mode, where you can enter one or more match commands.
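The following configuration is an added example, not taken from the Cisco guide, that contrasts match-all and match-any for the same pair of criteria and then references one class map from an inspection policy map. The names url_example, http_all, http_any and http_policy, the regular expression, and the 1000-byte threshold are constructed for illustration; the match commands shown are HTTP inspection match commands that this page does not list.

```cisco
! Constructed regular expression (Step 1); the pattern is a placeholder.
regex url_example example\.com

! match-all (the default): a request matches this class map only when
! BOTH conditions hold: the URI matches the regex AND the body is
! longer than 1000 bytes.
class-map type inspect http match-all http_all
 match request uri regex url_example
 match request body length gt 1000

! match-any: a request matches this class map when EITHER condition
! holds, so this class map selects a wider set of requests than http_all.
class-map type inspect http match-any http_any
 match request uri regex url_example
 match request body length gt 1000

! The action is set where the class map is referenced in the inspection
! policy map. One class map carries one action for everything it groups;
! traffic that needs a different action is matched directly in the
! policy map instead, as described above.
policy-map type inspect http http_policy
 class http_all
  drop-connection log
```

With http_all, a short request to a matching URI passes through unaffected; swapping in http_any would drop and log it, so review which keyword a reused class map carries before attaching a drop or reset action to it.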
