
32-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Information About Service Policies

Incompatibility of Certain Feature Actions

Some features are not compatible with each other for the same traffic. The following list may not include
all incompatibilities; for information about compatibility of each feature, see the chapter or section for
your feature:

• You cannot configure QoS priority queueing and QoS policing for the same set of traffic.

• Most inspections should not be combined with another inspection, so the ASA only applies one
inspection if you configure multiple inspections for the same traffic. The only exceptions are listed
in the “Order in Which Multiple Feature Actions are Applied” section on page 32-4.

• You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.

• HTTP inspection is not compatible with the ASA CX.

Note

The match default-inspection-traffic command, which is used in the default global policy, is a special
CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map
ensures that the correct inspection is applied to each packet, based on the destination port of the traffic.
For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection;
when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you
can configure multiple inspections for the same class map. Normally, the ASA does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.

An example of a misconfiguration is if you configure multiple inspections in the same policy map and
do not use the default-inspection-traffic shortcut. In Example 32-1, traffic destined to port 21 is
mistakenly configured for both FTP and HTTP inspection. In Example 32-2, traffic destined to port 80
is mistakenly configured for both FTP and HTTP inspection. In both misconfiguration examples, only
the FTP inspection is applied, because FTP comes before HTTP in the order of inspections applied.

Example 32-1 Misconfiguration for FTP packets: HTTP Inspection Also Configured

class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21   [it should be 80]
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http

Example 32-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured

class-map ftp
 match port tcp eq 80   [it should be 21]
class-map http
 match port tcp eq 80
policy-map test
 class http
  inspect http
 class ftp
  inspect ftp
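A small configuration audit that flags exactly this kind of overlap, added here as an illustration (it is not Cisco code and not part of the guide). It parses the class-map and policy-map lines of Example 32-2, groups the configured inspections by matched port, and reports which inspection the ASA would actually apply. The precedence list covers only FTP before HTTP, as stated on this page; the complete order is an assumption left to the referenced section.

```python
import re
from collections import defaultdict

# Assumption for this example: the page states only that FTP is applied before
# HTTP. The full order is in the "Order in Which Multiple Feature Actions are
# Applied" section and is not reproduced here.
INSPECTION_ORDER = ["ftp", "http"]

# Constructed sample input: the page's Example 32-2 (port 80 matched twice).
SAMPLE_CONFIG = """
class-map ftp
 match port tcp eq 80
class-map http
 match port tcp eq 80
policy-map test
 class http
  inspect http
 class ftp
  inspect ftp
"""

def parse_config(text):
    """Return ({class: (proto, port)}, {class: [inspections]}) from CLI text."""
    class_ports, class_inspects = {}, defaultdict(list)
    current, in_policy = None, False
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(class-map|policy-map) (\S+)", line):
            in_policy = m.group(1) == "policy-map"
            current = None if in_policy else m.group(2)
        elif m := re.fullmatch(r"match port (tcp|udp) eq (\d+)", line):
            class_ports[current] = (m.group(1), int(m.group(2)))
        elif in_policy and (m := re.fullmatch(r"class (\S+)", line)):
            current = m.group(1)
        elif in_policy and (m := re.fullmatch(r"inspect (\S+)", line)):
            class_inspects[current].append(m.group(1))
    return class_ports, dict(class_inspects)

def find_conflicts(text):
    """Map each (proto, port) claimed by several inspections to
    (the one the ASA applies, all configured). Classes with no 'match port'
    line (e.g. match default-inspection-traffic) are skipped on purpose."""
    class_ports, class_inspects = parse_config(text)
    per_port = defaultdict(set)
    for cls, inspections in class_inspects.items():
        if cls in class_ports:
            per_port[class_ports[cls]].update(inspections)
    return {key: (min(insp, key=INSPECTION_ORDER.index), sorted(insp))
            for key, insp in per_port.items() if len(insp) > 1}

if __name__ == "__main__":
    print(find_conflicts(SAMPLE_CONFIG))
```

An empty result means every matched port carries a single inspection; a non-empty one lists the ports where the later inspection in the order is silently never applied.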
