Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI, page 32-13

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Identifying Traffic (Layer 3/4 Class Maps)

Command: match access-list access_list_name

Example:
hostname(config-cmap)# match access-list udp

Purpose: Matches traffic specified by an extended access list. If the ASA is operating in transparent firewall mode, you can use an EtherType access list.

Command: match port {tcp | udp} {eq port_num | range port_num port_num}

Example:
hostname(config-cmap)# match port tcp eq 80

Purpose: Matches TCP or UDP destination ports, either a single port or a contiguous range of ports.

Tip: For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.

Command: match default-inspection-traffic

Example:
hostname(config-cmap)# match default-inspection-traffic

Purpose: Matches default traffic for inspection: the default TCP and UDP ports used by all applications that the ASA can inspect.

This command, which is used in the default global policy, is a special CLI shortcut that, when used in a policy map, ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map (with the exception of WAAS inspection, which can be configured with other inspections; see the “Incompatibility of Certain Feature Actions” section on page 32-5 for more information about combining actions). Normally, the ASA does not use the port number to determine the inspection applied, thus giving you the flexibility to apply inspections to non-standard ports, for example.

See the “Default Settings” section on page 42-4 for a list of default ports. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.

You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports and protocols in the access list are ignored.

Tip: We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted.

Command: match dscp value1 [value2] [...] [value8]

Example:
hostname(config-cmap)# match dscp af43 cs1 ef

Purpose: Matches DSCP value in an IP header, up to eight DSCP values.
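The following configuration is an added example, not from the Cisco guide, that puts the match commands in this table together: a class map that narrows match default-inspection-traffic to one server subnet with a match access-list (so the ACL's addresses still apply while its ports are ignored, as the Purpose column states), a class map for a contiguous destination port range, and an ACL with one ACE per port for the non-contiguous case described in the Tip. The ACL names, class-map and policy-map names, the 10.1.1.0/24 subnet, the 8000-8010 port range and the interface nameif dmz are all assumed for illustration.

```cisco
! Added example (not from the Cisco guide). All names, addresses, ports and
! the interface nameif are assumed for illustration.
!
! Extended ACL used only to narrow WHERE default inspection applies. When
! combined with match default-inspection-traffic, the ACL's ports and
! protocols are ignored; its source/destination addresses still narrow the match.
access-list DMZ_SERVERS extended permit ip any 10.1.1.0 255.255.255.0
!
! Default inspection ports, limited to the DMZ server subnet. This is the
! one case where several inspections may be applied to a single class.
class-map INSPECT_DMZ
 match default-inspection-traffic
 match access-list DMZ_SERVERS
!
! Contiguous destination port range: a single match port statement suffices.
class-map CUSTOM_APP_PORTS
 match port tcp range 8000 8010
!
! Non-contiguous ports: one ACE per port, matched with match access-list
! (as the Tip advises), instead of multiple match port statements.
access-list SIP_PORTS extended permit tcp any any eq 5060
access-list SIP_PORTS extended permit udp any any eq 5060
access-list SIP_PORTS extended permit tcp any any eq 5061
class-map SIP_TRAFFIC
 match access-list SIP_PORTS
!
! Bind inspections to the classes. Under INSPECT_DMZ, each inspection is
! applied only to packets whose destination port is that application's
! default port (port 21 -> ftp, port 69 -> tftp, and so on).
policy-map DMZ_POLICY
 class INSPECT_DMZ
  inspect ftp
  inspect tftp
  inspect dns
 class CUSTOM_APP_PORTS
  inspect http
 class SIP_TRAFFIC
  inspect sip
!
! Apply the policy to one interface rather than globally, so only the
! expected DMZ traffic is inspected (match any is deliberately avoided).
service-policy DMZ_POLICY interface dmz
```

After applying it, show service-policy interface dmz lists each class with its inspection counters, which is the quickest way to confirm that traffic is landing in the intended class rather than falling through to the default global policy.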
