Cisco ASA 5505 User Manual: Applying Actions to an Interface (Service Policy)



Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 32 Configuring a Service Policy Using the Modular Policy Framework

Applying Actions to an Interface (Service Policy)

The following example shows how traffic matches the first available class map, and will not match any
subsequent class maps that specify actions in the same feature domain:

hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535

hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout idle 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout idle 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000

When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, an FTP connection
matches class ftp_traffic. Any TCP connection other than Telnet or FTP matches class tcp_traffic.
Even though a Telnet or FTP connection could also match class tcp_traffic, the ASA does not make
that match, because the connection has already matched an earlier class in the same feature domain
(connection settings) and the later class is not evaluated for it.

Applying Actions to an Interface (Service Policy)

To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or
that applies it globally to all interfaces.

Restrictions

You can only apply one global policy, so if you want to alter the global policy, you need to either edit
the default policy or disable it and apply a new one. By default, the configuration includes a global policy
that matches all default application inspection traffic and applies inspection to the traffic globally. The
default service policy includes the following command:

service-policy global_policy global
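The following Python model is an added example and is not code from the Cisco guide. It reproduces two rules the guide states on this page: within a policy map, a connection takes the actions of the first class it matches and later classes in the same feature domain are not evaluated for it (so a Telnet connection gets the telnet_traffic settings, never the tcp_traffic ones), and only one global service policy may be applied at a time. The class names and values come from the guide's example; the ClassMap, PolicyMap and ServicePolicyTable types, the reduction of `match port` to a protocol plus destination-port range, and the treatment of `set connection` as a plain dictionary of settings are simplifications of mine, not the ASA's real data structures.

```python
"""Simplified model of ASA Modular Policy Framework class matching (added
example, not from the Cisco guide). Only 'match port' on a destination port
and 'set connection' actions are modelled."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ClassMap:
    name: str
    proto: str   # "tcp" or "udp"
    lo: int      # inclusive destination-port range matched by "match port"
    hi: int

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.lo <= dport <= self.hi


@dataclass
class PolicyMap:
    name: str
    # (class map, connection settings) pairs in the order entered in the policy map
    classes: List[Tuple[ClassMap, Dict[str, str]]] = field(default_factory=list)

    def add_class(self, cmap: ClassMap, **conn_settings: str) -> None:
        self.classes.append((cmap, conn_settings))

    def resolve(self, proto: str, dport: int) -> Optional[Tuple[str, Dict[str, str]]]:
        """Return (class name, actions) of the FIRST matching class, or None.
        Later classes in the same feature domain are never consulted."""
        for cmap, actions in self.classes:
            if cmap.matches(proto, dport):
                return cmap.name, actions
        return None


class ServicePolicyTable:
    """Hypothetical bookkeeping for 'service-policy <pmap> global' and
    'service-policy <pmap> interface <if>' bindings."""

    def __init__(self) -> None:
        self.global_policy: Optional[PolicyMap] = None
        self.interface_policies: Dict[str, PolicyMap] = {}

    def apply_global(self, pmap: PolicyMap) -> None:
        # The guide: only one global policy can be applied at a time.
        if self.global_policy is not None and self.global_policy.name != pmap.name:
            raise ValueError(
                f"global policy {self.global_policy.name!r} is already applied; "
                "remove it (or edit it) before applying another")
        self.global_policy = pmap

    def apply_interface(self, ifname: str, pmap: PolicyMap) -> None:
        self.interface_policies[ifname] = pmap


def build_guide_policy() -> PolicyMap:
    """The guide's global_policy example, rebuilt as model objects.
    udp_traffic is defined in the guide but never placed in the policy map."""
    telnet = ClassMap("telnet_traffic", "tcp", 23, 23)
    ftp = ClassMap("ftp_traffic", "tcp", 21, 21)
    tcp_any = ClassMap("tcp_traffic", "tcp", 1, 65535)
    pmap = PolicyMap("global_policy")
    pmap.add_class(telnet, idle="0:0:0", conn_max="100")
    pmap.add_class(ftp, idle="0:5:0", conn_max="50")
    pmap.add_class(tcp_any, idle="2:0:0", conn_max="2000")
    return pmap


def classify(proto: str, dport: int) -> Optional[str]:
    """Name of the class a new connection lands in under the guide's policy."""
    hit = build_guide_policy().resolve(proto, dport)
    return None if hit is None else hit[0]


def conn_max_for(proto: str, dport: int) -> Optional[int]:
    """The conn-max limit that actually applies to the connection."""
    hit = build_guide_policy().resolve(proto, dport)
    return None if hit is None else int(hit[1]["conn_max"])


def second_global_rejected() -> bool:
    """True if the table refuses a second, different global policy."""
    table = ServicePolicyTable()
    table.apply_global(build_guide_policy())
    try:
        table.apply_global(PolicyMap("other_policy"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for proto, port in (("tcp", 23), ("tcp", 21), ("tcp", 443), ("udp", 53)):
        print(f"{proto}/{port:<5} -> {classify(proto, port)}")
    print("second global policy rejected:", second_global_rejected())
```

Running the block shows tcp/23 resolving to telnet_traffic with conn-max 100 rather than the 2000 of tcp_traffic, tcp/443 falling through to tcp_traffic, and udp/53 matching nothing because udp_traffic was never added to the policy map. Reordering the `add_class` calls so tcp_traffic comes first would silently swallow the Telnet and FTP classes, which is the operational point of the guide's ordering example.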
