Information about inspection policy maps, C h a p t e r – Cisco ASA 5505 User Manual

Page 661

Advertising
background image

C H A P T E R

33-1

Cisco ASA 5500 Series Configuration Guide using the CLI

33

Configuring Special Actions for Application
Inspections (Inspection Policy Map)

Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an inspection policy map. When the inspection policy map matches traffic within the Layer
3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted
upon as specified (for example, dropped or rate-limited).

This chapter includes the following sections:

Information About Inspection Policy Maps, page 33-1

Guidelines and Limitations, page 33-2

Default Inspection Policy Maps, page 33-2

Defining Actions in an Inspection Policy Map, page 33-2

Identifying Traffic in an Inspection Class Map, page 33-6

Where to Go Next, page 33-7

Information About Inspection Policy Maps

See the

“Configuring Application Layer Protocol Inspection” section on page 42-6

for a list of

applications that support inspection policy maps.

An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depends on the application.

Traffic matching command—You can define a traffic matching command directly in the inspection
policy map to match application traffic to criteria specific to the application, such as a URL string,
for which you then enable actions.

Some traffic matching commands can specify regular expressions to match text inside a packet.
Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.

Inspection class map—(Not available for all applications. See the CLI help for a list of supported
applications.) An inspection class map includes traffic matching commands that match application
traffic with criteria specific to the application, such as a URL string. You then identify the class map
in the policy map and enable actions. The difference between creating a class map and defining the
traffic match directly in the inspection policy map is that you can create more complex match criteria
and you can reuse class maps.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals