Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 33 Configuring Special Actions for Application Inspections (Inspection Policy Map)

Defining Actions in an Inspection Policy Map

Examples

The following is an example of an HTTP inspection policy map and the related class maps. The inspection policy map (http-map1) is activated by the Layer 3/4 policy map (test), which in turn is enabled on an interface by the service policy. Note that http-traffic is a match-all class map: a request must satisfy all three of its conditions (content-type mismatch, body longer than 1000 bytes, and a URI that does not match the URLs regex class) before the drop-connection action is applied to it.

hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2

hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs

hostname(config-cmap)# policy-map type inspect http http-map1
hostname(config-pmap)# class http-traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action log

hostname(config-pmap-p)# policy-map test
hostname(config-pmap)# class test (a Layer 3/4 class map not shown)
hostname(config-pmap-c)# inspect http http-map1

hostname(config-pmap-c)# service-policy test interface outside

Step 4

Command:
{[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}

Example:
hostname(config-pmap-c)# drop-connection log

Purpose:
Specifies the action you want to perform on the matching traffic. Not all options are available for each application. Other actions specific to the application might also be available. See the appropriate inspection chapter for the exact options available.

drop—Drops all packets that match.
send-protocol-error—Sends a protocol error message.
drop-connection—Drops the packet and closes the connection.
mask—Masks out the matching portion of the packet.
reset—Drops the packet, closes the connection, and sends a TCP reset to the server and/or client.
log—Sends a system log message. You can use log alone or with one of the other keywords.
rate-limit message_rate—Limits the rate of messages.

Step 5

Command:
parameters

Example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#

Purpose:
Configures parameters that affect the inspection engine. The CLI enters parameters configuration mode. For the parameters available for each application, see the appropriate inspection chapter.
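The following is an added example, not taken from the Cisco guide, that walks Steps 4 and 5 end to end and supplies the part the guide's own example leaves out: the Layer 3/4 class map that selects the TCP port, and a show command to confirm the policy is attached. It also contrasts a match-any class (any one condition triggers the action) with the match-all class used above, and shows the log-only action, which is the usual way to stage a new inspection rule in detect mode before switching it to drop-connection. All names used here (http-violations, http-large-post, http-map2, http-ports, inside-policy) and the interface name inside are assumptions chosen for illustration; the match criteria, action keywords and show command are standard ASA HTTP inspection syntax.

```cisco
! Layer 7 class maps. match-any fires when ANY listed condition holds,
! unlike the match-all class in the guide's example, which needs all of them.
hostname(config)# class-map type inspect http match-any http-violations
hostname(config-cmap)# match request uri length gt 2048
hostname(config-cmap)# match request header length gt 4096
hostname(config-cmap)# match request method connect
! A second class that will only be logged (detect mode), not enforced.
hostname(config-cmap)# class-map type inspect http match-all http-large-post
hostname(config-cmap)# match request method post
hostname(config-cmap)# match request body length gt 65536

! Inspection policy map (Step 4 actions, Step 5 parameters).
hostname(config-cmap)# policy-map type inspect http http-map2
hostname(config-pmap)# class http-violations
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# class http-large-post
hostname(config-pmap-c)# log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action drop-connection log

! Layer 3/4 class map and policy map: the piece "not shown" in the guide.
! Only flows to TCP port 80 are handed to the HTTP inspection engine.
hostname(config-pmap-p)# class-map http-ports
hostname(config-cmap)# match port tcp eq www
hostname(config-cmap)# policy-map inside-policy
hostname(config-pmap)# class http-ports
hostname(config-pmap-c)# inspect http http-map2

! Activate on the chosen interface (assumed name: inside).
hostname(config-pmap-c)# service-policy inside-policy interface inside

! Verify: confirms the policy is applied and shows per-action counters.
hostname(config)# show service-policy inspect http
```

Once the http-large-post class has produced enough syslog messages to show it matches only what was intended, change its action from log to drop-connection log; leaving a class on log alone gives visibility but blocks nothing.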
