Cisco 7604 Configuration Guide - Page 382
Configuring Special Actions for Application Inspections (Inspection Policy Map
View all Cisco 7604 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 382 highlights
Configuring Special Actions for Application Inspections (Inspection Policy Map) Chapter 20 Using Modular Policy Framework This command, which is used in the default global policy, is a special CLI shortcut that when used in a policy map, ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the FWSM, then the FWSM applies the TFTP inspection; when TCP traffic for port 21 arrives, then the FWSM applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map (with the exception of WAAS inspection, which can be configured with other inspections. See the "Incompatibility of Certain Feature Actions" section on page 20-17 for more information about combining actions). Normally, the FWSM does not use the port number to determine the inspection applied, thus giving you the flexibility to apply inspections to non-standard ports, for example. See the "Default Inspection Policy" section on page 22-4 for a list of default ports. The FWSM includes a default global policy that matches the default inspection traffic, and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map. You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports or protocols in the access list are ignored. The following is an example for the class-map command: hostname(config)# access-list udp permit udp any any hostname(config)# access-list tcp permit tcp any any hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255 hostname(config)# class-map all_udp hostname(config-cmap)# description "This class-map matches all UDP traffic" hostname(config-cmap)# match access-list udp hostname(config-cmap)# class-map all_tcp hostname(config-cmap)# description "This class-map matches all TCP traffic" hostname(config-cmap)# match access-list tcp hostname(config-cmap)# class-map all_http hostname(config-cmap)# description "This class-map matches all HTTP traffic" hostname(config-cmap)# match port tcp eq http hostname(config-cmap)# class-map to_server hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1" hostname(config-cmap)# match access-list host_foo Configuring Special Actions for Application Inspections (Inspection Policy Map) Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map. When the inspection policy map matches traffic within the Layer 3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited). This section includes the following topics: • Inspection Policy Map Overview, page 20-7 20-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01