SNPA50SL09
Policy Framework
Lesson 9
[Topology diagram: Internet, Site B, Site C; 384 kbps links]
Define matching attributes
asa1(config)# class-map SE
asa1(config-cmap)# match tunnel-group SE
asa1(config-cmap)# match flow ip destination-address
asa1(config-cmap)# exit
asa1(config)# class-map S2S_VOICE
asa1(config-cmap)# match tunnel-group SITE_C
asa1(config-cmap)# match dscp cs5
CSC
Identify traffic to be scanned by using an access list match criterion in a class map.
Use the csc command to:
– Instruct the Cisco ASA CSC SSM to scan traffic specified in the class map.
– Specify how the ASA security appliance should handle matching traffic when the Cisco ASA CSC SSM is not available.
ciscoasa(config-pmap-c)# csc {fail-close | fail-open}
inspect: Keyword to set inspection policy
asa1(config-pmap-c)# help inspect
USAGE:
[no] inspect gtp <gtp_map>
[no] inspect mgcp <mgcp_map>
[no] inspect http <http_map>
[no] inspect snmp <snmp_map>
[no] inspect ftp [strict] [ftp_map]
[no] inspect dcerpc [dcerpc_map]
[no] inspect icmp
[no] inspect icmp error
[no] inspect h323 ras|h225
[no] inspect dns maximum-length <max_pkt_len>
[no] inspect netbios [netbios_map]
[no] inspect pptp |sunrpc | ctiqbe | ils | rsh | rtsp | sip |
skinny | esmtp | sqlnet | xdmcp | tftp | ipsec-pass-thru. . .
IPS
ciscoasa(config-pmap-c)# IPS {inline | promiscuous} {fail-close | fail-open}
[Topology diagram labels: SE T1, Site to Site, Site B, Site C, Internet]
ciscoasa(config)#
set connection {advanced-options tcp_map_name | conn-max conn_max |
  embryonic-conn-max econn_max | per-client-max conn_max |
  per-client-embryonic-max econn_max | random-sequence-number {enable | disable}}
asa1# show running-config policy-map
!
policy-map INSIDE_POLICY
 class OUTBOUND
  csc fail-close
policy-map OUTSIDE_POLICY
 class INTERNET
  ips inline fail-open
 class SE
  police output 56000 10500
 class S2S_VOICE
  priority
. . .
ciscoasa(config)# service-policy policy_map_name {global | interface if_name}
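A complete Modular Policy Framework configuration assembling the pieces from this lesson, added here as an example and not taken from the course slides: class maps select traffic, a policy map binds actions (CSC scanning, IPS, connection limits, policing, priority) to each class, and service-policy activates one policy map per interface. The class and policy names follow the slides where they appear; the OUTBOUND_ACL access list, the inside network 10.1.1.0/24 and the connection-limit values are constructed for illustration.

```cisco
! Added example, not course-slide material. OUTBOUND_ACL, 10.1.1.0/24 and the
! connection-limit values are constructed; the other names come from the lesson.
!
! 1. Class maps: select the traffic each action applies to.
access-list OUTBOUND_ACL extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list OUTBOUND_ACL extended permit tcp 10.1.1.0 255.255.255.0 any eq smtp
class-map OUTBOUND
 match access-list OUTBOUND_ACL
class-map INTERNET
 match any
class-map SE
 match tunnel-group SE
 match flow ip destination-address
class-map S2S_VOICE
 match tunnel-group SITE_C
 match dscp cs5
!
! 2. Policy maps: bind actions to classes. fail-close drops matching traffic
!    rather than passing it unscanned when the security module is unavailable.
policy-map INSIDE_POLICY
 class OUTBOUND
  csc fail-close
  set connection conn-max 10000 embryonic-conn-max 1000
  set connection per-client-embryonic-max 100
  set connection random-sequence-number enable
policy-map OUTSIDE_POLICY
 class INTERNET
  ! fail-open, as on the slide: traffic passes uninspected if the IPS SSM is down.
  ips inline fail-open
 class SE
  police output 56000 10500
 class S2S_VOICE
  priority
!
! 3. Service policies: one policy map per interface, plus at most one global.
service-policy INSIDE_POLICY interface inside
service-policy OUTSIDE_POLICY interface outside
```

After applying, `show service-policy interface outside` reports per-class counters (as in the output below) and the SSM card status, which is the quickest check that the fail-open/fail-close choice is actually in effect.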
Interface outside:
  Service-policy: OUTSIDE_POLICY
    Class-map: INTERNET
      IPS: card-status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
    Class-map: SE
      Output police Interface outside:
        cir 56000 bps, bc 10500 bytes
        conformed 0 packets, 0 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
    Class-map: S2S_VOICE
      Priority:
. . .