topic Re: ASA Interface/global Service policy in Network Security https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795532#M1008146 <HTML><HEAD></HEAD><BODY><P>Hi David..</P><P></P><P>Just a quick check, so does it still do HTTP/HTTPS/ESMTP inspection?</P><P>A rough config as follows. I have 2 Policy list for HTTP, 1 to allow MSS exceed and 1 for HTTP inspection.</P><P></P><P>access-list MSS extended permit tcp any any eq www </P><P>!</P><P>tcp-map TCPMSS</P><P> exceed-mss allow</P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map MSS-MAP</P><P> match access-list MSS</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default </P><P> inspect http </P><P></P><P>policy-map SPHMSS-MAP</P><P> class SPHMSS-MAP</P><P> set connection advanced-options TCPMSS</P><P>!</P><P>service-policy global_policy global</P><P>service-policy MSS-MAP interface outside</P><P></P><P>Tks &amp; Rgds</P><P></P><P></P><P></P></BODY></HTML> Thu, 05 Apr 2007 14:39:46 GMT benny 2007-04-05T14:39:46Z ASA Interface/global Service policy https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795530#M1008144 <P>Hi All...</P><P></P><P>My ASA have a default Global Service policy where it does Inspection.</P><P>And i wish to know is that if i apply an Interface Service policy which does MSS Exceed Allow for only HTTP/HTTPS/SMTP.</P><P>Is the ASA still doing the default Inspection as it's stated that it will override the default policy?</P><P></P><P>Rgds</P> Mon, 11 Mar 2019 09:56:29 GMT https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795530#M1008144 benny 2019-03-11T09:56:29Z Re: ASA Interface/global Service policy https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795531#M1008145 <HTML><HEAD></HEAD><BODY><P>The default policy will still take affect. The interface policy will also be used. If there is a conflict between the two policies, then the more specific Interface policy wins.</P><P></P><P>Sincerely,</P><P></P><P>David.</P><P></P><P>PS&gt; If this answers your questions, please don't forget to check the box so we can cross this off our list.</P></BODY></HTML> Thu, 05 Apr 2007 14:29:41 GMT https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795531#M1008145 David White 2007-04-05T14:29:41Z Re: ASA Interface/global Service policy https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795532#M1008146 <HTML><HEAD></HEAD><BODY><P>Hi David..</P><P></P><P>Just a quick check, so does it still do HTTP/HTTPS/ESMTP inspection?</P><P>A rough config as follows. I have 2 Policy list for HTTP, 1 to allow MSS exceed and 1 for HTTP inspection.</P><P></P><P>access-list MSS extended permit tcp any any eq www </P><P>!</P><P>tcp-map TCPMSS</P><P> exceed-mss allow</P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map MSS-MAP</P><P> match access-list MSS</P><P>!</P><P>!</P><P>policy-map global_policy</P><P> class inspection_default </P><P> inspect http </P><P></P><P>policy-map SPHMSS-MAP</P><P> class SPHMSS-MAP</P><P> set connection advanced-options TCPMSS</P><P>!</P><P>service-policy global_policy global</P><P>service-policy MSS-MAP interface outside</P><P></P><P>Tks &amp; Rgds</P><P></P><P></P><P></P></BODY></HTML> Thu, 05 Apr 2007 14:39:46 GMT https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795532#M1008146 benny 2007-04-05T14:39:46Z Re: ASA Interface/global Service policy https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795533#M1008148 <HTML><HEAD></HEAD><BODY><P>Yes, that should work.</P><P></P><P>Alternatively, you might want to turn it on for the whole box:</P><P></P><P>tcp-map mss-map</P><P> exceed-mss allow</P><P></P><P>class-map match-any</P><P> match any</P><P></P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P></P><P>policy-map global_policy</P><P> class match-any</P><P> set connection advanced-options mss-map</P><P> </P><P>class inspection_default</P><P> inspect ftp </P><P> inspect icmp</P><P> inspect whateveryouwanttoinspect</P><P></P><P>service-policy global_policy global </P><P></P><P>Feel free to ping me @ work on sametime if you have more questions.</P><P></P><P>--Jason</P><P></P><P></P></BODY></HTML> Thu, 05 Apr 2007 14:57:37 GMT https://community.cisco.com/t5/network-security/asa-interface-global-service-policy/m-p/795533#M1008148 jgervia_2 2007-04-05T14:57:37Z