Two Different Policy Map with same inspect

mahesh18 — Tue, 12 Mar 2019 02:11:55 GMT

Hi Everyone,

I know we can have only 1 global policy on ASA that apply to all the interfaces.

Say we have global policy map that has FTP checked for inspection.

ASA1# sh run policy-map

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

ASA1# sh run class-map

class-map inspection_default

description Class MAP name is inspection_default

match default-inspection-traffic

Above we have default class and inspection.

For testing purposes i create another class and policy map and apply to DMZ interface

class-map Class-DMZ

description TEST

match default-inspection-traffic

policy-map DMZ-FTP

description TEST

class Class-DMZ

inspect ftp

service-policy DMZ-FTP interface DMZ.

Now we have same FTP inspection under global and DMZ interface.

How does and under which order FTP inspection works?

Regards

MAhesh

Re: Two Different Policy Map with same inspect

Andrew Phirsov — Sun, 14 Jul 2013 09:31:15 GMT

Interface-specific inspection rules always take precednece over those in the global policy, if applied to the same traffic class (class-map). So for FTP inspection in your case the service policy, applied to the DMZ interface will take care of FTP traffic.

Two Different Policy Map with same inspect

mahesh18 — Sun, 14 Jul 2013 18:14:04 GMT

Many thanks Andrew

Regards

Mahesh

topic Two Different Policy Map with same inspect in Network Security

Two Different Policy Map with same inspect

Re: Two Different Policy Map with same inspect

Two Different Policy Map with same inspect