https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435217#M733125 <P><SPAN style="font-family: verdana,geneva;">Hello,</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;">I'm new to comm/firewall-related things. I have a new customer that has an ASA 5505.</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;">This ASA doesn't have any class-map or policy-map statements in its config. From what I've read there is, by default in an ASA 5505, the following configuration...</SPAN></P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect dns preset_dns_map <BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect esmtp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect skinny&nbsp; <BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect xdmcp <BR />&nbsp; inspect sip&nbsp; <BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />!<BR />service-policy global_policy global</SPAN></P><P></P><P></P><P><SPAN style="font-family: verdana,geneva;">The only problem I notice from the missing stuff is that FTP doesn't work (clients from the inside can't access or download files from FTP-servers on the internet). I've managed to solve this with the following configuration...</SPAN></P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">class-map FTP-traffic<BR />&nbsp;&nbsp; match port tcp eq ftp</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">policy-map FTP-policy<BR />&nbsp;&nbsp; class FTP-traffic<BR />&nbsp;&nbsp; inspect ftp</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">service-policy FTP-policy interface outside</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;"><BR />My question is should I recreate the default class-map and policy-map? What functionality do they provide... can they introduce any latency or other problems?</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;"><BR />Thanks in advance</SPAN></P> Mon, 11 Mar 2019 17:54:16 GMT goAtsyNasdaq 2019-03-11T17:54:16Z https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435217#M733125 <P><SPAN style="font-family: verdana,geneva;">Hello,</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;">I'm new to comm/firewall-related things. I have a new customer that has an ASA 5505.</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;">This ASA doesn't have any class-map or policy-map statements in its config. From what I've read there is, by default in an ASA 5505, the following configuration...</SPAN></P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR />&nbsp; inspect dns preset_dns_map <BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect esmtp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect skinny&nbsp; <BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect xdmcp <BR />&nbsp; inspect sip&nbsp; <BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />!<BR />service-policy global_policy global</SPAN></P><P></P><P></P><P><SPAN style="font-family: verdana,geneva;">The only problem I notice from the missing stuff is that FTP doesn't work (clients from the inside can't access or download files from FTP-servers on the internet). I've managed to solve this with the following configuration...</SPAN></P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">class-map FTP-traffic<BR />&nbsp;&nbsp; match port tcp eq ftp</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">policy-map FTP-policy<BR />&nbsp;&nbsp; class FTP-traffic<BR />&nbsp;&nbsp; inspect ftp</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: verdana,geneva; font-size: 8pt;">service-policy FTP-policy interface outside</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;"><BR />My question is should I recreate the default class-map and policy-map? What functionality do they provide... can they introduce any latency or other problems?</SPAN></P><P></P><P><SPAN style="font-family: verdana,geneva;"><BR />Thanks in advance</SPAN></P> Mon, 11 Mar 2019 17:54:16 GMT https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435217#M733125 goAtsyNasdaq 2019-03-11T17:54:16Z https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435218#M733143 <HTML><HEAD></HEAD><BODY><P>You do not need to configure the default policy map inspection if none of the default protocols are needed in your environment.</P><P></P><P>Here is the description of each inspection protocol for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 03 Jun 2010 09:18:21 GMT https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435218#M733143 Jennifer Halim 2010-06-03T09:18:21Z https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435219#M733155 <HTML><HEAD></HEAD><BODY><P>Thanks for your answer</P><P></P><P>Currently FTP and DNS are the only protocols in the default-inspection-list that is permitted outbound in the firewall configuration. I think I´ll go ahead and enable the defaults anyway.</P></BODY></HTML> Thu, 03 Jun 2010 12:40:33 GMT https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435219#M733155 goAtsyNasdaq 2010-06-03T12:40:33Z https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435220#M733166 <HTML><HEAD></HEAD><BODY><P>Yes, definitely. Go ahead and enable the default inspection policy.</P></BODY></HTML> Thu, 03 Jun 2010 12:52:01 GMT https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435220#M733166 Jennifer Halim 2010-06-03T12:52:01Z https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435221#M733183 <HTML><HEAD></HEAD><BODY><P></P><P>According to this link <A class="jive-link-external-small" href="http://www.pingafrica.org/node/135">http://www.pingafrica.org/node/135</A> I configure my CISCO OIOS (tm) C1700 Software (C1700-Y-M), Version 12.3(17a), router to filter HTML trafic. It works perfectly.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Could you tell me how to configure it to not filter traffic for specific IP addresses ex. administrators and other privileged users in my network?</P><P></P><P>Thanks a lot..</P><P></P></BODY></HTML> Mon, 05 Jul 2010 10:21:08 GMT https://community.cisco.com/t5/network-security/default-class-policy-maps/m-p/1435221#M733183 naumoskivladimir 2010-07-05T10:21:08Z