https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182665#M835234 <HTML><HEAD></HEAD><BODY><P>Presently I do not see a way to achieve this in the ASA/PIX or FWSM platform. </P><P></P><P>You can however do this for dns inspection.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130</A></P><P></P><P></P></BODY></HTML> Mon, 01 Jun 2009 11:42:19 GMT Kureli Sankar 2009-06-01T11:42:19Z https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182662#M835231 <P>Hi All, </P><P></P><P>I have an ASA that has an OUTSIDE interface connected to the Internet, and an INSIDE interface connected to my LAN. </P><P>I enter the following commands on the ASA: </P><P></P><P>access-list 105 extended deny icmp any any</P><P></P><P>class-map ICMP</P><P> match access-list 105</P><P></P><P>policy-map ICMP</P><P> class ICMP</P><P></P><P>service-policy ICMP interface INSIDE</P><P></P><P>I thought that if I applied these commands, then the ICMP packets are going to be dropped, but that's not the case.</P><P>Are these commands doing anything on the ASA and can I drop packets by using CLASS-MAPS and POLICY-MAPS instead of using ACCESS-LISTS? </P><P></P><P>Thank you!</P><P>Federico.</P> Mon, 11 Mar 2019 15:37:47 GMT https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182662#M835231 fedecotofaja 2019-03-11T15:37:47Z https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182663#M835232 <HTML><HEAD></HEAD><BODY><P>Those command are not doing anything.</P><P></P><P>You need to permit the traffic in the access-list for it to be matched in the class-map and then specify what you want done for those matched packets like inspect icmp. </P><P></P><P>The best place to deny icmp is by applying an access-list IN on the inside interface and permitting everything else.</P><P></P><P>example:</P><P></P><P>access-list inside-acl deny icmp any any</P><P>access-list inside-acl permit ip any any</P><P></P><P>access-group inside-acl in int inside</P><P></P><P>I hope this helps.</P><P></P><P></P></BODY></HTML> Sat, 30 May 2009 00:11:00 GMT https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182663#M835232 Kureli Sankar 2009-05-30T00:11:00Z https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182664#M835233 <HTML><HEAD></HEAD><BODY><P>Great Thank you!</P><P></P><P>What if I want to permit ICMP PING packets but only of certain size? </P><P></P><P>Can I accomplish that with the CLASS-MAPS and POLICY-MAPS?</P><P></P><P>Thank you!</P></BODY></HTML> Sat, 30 May 2009 16:42:43 GMT https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182664#M835233 fedecotofaja 2009-05-30T16:42:43Z https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182665#M835234 <HTML><HEAD></HEAD><BODY><P>Presently I do not see a way to achieve this in the ASA/PIX or FWSM platform. </P><P></P><P>You can however do this for dns inspection.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1719130</A></P><P></P><P></P></BODY></HTML> Mon, 01 Jun 2009 11:42:19 GMT https://community.cisco.com/t5/network-security/help-with-application-inspection-on-asa/m-p/1182665#M835234 Kureli Sankar 2009-06-01T11:42:19Z