You see why it matters below
I had this nice class-map in my config (user entries in red):
class-map type inspect match-any Internet_basic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol pop3
match protocol imap
match protocol user-RDP
match protocol ntp
match protocol ssh
match protocol user-RDP-Standaard
match protocol mysql
match protocol user-NavisionSite
match protocol user-NavisionClient
match protocol ftp
match protocol user-DirectAdmin
Now look how I had to mangle this to get it to work.
Worst of all: I needed to lie about the service!
i.e.: oem-agent = user-RDP
cisco-sys = not cisco sys at all, it is = user-NavisionSite
class-map type inspect match-any Internet_basic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol pop3
match protocol imap
match protocol oem-agent
match protocol ntp
match protocol ssh
match protocol mysql
match protocol cisco-sys
match protocol cisco-svcs
match protocol ftp
match protocol creativeserver
You see?
Of course I could also use access-lists, but this is much more elegant and readable.
But not without the possibility to add your own entries!