cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2813
Views
0
Helpful
3
Replies
benny
Beginner

ASA Interface/global Service policy

Hi All...

My ASA have a default Global Service policy where it does Inspection.

And i wish to know is that if i apply an Interface Service policy which does MSS Exceed Allow for only HTTP/HTTPS/SMTP.

Is the ASA still doing the default Inspection as it's stated that it will override the default policy?

Rgds

1 ACCEPTED SOLUTION

Accepted Solutions

Yes, that should work.

Alternatively, you might want to turn it on for the whole box:

tcp-map mss-map

exceed-mss allow

class-map match-any

match any

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class match-any

set connection advanced-options mss-map

class inspection_default

inspect ftp

inspect icmp

inspect whateveryouwanttoinspect

service-policy global_policy global

Feel free to ping me @ work on sametime if you have more questions.

--Jason

View solution in original post

3 REPLIES 3
David White
Cisco Employee

The default policy will still take affect. The interface policy will also be used. If there is a conflict between the two policies, then the more specific Interface policy wins.

Sincerely,

David.

PS> If this answers your questions, please don't forget to check the box so we can cross this off our list.

Hi David..

Just a quick check, so does it still do HTTP/HTTPS/ESMTP inspection?

A rough config as follows. I have 2 Policy list for HTTP, 1 to allow MSS exceed and 1 for HTTP inspection.

access-list MSS extended permit tcp any any eq www

!

tcp-map TCPMSS

exceed-mss allow

class-map inspection_default

match default-inspection-traffic

class-map MSS-MAP

match access-list MSS

!

!

policy-map global_policy

class inspection_default

inspect http

policy-map SPHMSS-MAP

class SPHMSS-MAP

set connection advanced-options TCPMSS

!

service-policy global_policy global

service-policy MSS-MAP interface outside

Tks & Rgds

Yes, that should work.

Alternatively, you might want to turn it on for the whole box:

tcp-map mss-map

exceed-mss allow

class-map match-any

match any

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class match-any

set connection advanced-options mss-map

class inspection_default

inspect ftp

inspect icmp

inspect whateveryouwanttoinspect

service-policy global_policy global

Feel free to ping me @ work on sametime if you have more questions.

--Jason

Create
Recognize Your Peers
Content for Community-Ad