09-30-2008 05:40 AM - edited 03-11-2019 06:51 AM
Please teach me about the following config line.
"service-policy global_policy global"
Is this configuration a necessity?
If I delete the configuration line, will I have any troubles with the firewall technology???
09-30-2008 06:13 AM
Hi Shigenori,
This line applies your global_policy policy-map to all active interfaces on your ASA. So, any traffic that comes in on any interface will be subject to the inspection rules defined by your global_policy (assuming it matches a class-map).
Without seeing the rest of your configuration, it is impossible to say how removing this line will affect your firewall. Take a look at the output of 'show run' (or 'show run | b class-map') and 'show service-policy' to see the inspection rules that are applied to this policy.
Hope that helps.
-Mike
09-30-2008 07:53 AM
Hi Mike,
Thank you for your technical advice about global policy.
The current configuration is as follows.
The class-map line is the default configuration.
ASA Version 8.0(3)
!
hostname asa5510sample
domain-name sample-sm.jp
enable password
names
!
interface Ethernet0/0
nameif outside
security-level 100
pppoe client vpdn group GPPPOE
ip address 121.186.XXX.XXX 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.XXX.XXX 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.XXX.XXX 255.255.255.0
!
passwd
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone JST 9
dns domain-lookup outside
dns server-group DefaultDNS
name-server 121.113.XXX.XXX
domain-name sample-sm.jp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in_1 extended permit ip any any
access-list http-list2 extended permit tcp any any
!
tcp-map mss-map
exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu outside 1454
mtu inside 1454
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.100.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (management) 1 172.16.100.0 255.255.255.0
access-group inside_access_in_1 in interface inside
route inside 10.0.0.0 255.255.255.0 192.168.0.252 1
route management 172.16.100.2 255.255.255.255 172.16.100.1 2
route inside 192.168.1.0 255.255.255.0 192.168.0.252 1
route inside 192.168.2.0 255.255.255.0 192.168.0.252 1
route inside 192.168.3.0 255.255.255.0 192.168.0.252 1
route inside 192.168.20.0 255.255.255.0 192.168.0.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.100.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group GPPPOE request dialout pppoe
vpdn group GPPPOE localname XXXXsample@XXXXXX.XXX.ne.jp
vpdn group GPPPOE ppp authentication chap
vpdn username XXXXsample@XXXXXX.XXX.ne.jp password *********
threat-detection basic-threat
threat-detection statistics access-list
username asapri password
!
class-map global-class
match any
!
!
policy-map global-policy
class global-class
csc fail-open
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXeba14c1bd38444ae90113925
: end
I'm waiting for more of your advice.
Thanks.
09-30-2008 08:03 AM
From the above config it sounds like you have a CSC-SSM module.
The class-map global-class matches any traffic and then sends it to the CSC for inspection.
It is applied globally, which means the traffic will be sent to the CSC for inspection when flowing from all interfaces.
csc fail-open means that if the CSC fails, the ASA will continue to pass traffic without inspection from the CSC.
For better performance you need to send more specific traffic rather than all.
Have a look at the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml
Good luck.
If helpful, rate.
09-30-2008 08:21 AM
Thank you for your technical advice.
In fact, if I delete the "service-policy global_policy global" line, the firewall cannot send the traffic for CSC inspection???
Please give your advice!
Thanks.
09-30-2008 08:25 AM
Of course.
This policy is set up to send traffic to the CSC-SSM.
For more details see the link I posted to you; it includes everything you need regarding the ASA with CSC.
If helpful, rate.
09-30-2008 06:16 AM
OK.
This policy is related to what is known as application inspection.
In older PIX it was like the fixup command.
This inspection makes the firewall work with those protocols statefully.
For example, with FTP, ports 20 and 21 are only for negotiation between the client and server; after that they negotiate a port for the transfer.
If you disable the FTP inspection, the firewall will block that negotiated port number, which is random, unless you open a huge number of ports, and in that case it will not be a secure firewall.
The same with VoIP protocols like H.323 and SCCP.
With HTTP you can inspect the HTTP header and make inspection policies.
The global means this policy will work on all interfaces.
If you make a policy on a specific interface, it will take preference over the global one.
I would suggest you never disable this policy because you will get unexpected errors and problems.
Good luck.
If helpful, rate.
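As an added example (not code from the thread or from Cisco), a small Python parser for the Modular Policy Framework part of a `show run` that resolves the service-policy, policy-map and class-map chain per interface, letting an interface-specific binding win over the global one as the reply above describes. It assumes the ASA's usual one-space indentation of sub-mode lines, which the pasted config lost; SAMPLE_CONFIG is constructed from that posted config.

```python
# Added example, not code from the thread; SAMPLE_CONFIG is constructed from the posted config.
import re

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
class-map global-class
 match any
policy-map global-policy
 class global-class
  csc fail-open
service-policy global-policy global
"""

def parse_mpf(config):
    """Collect nameifs, class-maps, policy-maps and service-policy bindings."""
    cfg = {"interfaces": [], "classes": {}, "policies": {}, "bindings": {}}
    cur_class = cur_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command: leave any sub-mode
            cur_class = cur_policy = None
            if m := re.match(r"class-map (\S+)$", line):
                cfg["classes"][(cur_class := m.group(1))] = []      # match criteria
            elif m := re.match(r"policy-map (\S+)$", line):
                cfg["policies"][(cur_policy := m.group(1))] = {}    # {class: [actions]}
            elif m := re.match(r"service-policy (\S+) (?:global|interface (\S+))$", line):
                cfg["bindings"][m.group(2) or "global"] = m.group(1)
        elif m := re.match(r"nameif (\S+)$", line):
            cfg["interfaces"].append(m.group(1))
        elif cur_policy and (m := re.match(r"class (\S+)$", line)):
            cfg["policies"][cur_policy][(cur_class := m.group(1))] = []
        elif cur_policy and cur_class:
            cfg["policies"][cur_policy][cur_class].append(line)    # e.g. csc fail-open
        elif cur_class:
            cfg["classes"][cur_class].append(line)                 # e.g. match any
    return cfg

def effective_policies(cfg):
    """Per interface: (winning policy, {class: (match lines, action lines)}).
    An interface-specific service-policy beats the global one; None = no MPF."""
    out = {}
    for iface in cfg["interfaces"]:
        name = cfg["bindings"].get(iface, cfg["bindings"].get("global"))
        classes = cfg["policies"].get(name, {})
        out[iface] = (name, {c: (cfg["classes"].get(c, []), a) for c, a in classes.items()})
    return out
```

On the posted config this reports `global-policy` with `match any` and `csc fail-open` on every named interface; with the `service-policy` line removed every interface resolves to `None`, i.e. no MPF inspection at all, which is the situation the original question asks about.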