06-15-2016 07:55 PM - edited 03-12-2019 12:53 AM
Hi experts,
I am wondering what is special about the class-map "class inspection_default":
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
I am not able to figure out how that class-map and the inspect command below that work together. :(
CF
06-15-2016 08:02 PM
Hi,
So when we create a policy-map we need to configure the
Here is an example:
policy-map <NAME>
class <CLASS1>
<feature1>
class <CLASS2>
<feature2>
By
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-15-2016 08:48 PM
Yes, I understand that. I have seen that class-map inspection_default is matching default-inspection-traffic. Can you please share more info about default-inspection-traffic?
I have seen the config of default-inspection-traffic as follows:
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748
dns-------udp--53
ftp-------tcp--21
gtp-------udp--2123,3386
h323-h225-tcp--1720
h323-ras--udp--1718-1719
http------tcp--80
icmp------icmp
ils-------tcp--389
ip-options-----rsvp
mgcp------udp--2427,2727
netbios---udp--137-138
radius-acct----udp--1646
rpc-------udp--111
rsh-------tcp--514
rtsp------tcp--554
sip-------tcp--5060
sip-------udp--5060
skinny----tcp--2000
smtp------tcp--25
sqlnet----tcp--1521
tftp------udp--69
waas------tcp--1-65535
xdmcp-----udp--177
I am not able to understand what this means. Does this mean all these protocols are inspected by default? How does the inspection work with the default policy?
CF
06-16-2016 09:59 AM
Any help would be appreciated.
CF
06-16-2016 04:54 PM
Hi,
By
Regards,
Aditya
Please rate helpful posts and mark correct answers.
06-17-2016 09:00 AM
The default-inspection-traffic list shows ICMP too; is that also inspected? This is confusing me.
When I tested in lab, I had to manually specify the ICMP inspect command in policy-map.
05-11-2020 11:13 AM
class-map inspection_default
 match default-inspection-traffic
Here you label the traffic (ftp, dns, tftp and so on) as "inspection_default".
After this, with the policy-map you tell it what to do with that traffic.
Guess what: inspect.
If you look at the policy-map, inspect icmp is missing (that is why ping won't work).
If you add inspect icmp after:
policy-map global_policy
 class inspection_default
  inspect icmp
icmp will go from the higher security level to the lower security level and back, but...
icmp originating from a lower security level interface will not pass the firewall to the higher security level.
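As an added example (not code from the thread or from Cisco), a small Python audit that parses the default-inspection-traffic table quoted above together with the global_policy from the first post and lists the protocols the class-map matches but no inspect line acts on; this is exactly why ICMP is matched by the class yet not inspected until "inspect icmp" is added. The esmtp/smtp and sunrpc/rpc name mapping is my assumption from comparing the two lists.

```python
import re
# Constructed input in the shape of the "match default-inspection-traffic" help
# text quoted in the thread (whitespace-separated entries, any number per line).
DEFAULT_INSPECTION_TRAFFIC = """
ctiqbe----tcp--2748 dns-------udp--53 ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719 http------tcp--80 icmp------icmp
ils-------tcp--389 ip-options-----rsvp mgcp------udp--2427,2727 netbios---udp--137-138
radius-acct----udp--1646 rpc-------udp--111 rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060 skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69 waas------tcp--1-65535 xdmcp-----udp--177
"""
# Constructed policy-map with the same inspect lines as the first post.
GLOBAL_POLICY = """policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
"""
# One table entry: name, hyphen padding, transport, optional "--ports".
ENTRY = re.compile(r"(\S+?)-+(tcp|udp|icmp|rsvp)\b(?:--(\S+))?")
# Assumed mapping where the inspect keyword differs from the table name.
ALIAS = {"esmtp": "smtp", "sunrpc": "rpc"}

def parse_default_traffic(text):  # -> {name: {"transport/ports", ...}}
    table = {}
    for name, proto, ports in ENTRY.findall(text):
        table.setdefault(name, set()).add(f"{proto}/{ports or '*'}")
    return table

def inspect_engines(config):  # engines enabled by "inspect" lines, in table naming
    engines = set()
    for tokens in (line.split() for line in config.splitlines()):
        if len(tokens) >= 2 and tokens[0] == "inspect":
            name = "h323-" + tokens[2] if tokens[1] == "h323" else tokens[1]
            engines.add(ALIAS.get(name, name))
    return engines

def matched_but_not_inspected(table_text, config):  # matched by class, no action
    return sorted(set(parse_default_traffic(table_text)) - inspect_engines(config))
```

Flows in the returned list are selected by the class-map but simply pass through with no application inspection, which is why ping only works once the policy-map gains an inspect icmp line.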
05-11-2020 11:16 AM