Global service policy on ASA 8.3(2)

rdessert
Level 1

I recently started working for a new company and am learning their environment. They have an HA pair of ASA 5580-20's running 8.3(2) code.

I have worked quite a bit with ASAs in the past, mostly running the 7.2(4) and 8.2 trains. I was surprised when looking through the config of the 5580 that there is no global service policy. I thought that ASAs came out of the box with a global service policy containing inspect rules for common protocols such as ftp, skinny, sunrpc, etc.

Like follows...

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
service-policy global_policy global

I know there are a lot of changes in 8.3(2); is the lack of a global service policy one of them? How then are things like FTP inspection being performed, etc.?

Thanks for any feedback...

Rich

4 Replies

varrao
Level 10

Hi Rich,

You can never be sure what config you would already have on a device. 8.3 very much has the same global policies as used in previous versions, but we cannot be sure what a device would be pre-configured with.

Thanks,

Varun


Hi Varun,

Thanks for taking the time to reply.

I understand that configs can be different after a box ships and the admin configures it. My question is related to the base config that Cisco ships a box with 8.3(2) code with.

Maybe this will help clarify. I have configured numerous ASAs straight out of the box, shipped direct from Cisco with earlier code versions on them (it's been a couple of years), and as I recall part of the base config was always a global service policy with common ports such as ftp, skinny, etc.

Since I inherited the firewalls I am now managing and am trying to understand their config, I noticed there is no global service policy at all, and being new to 8.3 code, I'm just trying to see if there are any differences in the way the global policy is configured / handled.

I find it odd that there would be no global policy with inspect rules for FTP, skinny, sunrpc, etc.

Thanks,

Rich

Rich,

I hope you are doing great.

I would like to let you know that the global policy should be configured in the same way; there is no difference. For example, this is one I just took from one of our ASAs here:

Cisco Adaptive Security Appliance Software Version 8.3(2)

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global

I hope this will be helpful.

Regards,

Luis Sandi
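The practical follow-up to Luis's answer (and to the original question) is a quick check: given a running-config, is a policy-map applied with "service-policy ... global", and does it still carry the inspections in the 8.3(2) default shown above? The script below is an added example, not code from the thread or from Cisco. It parses the policy-map / class / inspect hierarchy of an ASA running-config by indentation, compares the globally applied policy against the inspection list taken from the config Luis posted, and reports what is missing. The sample config is constructed to mirror that posted default with "inspect ftp" and "inspect skinny" deliberately removed; a second constructed sample has the "service-policy" line removed, which is the state Rich describes. The default inspection set differs between ASA versions, so DEFAULT_INSPECTS is an assumption tied to the 8.3(2) output on this page.

```python
"""Audit an ASA running-config for the default global inspection policy.

Added example, not from the thread. DEFAULT_INSPECTS is taken from the
8.3(2) global_policy posted in the accepted answer; adjust it for other
ASA versions. Both sample configs below are constructed for this example.
"""
import re

# Inspections in the 8.3(2) default global_policy shown in the thread.
DEFAULT_INSPECTS = {
    "dns", "ftp", "h323 h225", "h323 ras", "rsh", "rtsp", "esmtp", "sqlnet",
    "skinny", "sunrpc", "xdmcp", "sip", "netbios", "tftp", "ip-options",
}

# Constructed sample: the posted default with ftp and skinny removed.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
"""

# Constructed sample: same policy-map defined, but never applied globally.
NO_GLOBAL_CONFIG = SAMPLE_CONFIG.replace("service-policy global_policy global\n", "")


def parse_policy_maps(config: str) -> dict:
    """Return {policy_map: {class_name: set(inspects)}} for plain policy-maps.

    'policy-map type inspect ...' blocks (like preset_dns_map) are skipped
    because they hold parameters, not inspect actions. ASA indents 'class'
    by one space and 'inspect' by two, which is what the parser relies on.
    """
    policies, policy, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        stripped = line.lstrip()
        if line == stripped:  # column 0: a new top-level block
            policy = cls = None
            m = re.match(r"policy-map (\S+)$", stripped)
            if m:
                policy = m.group(1)
                policies[policy] = {}
            continue
        if policy is None:
            continue
        m = re.match(r"class (\S+)$", stripped)
        if m:
            cls = m.group(1)
            policies[policy].setdefault(cls, set())
            continue
        m = re.match(r"inspect (\S+)(?: (\S+))?", stripped)
        if m and cls is not None:
            proto = m.group(1)
            # h323 carries a sub-type (h225 / ras); any other second token is
            # an inspect policy-map name (e.g. preset_dns_map) and is dropped.
            if proto == "h323" and m.group(2):
                proto = f"h323 {m.group(2)}"
            policies[policy][cls].add(proto)
    return policies


def global_service_policy(config: str):
    """Name of the policy-map applied with 'service-policy <name> global', or None."""
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    return m.group(1) if m else None


def audit(config: str) -> dict:
    """Report the global policy and which default inspections it lacks.

    No global policy at all means every default inspection is missing,
    regardless of what policy-maps happen to be defined but unapplied.
    """
    name = global_service_policy(config)
    present = set()
    for inspects in parse_policy_maps(config).get(name, {}).values():
        present |= inspects
    return {
        "global_policy": name,
        "present": sorted(present),
        "missing": sorted(DEFAULT_INSPECTS - present),
    }


if __name__ == "__main__":
    for label, cfg in (("trimmed", SAMPLE_CONFIG), ("no global", NO_GLOBAL_CONFIG)):
        print(label, audit(cfg))
```

Run it against "show running-config" output saved to a file by reading the file into audit(). On the trimmed sample it reports global_policy "global_policy" with ftp and skinny missing; on the second sample it reports no global policy and all fifteen default inspections missing, which is the situation that prompted this thread.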

Thanks Luis... The network admin before me must have removed the global service policy.
