07-19-2007 12:10 PM - edited 03-11-2019 03:46 AM
I'm trying to block MSN and Yahoo! Messenger file transfers, while still allowing chat and other services. The problem I get is that when I try to apply the inspect rules in my policy, I get an error that I can't have multiple inspect rules.
Error:
==============
ASA01(config)# policy-map MyInsidePolicy
ASA01(config-pmap)# class ALL
ASA01(config-pmap-c)# inspect http WebMSN
ASA01(config-pmap-c)# inspect im BlockMSN
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.
ASA01(config-pmap-c)#
==============
This is my config so far:
==============
class-map ALL
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http WebMSN
 parameters
  protocol-violation action drop-connection
 class _default_msn-messenger
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
policy-map type inspect im BlockMSN
 description To Block MSN
 parameters
 match service file-transfer
  drop-connection log
policy-map type inspect im BlockYahoo
 parameters
 match service file-transfer
  drop-connection log
policy-map MyInsidePolicy
 class ALL
  inspect http WebMSN
!
service-policy global_policy global
==============
I also get this:
==============
ASA01(config-pmap-c)# class-map ALL
ASA01(config-cmap)# match default-inspection-traffic
ERROR: This match command can only coexist with 'match access-list'
ASA01(config-cmap)#
==============
What is the proper way to accomplish this?
07-25-2007 01:27 PM
I think you should create a separate class for all the protocols that you want to inspect and then group all these classes under a policy-map and then apply this to the interface using the service-policy command. You may also try adding the "match default-inspection-traffic" command to the associated class-map. After doing this, you will be allowed to add the additional inspect statements to the same policy-map; however, this is not how the config should be done and you may get errors at some later stage. I think it will be better to use a Websense server to block the MSN or Yahoo file transfer.
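One way to lay the policy out the way this reply suggests (one class per inspected protocol, grouped in one policy-map, applied with service-policy), as an added example rather than either poster's own config: the access-list and class names, the single combined IM policy-map, and the interface name `inside` are assumptions, and TCP 1863 (MSN) and 5050 (Yahoo) are the usual IM ports, to be checked against what your clients actually use.

```text
! Layer 3/4 class for the IM sessions only (assumed ACL name and ports)
access-list IM_TRAFFIC extended permit tcp any any eq 1863
access-list IM_TRAFFIC extended permit tcp any any eq 5050
!
class-map IM_CLASS
 match access-list IM_TRAFFIC
!
! Separate Layer 3/4 class for web traffic, so each class carries one inspect
class-map HTTP_CLASS
 match port tcp eq 80
!
! One IM inspection policy covering both protocols: drop and log file transfers,
! leave chat alone (assumed name; same match/action as the poster's BlockMSN)
policy-map type inspect im BlockIMFileTransfer
 parameters
 match service file-transfer
  drop-connection log
!
! Each class gets exactly one inspect, which is what the first error requires
policy-map MyInsidePolicy
 class HTTP_CLASS
  inspect http WebMSN
 class IM_CLASS
  inspect im BlockIMFileTransfer
!
! Interface policy (assumed interface name); global_policy still covers the rest
service-policy MyInsidePolicy interface inside
```

Confirm the result with `show service-policy interface inside`, which lists each class with its inspect and packet counters, so a blocked transfer shows up as drops under IM_CLASS rather than as a silent failure.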