Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
510
Views
0
Helpful
0
Replies

More than one SFR class map

michaellperrin
Level 1
Level 1

‎11-10-2016 05:42 AM - edited ‎03-12-2019 01:31 AM

Is it possible to have more than one SFR class map?

For example 

ciscoasa(config)# access-list sfr_redirect extended permit ip 192.168.100.0 255.255.255.0 any
ciscoasa(config)# access-list sfr_redirect-mon extended permit ip any any

ciscoasa(config)# class-map sfr
ciscoasa(config-cmap)# match access-list sfr_redirect

ciscoasa(config)# class-map sfr-mon
ciscoasa(config-cmap)# match access-list sfr_redirect-mon

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr-mon
ciscoasa(config-pmap-c)# sfr fail-open monitor-only

This way anything that matches the sfr_redirect ACL I can block traffic on the SFR module, however everything else will just be monitor only.

I know the ASA will take the multiple SFR class maps in the global policy map. I just want to make sure it will function as I picture it will.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card