Solved: MPF (Inspection Engine)

arshad_cisco86 · ‎11-23-2015

Hi All,

what about inspection,suppose we made two policy and apply on the same interface .

Q.A)one of two policy will work?

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2

class-map drop_class

match access-list 101

policy-map drop_policy

class drop_class

drop

access-list 101 permit ip host 1.1.1.1 host 2.2.2.2

class-map drop_class

match access-list 101

policy-map drop_policy

class drop_class

inspect

Regards

Arshad Ayub

Rishabh Seth · ‎11-23-2015

Hi Arshad,

As per my understanding the ASA should evaluate the service policy in top to down fashion and stop evaluation after hitting the matching rule.

You can also use show service policy flowcommand to check the service policy that will be evaluated for specific traffic.

Refer this link for syntax: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s12.html#pgfId-1336197

Hope it helps.

Thanks,

Rishabh Seth