05-07-2012 10:59 AM - edited 03-11-2019 04:03 PM
According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
, the ASA is equipped with two default class-maps
class-map inspection_default
match default-inspection-traffic
and
class-map class-default
match any
The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
policy-map MyPolicy
class class-default
inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)
05-07-2012 04:46 PM
Hello Collin,
This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
The one that you currently have (and God I hope its not applied) will look for tftp traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
Mike
05-08-2012 07:16 AM
So it sounds like using the class-default is not recommended unless you are doing it with QoS, Netflow, etc. yes?
If you want to inspect FTP traffic, you should do that with a layer 7 map?
05-08-2012 08:42 AM
Hi Collin,
For the FTP traffic to work properly, with the regular inspection of FTP it would do it, however, if you want to block specific information inside the FTP packets such as different types of method (PUT,GET) usernames, specific files etc, you will be needing to use Layer 7.
Cheers,
Mike
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide