Two Different Policy Map with same inspect

mahesh18
Level 6

Hi Everyone,

I know we can have only 1 global policy on ASA that apply to all the interfaces.

Say we have global policy map that has FTP checked for inspection.

ASA1# sh run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!

ASA1# sh run class-map
!
class-map inspection_default
 description Class MAP name is inspection_default
 match default-inspection-traffic

Above we have default class and inspection.

For testing purposes I create another class-map and policy-map and apply them to the DMZ interface:

class-map Class-DMZ
 description TEST
 match default-inspection-traffic
policy-map DMZ-FTP
 description TEST
 class Class-DMZ
  inspect ftp
service-policy DMZ-FTP interface DMZ

Now we have same FTP inspection under global and DMZ interface.

How does FTP inspection work in this case, and in which order?

Regards

Mahesh

Accepted Solution

Andrew Phirsov
Level 7

Interface-specific inspection rules always take precedence over those in the global policy, if applied to the same traffic class (class-map). So for FTP inspection in your case the service policy applied to the DMZ interface will take care of FTP traffic.

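To make the precedence rule from the accepted answer checkable against a running-config, here is an added example (not code from the thread or from Cisco) that parses the policy-map, class and service-policy lines of an ASA configuration and reports, per interface and per inspection feature, which policy-map is actually responsible. It generalises slightly beyond the single FTP case above: Cisco's documented behaviour is that an interface policy overrides the global policy only for the features it defines, while global features the interface policy does not mention still apply to that interface. The config text is constructed to mirror the thread (both class-maps match default-inspection-traffic, as in the question); the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample config mirroring the thread (not a real device dump).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map Class-DMZ
 description TEST
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect icmp
policy-map DMZ-FTP
 description TEST
 class Class-DMZ
  inspect ftp
service-policy global_policy global
service-policy DMZ-FTP interface DMZ
"""


def parse_policy(config):
    """Return (policies, bindings).

    policies: {policy_name: {class_name: [inspect feature, ...]}}
    bindings: {"global": policy_name_or_None, "interfaces": {if_name: policy_name}}
    Only 'inspect' actions are collected; 'policy-map type inspect ...'
    blocks are recognised but carry no class lines, so they end up empty.
    """
    policies = defaultdict(lambda: defaultdict(list))
    bindings = {"global": None, "interfaces": {}}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            # A new top-level statement ends any policy-map/class context.
            policy = cls = None
            m = re.match(r"policy-map (?:type \S+ \S+ )?(\S+)$", line)
            if m:
                policy = m.group(1)
                continue
            m = re.match(r"service-policy (\S+) (global|interface (\S+))$", line)
            if m:
                if m.group(3):
                    bindings["interfaces"][m.group(3)] = m.group(1)
                else:
                    bindings["global"] = m.group(1)
            continue
        if policy is None:
            continue  # inside a class-map or other block we do not model
        if indent == 1 and line.startswith("class "):
            cls = line.split()[1]
            policies[policy][cls]  # create the class entry even if it has no actions
        elif cls is not None and indent >= 2 and line.startswith("inspect "):
            policies[policy][cls].append(line.split()[1])  # feature = protocol keyword
    return policies, bindings


def effective_inspections(config, interface):
    """Map each inspection feature active on `interface` to (policy, class).

    Global features are loaded first, then the interface policy overwrites any
    feature it also defines: that is the per-feature precedence described in
    the accepted answer.
    """
    policies, bindings = parse_policy(config)
    result = {}
    if bindings["global"]:
        for cls, feats in policies[bindings["global"]].items():
            for feat in feats:
                result[feat] = (bindings["global"], cls)
    if_policy = bindings["interfaces"].get(interface)
    if if_policy:
        for cls, feats in policies[if_policy].items():
            for feat in feats:
                result[feat] = (if_policy, cls)  # interface policy wins for this feature
    return result


def shadowed_global_features(config, interface):
    """Audit helper: global inspections that the interface policy overrides."""
    policies, bindings = parse_policy(config)
    if not bindings["global"] or interface not in bindings["interfaces"]:
        return set()
    global_feats = {f for feats in policies[bindings["global"]].values() for f in feats}
    if_feats = {f for feats in policies[bindings["interfaces"][interface]].values() for f in feats}
    return global_feats & if_feats


if __name__ == "__main__":
    for feat, (pol, cls) in sorted(effective_inspections(SAMPLE_CONFIG, "DMZ").items()):
        print(f"DMZ  {feat:8s} <- {pol} / {cls}")
    print("shadowed on DMZ:", shadowed_global_features(SAMPLE_CONFIG, "DMZ"))
```

Run against the sample, the DMZ interface shows ftp handled by DMZ-FTP / Class-DMZ while dns, esmtp and icmp still come from global_policy; any other interface gets all four from the global policy. The shadowed-feature helper is the check worth keeping in a config review: every feature it lists is one where the interface policy's parameters (not the global policy's) are what is actually enforced on that interface.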

2 Replies


Many thanks Andrew

Regards

Mahesh
