11-15
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
Configure Service Policies
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo
Create a Layer 3/4 Class Map for Management Traffic
For management traffic to the ASA, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match an ACL or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. See Features Configured with Service Policies, page 11-4.
Procedure
Step 1 Create a management class map, where class_map_name is a string up to 40 characters in length.
class-map type management class_map_name
The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Example:
hostname(config)# class-map type management all_udp
Step 2 (Optional) Add a description to the class map.
description string
Example:
hostname(config-cmap)# description All UDP traffic
Step 3 Match traffic using one of the following commands.
• match access-list access_list_name—Matches traffic specified by an extended ACL. If the ASA is operating in transparent firewall mode, you can use an EtherType ACL.
hostname(config-cmap)# match access-list udp
• match port {tcp | udp} {eq port_num | range port_num port_num}—Matches TCP or UDP destination ports, either a single port or a contiguous range of ports. For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.
hostname(config-cmap)# match port tcp eq 80
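The naming and match rules in the steps above (the 40-character name limit, the reserved name class-default, the single name space shared by every class-map type, and the match port syntax) as an added Python checker; this is not part of the Cisco guide, the sample configuration is constructed here, and the "layer3/4" label given to class maps created without a type keyword is this script's own convention.

```python
import re

NAME_MAX = 40                  # class-map names are limited to 40 characters
RESERVED = {"class-default"}   # reserved name that no class map may use
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")   # strips "hostname(config-cmap)# "
CLASS_MAP_RE = re.compile(r"^class-map(?: type (\S+))? (\S+)$")
MATCH_ACL_RE = re.compile(r"^match access-list \S+$")
MATCH_PORT_RE = re.compile(r"^match port (?:tcp|udp) (?:eq \S+|range \S+ \S+)$")

def lint_class_maps(config_text):
    """Return [(line_no, message)] for class-map lines that break the guide's rules."""
    findings = []
    seen = {}        # name -> class-map type; all class-map types share one name space
    current = None   # type of the class map whose block we are inside, if any
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT_RE.sub("", raw.strip())   # accept pasted CLI sessions or show run
        m = CLASS_MAP_RE.match(line)
        if m:
            cm_type, name = m.group(1) or "layer3/4", m.group(2)
            current = cm_type
            if name in RESERVED:
                findings.append((n, f"'{name}' is a reserved class-map name"))
            if len(name) > NAME_MAX:
                findings.append((n, f"'{name}' exceeds {NAME_MAX} characters"))
            if name in seen and seen[name] != cm_type:
                findings.append((n, f"'{name}' is already used by a {seen[name]} class map"))
            seen.setdefault(name, cm_type)
        elif line.startswith("match ") and current is not None:
            if MATCH_ACL_RE.match(line) or MATCH_PORT_RE.match(line):
                pass             # valid for any class-map type
            elif line.split()[1] in ("port", "tcp", "udp"):
                findings.append((n, "expected 'match port {tcp|udp} {eq port | range port port}'"))
            elif current == "management":
                findings.append((n, "management class map accepts only match access-list or match port"))
        elif line and not line.startswith(("description", "!")):
            current = None   # any other top-level command ends the class-map block
    return findings

# Constructed sample: a valid Layer 3/4 map, then management maps that each break one rule.
SAMPLE_CONFIG = """\
class-map all_udp
 description Layer 3/4 class map matching all UDP traffic
 match access-list udp
class-map type management all_udp
 match access-list udp
class-map type management mgmt_ssh
 match tcp eq 22
class-map type management class-default
 match port tcp eq 443
class-map type management mgmt_any
 match any
"""
```

Running lint_class_maps(SAMPLE_CONFIG) reports the name reuse on line 4, the malformed match on line 7, the reserved name on line 8, and the unsupported match on line 11.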