1-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1 Service Policy Using the Modular Policy Framework
About Service Policies
The Components of a Service Policy
The point of service policies is to apply advanced services to the traffic you are allowing. Any traffic
permitted by access rules can have service policies applied, and thus receive special processing, such as
being redirected to a service module or having application inspection applied.
You can have these types of service policy:
•
One global policy that gets applied to all interfaces.
•
One service policy applied per interface. The policy can be a mix of classes for traffic going through
the device and management traffic directed at the ASA interface rather than going through it,
Each service policy is composed of the following elements:
1.
Service policy map, which is the ordered set of rules, and is named on the
service-policy
command.
In ASDM, the policy map is represented as a folder on the Service Policy Rules page.
2.
Rules, each rule being a
class
command within the service policy map and the commands associated
with the
class
command. In ASDM, each rule is shown on a separate row, and the name of the rule
is the class name.
a.
The
class
command defines the traffic matching criteria for the rule.
b.
The commands associated with class, such as
inspect
,
set connection timeout
, and so forth,
define the services and constraints to apply to matching traffic. Note that inspect commands can
point to inspection policy maps, which define actions to apply to inspected traffic. Keep in mind
that inspection policy maps are not the same as service policy maps.
The following example compares how service policies appear in the CLI with how they appear in ASDM.
Note that there is not a one-to-one mapping between the figure call-outs and lines in the CLI.
The following CLI is generated by the rules shown in the figure above.
: Access lists used in class maps.
: In ASDM, these map to call-out 3, from the Match to the Time fields.
access-list inside_mpc line 1 extended permit tcp 10.100.10.0 255.255.255.0 any eq sip
access-list inside_mpc_1 line 1 extended deny udp host 10.1.1.15 any eq snmp
access-list inside_mpc_1 line 2 extended permit udp 10.1.1.0 255.255.255.0 any eq snmp
access-list inside_mpc_2 line 1 extended permit icmp any any
:
SNMP map for SNMP inspection. Denies all by v3.
: In ASDM, this maps to call-out 4, rule actions, for the class-inside policy.
snmp-map snmp-v3only
deny version 1
deny version 2
deny version 2c
: Inspection policy map to define SIP behavior.
: The sip-high inspection policy map must be referred to by an inspect sip command
Summary of Contents for ASA 5512-X
Page 5: ...P A R T 1 Service Policies and Access Control ...
Page 6: ......
Page 51: ...P A R T 2 Network Address Translation ...
Page 52: ......
Page 127: ...P A R T 3 Application Inspection ...
Page 128: ......
Page 255: ...P A R T 4 Connection Settings and Quality of Service ...
Page 256: ......
Page 303: ...P A R T 5 Advanced Network Protection ...
Page 304: ......
Page 339: ...P A R T 6 ASA Modules ...
Page 340: ......