1-18
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1 Service Policy Using the Modular Policy Framework
Configure Service Policies
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout idle 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout idle 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. Any TCP connection other than Telnet and FTP matches class tcp_traffic. Even though a Telnet or FTP connection could also match class tcp_traffic, the ASA does not make this match because the connection already matched an earlier class; classes are evaluated in configuration order and the first match wins.
Apply Actions to an Interface (Service Policy)
To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces. Use the following command:
service-policy policy_map_name {global | interface interface_name} [fail-close]
Where:
• policy_map_name is the name of the policy map.
• global creates a service policy that applies to all interfaces that do not have a specific policy. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. The default service policy includes the following command:
service-policy global_policy global
• interface interface_name creates a service policy by associating a policy map with an interface.
• fail-close generates a syslog (767001) for IPv6 traffic that is dropped by application inspections that do not support IPv6 traffic. By default, these syslogs are not generated. For a list of inspections that support IPv6, see .
Examples
For example, the following command enables the inbound_policy policy map on the outside interface:
hostname(config)# service-policy inbound_policy interface outside
The following commands disable the default global policy and enable a new one called new_global_policy on all other ASA interfaces:
hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global
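The first-match class evaluation described for the telnet_traffic/ftp_traffic/tcp_traffic policy map, together with the interface-versus-global precedence of service-policy, modelled as an added Python example (not Cisco code or ASA output): the interface names, the class contents assigned to inbound_policy and new_global_policy, and the sample connections are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Conn:
    interface: str  # interface the connection arrives on (constructed names)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class ClassMap:
    name: str
    match: Callable[[Conn], bool]
    idle_timeout: str  # hh:mm:ss as on the CLI; 0:0:0 disables the idle timeout on the ASA
    conn_max: int


# The three classes from the page, in configuration order.
TELNET = ClassMap("telnet_traffic", lambda c: c.proto == "tcp" and c.dport == 23, "0:0:0", 100)
FTP = ClassMap("ftp_traffic", lambda c: c.proto == "tcp" and c.dport == 21, "0:5:0", 50)
TCP = ClassMap("tcp_traffic", lambda c: c.proto == "tcp", "2:0:0", 2000)

# service-policy bindings (constructed): inbound_policy on "outside" carries only the
# Telnet and catch-all TCP classes; new_global_policy governs every other interface.
INTERFACE_POLICY: Dict[str, List[ClassMap]] = {"outside": [TELNET, TCP]}  # service-policy inbound_policy interface outside
GLOBAL_POLICY: List[ClassMap] = [TELNET, FTP, TCP]                         # service-policy new_global_policy global


def resolve_policy(interface: str) -> List[ClassMap]:
    """An interface-specific policy wins; the global policy applies only where none is bound."""
    return INTERFACE_POLICY.get(interface, GLOBAL_POLICY)


def classify(conn: Conn) -> Optional[ClassMap]:
    """First matching class wins; once matched, later classes are not consulted."""
    for cm in resolve_policy(conn.interface):
        if cm.match(conn):
            return cm
    return None  # no class matched: this policy map sets no connection settings


def idle_seconds(hms: str) -> Optional[int]:
    """Convert an ASA hh:mm:ss idle timeout to seconds; None means the timeout is disabled."""
    h, m, s = (int(part) for part in hms.split(":"))
    total = h * 3600 + m * 60 + s
    return None if total == 0 else total
```

Note that an FTP connection arriving on "outside" lands in tcp_traffic, because inbound_policy has no ftp_traffic class and the global policy is not consulted for an interface that has its own policy.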