Cisco ASA Series Firewall CLI Configuration Guide
Chapter 2 Special Actions for Application Inspections (Inspection Policy Map)
Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.
Detailed Steps
Command Purpose
Step 1
(Optional) Create an inspection class map. See Identifying Traffic in an Inspection Class Map, page 2-5. Alternatively, you can identify the traffic directly within the policy map.
Step 2
(Optional) Create a regular expression. For policy map types that support regular expressions, see the general operations configuration guide.
Step 3
Command: policy-map type inspect application policy_map_name
Example:
hostname(config)# policy-map type inspect http http_policy
Purpose: Creates the inspection policy map. See Layer Protocol Inspection, page 6-9 for a list of applications that support inspection policy maps.
The policy_map_name argument is the name of the policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.
Step 4
Specify the traffic on which you want to perform actions using one of the following methods:

Command: class class_map_name
Example:
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)#
Purpose: Specifies the inspection class map that you created in Identifying Traffic in an Inspection Class Map, page 2-5. Not all applications support inspection class maps.

Command: Specify traffic directly in the policy map using one of the match commands described for each application in the inspection chapter.
Example:
hostname(config-pmap)# match req-resp content-type mismatch
hostname(config-pmap-c)#
Purpose: If you use a match not command, then any traffic that matches the criterion in the match not command does not have the action applied. For policy map types that support regular expressions, see the general operations configuration guide.
Step 5
Command: action
Example:
hostname(config-pmap-c)# drop-connection log
Purpose: Specifies the action you want to perform on the matching traffic. Actions vary depending on the inspection and match type. Common actions include: drop, log, and drop-connection. For the actions available for each match, see the appropriate inspection chapter.
Step 6
Command: parameters
Example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
Purpose: Configures parameters that affect the inspection engine. The CLI enters parameters configuration mode. For the parameters available for each application, see the appropriate inspection chapter.
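The steps above combined into one HTTP configuration, as an added example that is not taken from this page of the guide. The names http_traffic and http_policy come from the examples above; the class map criterion, the protocol-violation parameter, and the use of the default global_policy and inspection_default class are assumptions chosen for illustration.

```cisco
! Step 1 (optional): inspection class map that identifies the traffic.
! The body-length criterion is a constructed sample value.
hostname(config)# class-map type inspect http match-all http_traffic
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# exit
!
! Step 3: create the inspection policy map (name limited to 40 characters,
! and unique across all policy map types).
hostname(config)# policy-map type inspect http http_policy
!
! Step 6: parameters that affect the inspection engine as a whole.
hostname(config-pmap)# parameters
hostname(config-pmap-p)# protocol-violation action drop-connection log
hostname(config-pmap-p)# exit
!
! Step 4, method 1: reference the inspection class map.
! Step 5: action applied to traffic that matches the class.
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# exit
!
! Step 4, method 2: match directly in the policy map.
! Step 5: a different action for this match.
hostname(config-pmap)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
!
! The actions take effect only when the inspection engine is enabled in a
! Layer 3/4 policy map that references the inspection policy map.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_policy
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy global_policy global
!
! Verify what was applied.
hostname(config)# show running-config policy-map http_policy
hostname(config)# show service-policy inspect http
```

Both actions include log so that each drop or reset produces a syslog entry that can be reviewed when tuning the match criteria.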