11-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
About Service Policies
You can have these types of service policy:
•
One global policy that gets applied to all interfaces.
•
One service policy applied per interface. The policy can be a mix of classes for traffic going through
the device and management traffic directed at the ASA interface rather than going through it,
Each service policy is composed of the following elements:
1.
Service policy map, which is the ordered set of rules, and is named on the
service-policy
command.
In ASDM, the policy map is represented as a folder on the Service Policy Rules page.
2.
Rules, each rule being a
class
command within the service policy map and the commands associated
with the
class
command. In ASDM, each rule is shown on a separate row, and the name of the rule
is the class name.
a.
The
class
command defines the traffic matching criteria for the rule.
b.
The commands associated with class, such as
inspect
,
set connection timeout
, and so forth,
define the services and constraints to apply to matching traffic. Note that inspect commands can
point to inspection policy maps, which define actions to apply to inspected traffic. Keep in mind
that inspection policy maps are not the same as service policy maps.
The following example compares how service policies appear in the CLI with how they appear in ASDM.
Note that there is not a one-to-one mapping between the figure call-outs and lines in the CLI.
The following CLI is generated by the rules shown in the figure above.
: Access lists used in class maps.
: In ASDM, these map to call-out 3, from the Match to the Time fields.
access-list inside_mpc line 1 extended permit tcp 10.100.10.0 255.255.255.0 any eq sip
access-list inside_mpc_1 line 1 extended deny udp host 10.1.1.15 any eq snmp
access-list inside_mpc_1 line 2 extended permit udp 10.1.1.0 255.255.255.0 any eq snmp
access-list inside_mpc_2 line 1 extended permit icmp any any
:
SNMP map for SNMP inspection. Denies all but v3.
: In ASDM, this maps to call-out 4, rule actions, for the class-inside policy.
snmp-map snmp-v3only
deny version 1
deny version 2
deny version 2c
: Inspection policy map to define SIP behavior.
: The sip-high inspection policy map must be referred to by an inspect sip command
: in the service policy map.
: In ASDM, this maps to call-out 4, rule actions, for the sip-class-inside policy.
policy-map type inspect sip sip-high
parameters
rtp-conformance enforce-payloadtype
no traffic-non-sip
software-version action mask log
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......