29-3
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 29 Configuring a Service Policy
Information About Service Policies
Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional
when applied to a single interface only apply to the ingress of each interface when applied globally.
Because the policy is applied to all interfaces, the policy will be applied in both directions, so
bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See
Table 29-2 for the directionality of each feature.
Feature Matching Within a Service Policy
See the following information for how a packet matches rules in a policy for a given interface:
1. A packet can match only one rule for an interface for each feature type.
2. When the packet matches a rule for a feature type, the adaptive security appliance does not attempt
to match it to any subsequent rules for that feature type.
3. If the packet matches a subsequent rule for a different feature type, however, then the adaptive
security appliance also applies the actions for the subsequent rule, if supported. See the
“Incompatibility of Certain Feature Actions” section on page 29-5 for more information about
unsupported combinations.
For example, if a packet matches a rule for connection limits, and also matches a rule for application
inspection, then both actions are applied.
If a packet matches a rule for HTTP inspection, but also matches another rule that includes HTTP
inspection, then the second rule's actions are not applied.
Note: Application inspection includes multiple inspection types, and each inspection type is a separate feature
when you consider the matching guidelines above.
Table 29-2 Feature Directionality

Feature                                                                            Single Interface Direction   Global Direction
Application inspection (multiple types)                                            Bidirectional                Ingress
CSC                                                                                Bidirectional                Ingress
IPS                                                                                Bidirectional                Ingress
NetFlow Secure Event Logging filtering                                             N/A                          Ingress
QoS input policing                                                                 Ingress                      Ingress
QoS output policing                                                                Egress                       Egress
QoS standard priority queue                                                        Egress                       Egress
QoS traffic shaping, hierarchical priority queue                                   Egress                       Egress
TCP and UDP connection limits and timeouts, and TCP sequence number randomization  Bidirectional                Ingress
TCP normalization                                                                  Bidirectional                Ingress
TCP state bypass                                                                   Bidirectional                Ingress
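The following model of the matching rules in "Feature Matching Within a Service Policy" and of the directionality in Table 29-2 is added here as an illustration; it is not code from Cisco or from this guide. The feature names, class names and sample packets are constructed for the example.

```python
# Model of ASA service-policy matching (rules 1-3 above) and feature directionality
# (Table 29-2). Added example, not Cisco code; feature names, rules and packets are
# constructed for illustration.
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Rule = Tuple[str, str, Callable[[Packet], bool], str]  # (class, feature, match, action)

# Table 29-2, "Single Interface Direction" column; None = interface policies
# cannot carry this feature (NetFlow filtering is global-only).
NATIVE_DIRECTION: Dict[str, Optional[str]] = {
    "inspect_http": "bidirectional", "inspect_dns": "bidirectional",
    "conn_limits": "bidirectional", "tcp_normalization": "bidirectional",
    "qos_input_policing": "ingress", "qos_priority_queue": "egress",
    "netflow_filtering": None,
}

def apply_policy(rules: List[Rule], packet: Packet) -> Dict[str, str]:
    """Return {feature_type: action} applied to `packet` on one interface.
    Rules 1-2: only the first matching rule per feature type counts; later rules
    for that feature type are not consulted. Rule 3: matching rules for other
    feature types are applied too (each inspection type is its own feature)."""
    applied: Dict[str, str] = {}
    for _class, feature, matches, action in rules:
        if feature in applied:
            continue  # feature type already decided by an earlier rule
        if matches(packet):
            applied[feature] = action
    return applied

def feature_applies(feature: str, scope: str, direction: str) -> bool:
    """Does `feature` act on a packet moving `direction` ('ingress'/'egress')
    through an interface under a policy of `scope` ('interface'/'global')?
    Per Table 29-2, bidirectional features act on ingress only when global."""
    native = NATIVE_DIRECTION[feature]
    if native is None:
        return scope == "global" and direction == "ingress"
    if native == "bidirectional":
        return scope == "interface" or direction == "ingress"
    return direction == native  # unidirectional QoS keeps its direction

# Constructed policy mirroring the text: HTTP inspection, connection limits, a
# catch-all class that also includes HTTP inspection, and DNS inspection.
POLICY: List[Rule] = [
    ("http_class", "inspect_http", lambda p: p["proto"] == "tcp" and p["dport"] == 80, "inspect http"),
    ("tcp_class", "conn_limits", lambda p: p["proto"] == "tcp", "set connection conn-max 1000"),
    ("any_class", "inspect_http", lambda p: True, "inspect http (catch-all)"),
    ("dns_class", "inspect_dns", lambda p: p["proto"] == "udp" and p["dport"] == 53, "inspect dns"),
]
```

For a TCP/80 packet, `apply_policy` returns the first HTTP inspection and the connection limits but not the catch-all HTTP inspection, which is exactly the outcome the two examples above describe.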