29-9
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 29 Configuring a Service Policy
Adding a Service Policy Rule for Through Traffic
Step 2 In the Create a Service Policy and Apply To area, click one of the following options:
• Interface. This option applies the service policy to a single interface. Interface service policies take
precedence over the global service policy for a given feature. For example, if you have a global
policy with FTP inspection, and an interface policy with TCP connection limits, then both FTP
inspection and TCP connection limits are applied to the interface. However, if you have a global
policy with FTP inspection, and an interface policy with FTP inspection, then only the interface
policy FTP inspection is applied to that interface.
a. Choose an interface from the drop-down list.
If you choose an interface that already has a policy, then the wizard lets you add a new service
policy rule to the interface.
b. If it is a new service policy, enter a name in the Policy Name field.
c. (Optional) Enter a description in the Description field.
• Global - applies to all interfaces. This option applies the service policy globally to all interfaces.
By default, a global policy exists that includes a service policy rule for default application
inspection. See the “Default Settings” section on page 29-7 for more information. You can add a rule
to the global policy using the wizard.
Step 3 Click Next.
The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.
Step 4 Click one of the following options to specify the traffic to which to apply the policy actions:
• Create a new traffic class. Enter a traffic class name in the Create a new traffic class field, and enter
an optional description.
Identify the traffic using one of several criteria:
–
Default Inspection Traffic—The class matches the default TCP and UDP ports used by all
applications that the adaptive security appliance can inspect.
This option, which is used in the default global policy, is a special shortcut that when used in a
rule, ensures that the correct inspection is applied to each packet, based on the destination port
of the traffic. For example, when UDP traffic for port 69 reaches the adaptive security appliance,
then the adaptive security appliance applies the TFTP inspection; when TCP traffic for port 21
arrives, then the adaptive security appliance applies the FTP inspection. So in this case only,
you can configure multiple inspections for the same rule (See the “Incompatibility of Certain
Feature Actions” section on page 29-5 for more information about combining actions).
Normally, the adaptive security appliance does not use the port number to determine the
inspection applied, thus giving you the flexibility to apply inspections to non-standard ports, for
example.
See the “Default Settings” section on page 36-3 for a list of default ports. The adaptive security
appliance includes a default global policy that matches the default inspection traffic, and applies
common inspections to the traffic on all interfaces. Not all applications whose ports are included
in the Default Inspection Traffic class are enabled by default in the policy map.
You can specify a Source and Destination IP Address (uses ACL) class along with the Default
Inspection Traffic class to narrow the matched traffic. Because the Default Inspection Traffic
class specifies the ports and protocols to match, any ports and protocols in the access list are
ignored.
–
Source and Destination IP Address (uses ACL)—The class matches traffic specified by an
extended access list. If the adaptive security appliance is operating in transparent firewall mode,
you can use an EtherType access list.
To Next Page
Loading...
Need help?
General
