11-14
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
Configure Service Policies
hostname(config-cmap)# match default-inspection-traffic
This command, which is used in the default global policy, is a special CLI shortcut that when used
in a policy map, ensures that the correct inspection is applied to each packet, based on the
destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the
ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the
FTP inspection. So in this case only, you can configure multiple inspections for the same class map
(with the exception of WAAS inspection, which can be configured with other inspections. See
Incompatibility of Certain Feature Actions, page 11-6 for more information about combining
actions). Normally, the ASA does not use the port number to determine the inspection applied, thus
giving you the flexibility to apply inspections to non-standard ports, for example.
See Default Inspections and NAT Limitations, page 12-6 for a list of default ports. Not all
applications whose ports are included in the match default-inspection-traffic command are
enabled by default in the policy map.
You can specify a match access-list command along with the match default-inspection-traffic
command to narrow the matched traffic. Because the match default-inspection-traffic command
specifies the ports and protocols to match, any ports and protocols in the ACL are ignored.
• match dscp value1 [value2] [...] [value8]—Matches the DSCP value in an IP header, up to eight
DSCP values.
hostname(config-cmap)# match dscp af43 cs1 ef
• match precedence value1 [value2] [value3] [value4]—Matches up to four precedence values,
represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7,
corresponding to the possible precedences.
hostname(config-cmap)# match precedence 1 4
• match rtp starting_port range—Matches RTP traffic, where the starting_port specifies an
even-numbered UDP destination port between 2000 and 65534. The range specifies the number of
additional UDP ports to match above the starting_port, between 0 and 16383.
hostname(config-cmap)# match rtp 4004 100
• match tunnel-group name—Matches VPN tunnel group traffic to which you want to apply QoS.
You can also specify one other match command to refine the traffic match. You can specify any of
the preceding commands, except for the match any, match access-list, or match
default-inspection-traffic commands. Or you can also enter the match flow ip
destination-address command to match flows in the tunnel group going to each IP address.
hostname(config-cmap)# match tunnel-group group1
hostname(config-cmap)# match flow ip destination-address
Examples
The following is an example for the class-map command:
hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
To Next Page
Loading...
Need help?
General
