1-4
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Defining Actions in an Inspection Policy Map
Note There are other default inspection policy maps such as _default_esmtp_map. For example, inspect
esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown
by using the show running-config all policy-map command.
Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.
Detailed Steps
Command Purpose
Step 1
(Optional)
Create an inspection class map.
See the “Identifying Traffic in an Inspection Class Map” section
on page 1-5.
Alternatively, you can identify the traffic directly within the
policy map.
Step 2
(Optional)
Create a regular expression.
For policy map types that support regular expressions, see the
“Defining Actions in an Inspection Policy Map” section on
page 1-4 in the general operations configuration guide.
Step 3
policy-map type inspect application
policy_map_name
Example:
hostname(config)# policy-map type inspect
http http_policy
Creates the inspection policy map. See the “Configuring
Application Layer Protocol Inspection” section on page 1-7 for a
list of applications that support inspection policy maps.
The policy_map_name argument is the name of the policy map up
to 40 characters in length. All types of policy maps use the same
name space, so you cannot reuse a name already used by another
type of policy map. The CLI enters policy-map configuration
mode.
Step 4
Specify the traffic on which you want to perform actions using one of the following methods:
class class_map_name
Example:
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)#
Specifies the inspection class map that you created in the
“Identifying Traffic in an Inspection Class Map” section on
page 1-5.
Not all applications support inspection class maps.
Specify traffic directly in the policy map using
one of the match commands described for each
application in the inspection chapter.
Example:
hostname(config-pmap)# match req-resp
content-type mismatch
hostname(config-pmap-c)#
If you use a match not command, then any traffic that matches the
criterion in the match not command does not have the action
applied.
For policy map types that support regular expressions, see the
“Defining Actions in an Inspection Policy Map” section on
page 1-4 in the general operations configuration guide.
To Next Page
Loading...
Need help?
General
