11-19
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
Examples for Service Policies (Modular Policy Framework)
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000
hostname(config)# service-policy http_traffic_policy interface outside
Applying Inspection to HTTP Traffic Globally
In this example, any HTTP connection (TCP traffic on port 80) that enters the ASA through any interface
is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the
traffic enters each interface.
Figure 11-2 Global HTTP Inspection
See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example, any HTTP connection destined for Server A (TCP traffic on port 80) that enters the ASA
through the outside interface is classified for HTTP inspection and maximum connection limits.
Connections initiated from Server A to Host A do not match the ACL in the class map, so they are not
affected.
Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified
for HTTP inspection. Connections initiated from Server B to Host B do not match the ACL in the class
map, so they are not affected.
inside
port 80
outside
A
Host A
Host B
port 80
insp.
insp.
Security
appliance
143414
To Next Page
Loading...
Need help?
General
