Cisco Systems ASA 5580 User Manual

1-5
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 1      Configuring a Service Policy Using the Modular Policy Framework
  Information About Service Policies
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list may not include all incompatibilities; for information about compatibility of each feature, see the chapter or section for your feature:
• You cannot configure QoS priority queueing and QoS policing for the same set of traffic.
• Most inspections should not be combined with another inspection, so the ASA only applies one inspection if you configure multiple inspections for the same traffic. HTTP inspection can be combined with the Cloud Web Security inspection. Other exceptions are listed in the
• You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.
• HTTP inspection is not compatible with the ASA CX.
• The ASA CX is not compatible with Cloud Web Security.
Note
The match default-inspection-traffic command, which is used in the default global policy, is a special CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map. Normally, the ASA does not use the port number to determine which inspection to apply, thus giving you the flexibility to apply inspections to non-standard ports, for example.
This traffic class does not include the default ports for Cloud Web Security inspection (80 and 443).
An example of a misconfiguration is if you configure multiple inspections in the same policy map and do not use the default-inspection-traffic shortcut. In Example 1-1, traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection. In Example 1-2, traffic destined to port 80 is mistakenly configured for both FTP and HTTP inspection. In both misconfiguration examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of inspections applied.
Example 1-1    Misconfiguration for FTP packets: HTTP Inspection Also Configured

class-map ftp
   match port tcp eq 21
class-map http
   match port tcp eq 21      [it should be 80]
policy-map test
   class ftp
     inspect ftp
   class http
     inspect http
Example 1-2    Misconfiguration for HTTP packets: FTP Inspection Also Configured

class-map ftp
   match port tcp eq 80      [it should be 21]
class-map http
   match port tcp eq 80
policy-map test
   class http
     inspect http
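A small lint for the overlap that Examples 1-1 and 1-2 illustrate, added here as an example and not taken from the Cisco guide: it parses a class-map/policy-map excerpt, groups the inspections each policy-map would apply by the TCP/UDP port the class-maps match, and reports ports that would receive more than one inspection together with the one the ASA actually applies (FTP before HTTP, as the text states). The ordering beyond FTP-before-HTTP, the `scansafe` keyword for the Cloud Web Security inspection, and the restriction to class-maps that match a single port are assumptions of this example.

```python
from collections import defaultdict
# Inspection order as the guide states it (FTP before HTTP); unlisted ones sort last (assumption).
INSPECTION_ORDER = {"ftp": 0, "http": 1}
# The pairing the guide allows: HTTP with Cloud Web Security (assumed CLI keyword: scansafe).
ALLOWED_COMBOS = {frozenset({"http", "scansafe"})}
def parse_config(text):
    """Return ({class-map: (proto, port)}, {policy-map: {class: [inspections]}})."""
    class_ports, policies = {}, defaultdict(lambda: defaultdict(list))
    cls = pol = None
    for raw in text.splitlines():
        tok = raw.split("[")[0].split() or [""]  # drop the guide's "[it should be ...]" notes
        if tok[0] == "class-map":                      # class-map NAME
            cls, pol = tok[1], None
        elif tok[:2] == ["match", "port"] and len(tok) == 5 and tok[3] == "eq":
            class_ports[cls] = (tok[2], int(tok[4]))   # match port PROTO eq PORT
        elif tok[0] == "policy-map":                   # policy-map NAME
            pol, cls = tok[1], None
        elif tok[0] == "class":                        # class NAME (in a policy-map)
            cls = tok[1]
        elif tok[0] == "inspect":                      # inspect PROTOCOL
            policies[pol][cls].append(tok[1])
    return class_ports, policies

def find_overlaps(text):
    """Map (policy, (proto, port)) -> {configured inspections, the one the ASA applies}."""
    class_ports, policies = parse_config(text)
    findings = {}
    for pol, classes in policies.items():
        per_port = defaultdict(list)
        for cls, inspections in classes.items():
            if cls in class_ports:  # only single-port class-maps are modelled here
                per_port[class_ports[cls]].extend(inspections)
        for key, insps in per_port.items():
            unique = list(dict.fromkeys(insps))  # dedupe, keep config order
            if len(unique) > 1 and frozenset(unique) not in ALLOWED_COMBOS:
                applied = min(unique, key=lambda n: INSPECTION_ORDER.get(n, 99))
                findings[(pol, key)] = {"configured": unique, "applied": applied}
    return findings
# Constructed input: Example 1-1 from the guide, as written, note included.
EXAMPLE_1_1 = """\
class-map ftp
   match port tcp eq 21
class-map http
   match port tcp eq 21      [it should be 80]
policy-map test
   class ftp
     inspect ftp
   class http
     inspect http
"""
```

Running `find_overlaps(EXAMPLE_1_1)` flags tcp/21 in policy-map test as configured for both ftp and http with only ftp applied; fixing the http class-map to port 80 makes the report empty.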