Cisco Systems ASA 5580 User Manual
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
Defining Actions in an Inspection Policy Map
Note
There are other default inspection policy maps such as _default_esmtp_map. For example, inspect
esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown
by using the show running-config all policy-map command.
Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable
actions as defined in an inspection policy map.
Detailed Steps
Command Purpose
Step 1
(Optional)
Create an inspection class map.
See the
.
Alternatively, you can identify the traffic directly within the
policy map.
Step 2
(Optional)
Create a regular expression.
For policy map types that support regular expressions, see the
general operations configuration guide.
Step 3
policy-map type inspect application policy_map_name
Example:
ciscoasa(config)# policy-map type inspect http http_policy
Creates the inspection policy map. See the
list of applications that support inspection policy maps.
The policy_map_name argument is the name of the policy map up
to 40 characters in length. All types of policy maps use the same
name space, so you cannot reuse a name already used by another
type of policy map. The CLI enters policy-map configuration
mode.
Step 4
Specify the traffic on which you want to perform actions using one of the following methods:
class class_map_name
Example:
ciscoasa(config-pmap)# class http_traffic
ciscoasa(config-pmap-c)#
Specifies the inspection class map that you created in the
.
Not all applications support inspection class maps.
Specify traffic directly in the policy map using
one of the match commands described for each
application in the inspection chapter.
Example:
ciscoasa(config-pmap)# match req-resp content-type mismatch
ciscoasa(config-pmap-c)#
If you use a match not command, then any traffic that matches the
criterion in the match not command does not have the action
applied.
For policy map types that support regular expressions, see the
general operations configuration guide.
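Steps 1 through 4 above put together as one configuration, as an added example that is not taken from the Cisco guide. The regex name and pattern (admin_uri) are constructed, the drop-connection and log actions are assumed from the later steps of this procedure that this excerpt does not show, and global_policy and inspection_default are the ASA default Layer 3/4 policy map and class.

```cisco
! Step 2 (optional): regular expression. Name and pattern are constructed.
regex admin_uri "/admin/"
!
! Step 1 (optional): inspection class map, named as in the Step 4 example.
class-map type inspect http match-all http_traffic
 match req-resp content-type mismatch
!
! Step 3: inspection policy map. The name is limited to 40 characters and
! must not collide with any other policy map, whatever its type.
policy-map type inspect http http_policy
!
! Step 4, first method: reference the inspection class map, then set the
! action for traffic it matches (action assumed, not shown in this excerpt).
 class http_traffic
  drop-connection log
!
! Step 4, second method: match directly in the policy map.
 match request uri regex admin_uri
  log
!
! Enable the inspection engine in the Layer 3/4 policy map and attach the
! inspection policy map to it.
policy-map global_policy
 class inspection_default
  inspect http http_policy
```

After applying it, show running-config all policy-map lists http_policy alongside the default inspection policy maps mentioned in the note above.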