Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 1      Configuring a Service Policy Using the Modular Policy Framework
  Identifying Traffic (Layer 3/4 Class Maps)
Examples
The following is an example of the class-map command, building three ACLs and four class maps that match them (or a port):
ciscoasa(config)# access-list udp permit udp any any
ciscoasa(config)# access-list tcp permit tcp any any
ciscoasa(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
ciscoasa(config)# class-map all_udp
ciscoasa(config-cmap)# description "This class-map matches all UDP traffic"
ciscoasa(config-cmap)# match access-list udp
ciscoasa(config-cmap)# class-map all_tcp
ciscoasa(config-cmap)# description "This class-map matches all TCP traffic"
ciscoasa(config-cmap)# match access-list tcp
ciscoasa(config-cmap)# class-map all_http
ciscoasa(config-cmap)# description "This class-map matches all HTTP traffic"
ciscoasa(config-cmap)# match port tcp eq http
ciscoasa(config-cmap)# class-map to_server
ciscoasa(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
ciscoasa(config-cmap)# match access-list host_foo
Creating a Layer 3/4 Class Map for Management Traffic
For management traffic to the ASA, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match an ACL or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. See the .
Command / Purpose

Command: match precedence value1 [value2] [value3] [value4]
Example:
hostname(config-cmap)# match precedence 1 4
Purpose: Matches up to four precedence values, represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.

Command: match rtp starting_port range
Example:
hostname(config-cmap)# match rtp 4004 100
Purpose: Matches RTP traffic, where starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The range specifies the number of additional UDP ports to match above the starting_port, between 0 and 16383.

Command: match tunnel-group name
(Optional) match flow ip destination-address
Example:
hostname(config-cmap)# match tunnel-group group1
hostname(config-cmap)# match flow ip destination-address
Purpose: Matches VPN tunnel group traffic to which you want to apply QoS. You can also specify one other match command to refine the traffic match. You can specify any of the preceding commands, except for the match any, match access-list, or match default-inspection-traffic commands. Or you can also enter the match flow ip destination-address command to match flows in the tunnel group going to each IP address.
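The value limits in the table above (precedence 0 to 7, an even RTP starting port between 2000 and 65534, a range up to 16383, and the restriction that match tunnel-group may be combined with only one other match command, never match any, match access-list or match default-inspection-traffic) are easy to get wrong when class maps are generated by scripts or templates. The following lint script is an added example written for this page; it is not Cisco code and does not talk to an ASA. It parses class-map blocks from a constructed configuration sample (the class-map names, the mgmt_ssh management class map and the access-list named udp are assumptions made for the demonstration) and reports every violation of the documented limits before the configuration is pushed.

```python
"""Lint Layer 3/4 class-map match statements against the limits in the
guide's command table. Added example, not Cisco's code; the config
below is constructed for the demonstration."""

import re
from collections import OrderedDict

PRECEDENCE_VALUES = range(0, 8)            # value1..value4 must be 0 to 7
PRECEDENCE_MAX_ARGS = 4                    # at most four precedence values
RTP_PORT_MIN, RTP_PORT_MAX = 2000, 65534   # even UDP destination port
RTP_RANGE_MIN, RTP_RANGE_MAX = 0, 16383    # additional ports above start
# match commands that may not be combined with match tunnel-group
TUNNEL_GROUP_EXCLUDED = {"any", "access-list", "default-inspection-traffic"}

# Constructed sample configuration (assumed names, not from the guide).
SAMPLE_CONFIG = """\
access-list udp permit udp any any
class-map all_udp
 description "This class-map matches all UDP traffic"
 match access-list udp
class-map voice_rtp
 match rtp 4004 100
class-map bad_rtp
 match rtp 4005 20000
class-map prec_ok
 match precedence 1 4
class-map bad_prec
 match precedence 1 9
class-map vpn_qos
 match tunnel-group group1
 match flow ip destination-address
class-map bad_vpn
 match tunnel-group group1
 match access-list udp
class-map type management mgmt_ssh
 match port tcp eq ssh
"""


def check_precedence(args):
    """One to four values, each 0-7 (TOS precedence bits)."""
    errors = []
    if not 1 <= len(args) <= PRECEDENCE_MAX_ARGS:
        errors.append("match precedence takes 1 to 4 values")
    for a in args:
        if not (a.isdigit() and int(a) in PRECEDENCE_VALUES):
            errors.append(f"precedence value {a!r} not in 0-7")
    return errors


def check_rtp(args):
    """starting_port even and 2000-65534; range 0-16383."""
    if len(args) != 2 or not all(a.isdigit() for a in args):
        return ["match rtp needs <starting_port> <range>"]
    port, rng = int(args[0]), int(args[1])
    errors = []
    if port % 2 or not RTP_PORT_MIN <= port <= RTP_PORT_MAX:
        errors.append(f"rtp starting_port {port} must be even and in 2000-65534")
    if not RTP_RANGE_MIN <= rng <= RTP_RANGE_MAX:
        errors.append(f"rtp range {rng} must be in 0-16383")
    return errors


def check_tunnel_group_combo(matches):
    """matches: list of (keyword, args) for one class map."""
    keywords = [k for k, _ in matches]
    others = [k for k in keywords if k != "tunnel-group"]
    errors = []
    if "tunnel-group" in keywords:
        if len(others) > 1:
            errors.append("only one other match command is allowed with match tunnel-group")
        errors += [f"match {k} cannot be combined with match tunnel-group"
                   for k in others if k in TUNNEL_GROUP_EXCLUDED]
    elif "flow" in keywords:
        errors.append("match flow ip destination-address requires match tunnel-group")
    return errors


def parse_class_maps(text):
    """Return OrderedDict of class-map name -> [(match keyword, args), ...]."""
    cmaps, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"class-map(?: type \S+)? (\S+)$", line)
        if m:
            current = m.group(1)
            cmaps[current] = []
        elif current is not None and line.startswith("match "):
            parts = line.split()
            cmaps[current].append((parts[1], parts[2:]))
    return cmaps


def lint_class_maps(text):
    """Map each class-map name to the list of limit violations found."""
    report = {}
    for name, matches in parse_class_maps(text).items():
        errors = []
        for keyword, args in matches:
            if keyword == "precedence":
                errors += check_precedence(args)
            elif keyword == "rtp":
                errors += check_rtp(args)
        errors += check_tunnel_group_combo(matches)
        report[name] = errors
    return report


if __name__ == "__main__":
    for name, errors in lint_class_maps(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not errors else '; '.join(errors)}")
```

Run as a script it prints one line per class map; in the sample, bad_rtp (odd port, range too large), bad_prec (value 9) and bad_vpn (match access-list beside match tunnel-group) are flagged while the rest pass. The parser is deliberately narrow: it recognizes only the class-map and match lines the guide documents on this page, so any other line is ignored rather than guessed at.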