Cisco Systems and the ASA Services Module User Manual
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1 Configuring a Service Policy Using the Modular Policy Framework
Defining Actions (Layer 3/4 Policy Map)
This section describes how to associate actions with Layer 3/4 class maps by creating a Layer 3/4 policy map.
Restrictions
The maximum number of policy maps is 64, but you can only apply one policy map per interface.
Detailed Steps
Command
Purpose
Step 1
class-map type management class_map_name
Example:
ciscoasa(config)# class-map type management all_mgmt
Creates a management class map, where class_map_name is a string up to 40 characters in length. The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Step 2
(Optional)
description string
Example:
hostname(config-cmap)# description All management traffic
Adds a description to the class map.
Step 3
Match traffic using one of the following:
Unless otherwise specified, you can include only one match command in the class map.
match access-list access_list_name
Example:
hostname(config-cmap)# match access-list udp
Matches traffic specified by an extended ACL. If the ASA is operating in transparent firewall mode, you can use an EtherType ACL.
match port {tcp | udp} {eq port_num | range port_num port_num}
Example:
hostname(config-cmap)# match port tcp eq 80
Matches TCP or UDP destination ports, either a single port or a contiguous range of ports.
Tip
For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.
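The following configuration is an added example, not taken from the Cisco guide, that contrasts the two match options for a set of non-contiguous ports: a range wide enough to cover them, and an ACL with one ACE per port as the Tip recommends. The ACL name, class map names and port numbers are assumptions chosen for illustration.

```cisco
! Constructed example: ACL name, class map names and port numbers are
! illustrative and do not come from the Cisco guide.
!
! Too broad: a contiguous range that happens to contain both wanted ports
! also selects every TCP destination port between them.
class-map type management mgmt_range_too_broad
 description TCP 22 through 443, includes unwanted ports
 match port tcp range 22 443
!
! Narrow: one ACE per wanted port, referenced by a single match command.
! An extended ACL can also mix TCP and UDP entries, which a single
! match port command cannot.
access-list MGMT_PORTS extended permit tcp any any eq 22
access-list MGMT_PORTS extended permit tcp any any eq 443
access-list MGMT_PORTS extended permit udp any any eq 161
class-map type management mgmt_exact_ports
 description Only TCP 22, TCP 443 and UDP 161
 match access-list MGMT_PORTS
```

Both class map names stay under the 40-character limit and avoid the reserved name class-default.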