ASA Interface/global Service policy


Hi All,

My ASA has a default global service policy where it does inspection.

I wish to know: if I apply an interface service policy which does MSS exceed allow for only HTTP/HTTPS/SMTP,

is the ASA still doing the default inspection, as it is stated that it will override the default policy?

Rgds

David White Thu, 04/05/2007 - 07:29

The default policy will still take effect. The interface policy will also be used. If there is a conflict between the two policies, then the more specific interface policy wins.

Sincerely,

David.

PS> If this answers your questions, please don't forget to check the box so we can cross this off our list.

Hi David,

Just a quick check: so does it still do HTTP/HTTPS/ESMTP inspection?

A rough config follows. I have 2 policy lists for HTTP: 1 to allow MSS exceed and 1 for HTTP inspection.

access-list MSS extended permit tcp any any eq www
!
tcp-map TCPMSS
 exceed-mss allow
!
class-map inspection_default
 match default-inspection-traffic
class-map MSS-MAP
 match access-list MSS
!
policy-map global_policy
 class inspection_default
  inspect http
policy-map SPHMSS-MAP
 class MSS-MAP
  set connection advanced-options TCPMSS
!
service-policy global_policy global
service-policy SPHMSS-MAP interface outside

Tks & Rgds

Correct Answer
jgervia_2 Thu, 04/05/2007 - 07:57

Yes, that should work.

Alternatively, you might want to turn it on for the whole box:

tcp-map mss-map
 exceed-mss allow
!
class-map match-any
 match any
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class match-any
  set connection advanced-options mss-map
 class inspection_default
  inspect ftp
  inspect icmp
  inspect whateveryouwanttoinspect
!
service-policy global_policy global

Feel free to ping me @ work on sametime if you have more questions.

--Jason
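Added example, not from this thread and not Cisco code: a small Python model of the documented Modular Policy Framework rules that David and Jason describe (each feature type is matched once; the interface policy is consulted first and a feature it settles is not re-evaluated against the global policy; "match default-inspection-traffic" ties "inspect X" to X's default port). It parses the original poster's config (with the SPHMSS-MAP / MSS-MAP names made consistent) and a constructed variant where the interface policy also inspects HTTP, then shows which actions a flow actually receives. The port table is a constructed subset of the ASA defaults and the parser covers only the syntax used in those two snippets.

```python
"""Model of how a Cisco ASA combines a global and an interface service policy.

Added example for this thread; not Cisco code and not the ASA's real implementation.
It encodes the documented MPF rules:
  * each feature type (inspection, connection settings, ...) is matched once per packet;
  * the interface policy is consulted first, and a feature it settles is not
    re-evaluated against the global policy;
  * "match default-inspection-traffic" ties "inspect X" to X's own default port.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed subset of the ASA port names and default-inspection ports; just enough
# for the configs below.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21}
DEFAULT_INSPECTION = {("tcp", 21): "ftp", ("tcp", 25): "esmtp", ("tcp", 80): "http"}
FEATURE_OF = {"inspect": "inspection", "set": "connection"}

# The original poster's config, with its class/policy names made consistent.
OP_CONFIG = """
access-list MSS extended permit tcp any any eq www
tcp-map TCPMSS
 exceed-mss allow
class-map inspection_default
 match default-inspection-traffic
class-map MSS-MAP
 match access-list MSS
policy-map global_policy
 class inspection_default
  inspect http
policy-map SPHMSS-MAP
 class MSS-MAP
  set connection advanced-options TCPMSS
service-policy global_policy global
service-policy SPHMSS-MAP interface outside
"""

# Constructed variant: the interface policy also inspects HTTP, so the same feature
# appears in both policies (the conflict case David describes).
CONFLICT_CONFIG = OP_CONFIG.replace(
    "  set connection advanced-options TCPMSS",
    "  set connection advanced-options TCPMSS\n  inspect http")


@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int
    interface: str  # interface the packet arrives on


def parse_asa(text):
    """Parse the subset of ASA syntax used above into plain dicts."""
    cfg = {"acl": defaultdict(list), "class": {}, "policy": {}, "service": {}}
    ctx = cur = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "access-list":  # only "permit tcp any any eq PORT" is modelled
            port = PORT_NAMES.get(w[-1]) or int(w[-1])
            cfg["acl"][w[1]].append((w[4], port))
        elif w[0] in ("class-map", "policy-map"):
            ctx, cur = w[0], w[1]
            cfg[ctx.split("-")[0]][cur] = []
        elif w[0] == "tcp-map":
            ctx = "tcp-map"  # tcp-map options do not influence matching
        elif w[0] == "service-policy":
            cfg["service"]["global" if w[2] == "global" else w[3]] = w[1]
        elif ctx == "class-map" and w[0] == "match":
            cfg["class"][cur].append(w[1:])
        elif ctx == "policy-map" and w[0] == "class":
            cfg["policy"][cur].append((w[1], []))
        elif ctx == "policy-map":
            cfg["policy"][cur][-1][1].append(" ".join(w))
    return cfg


def class_matches(cfg, name, flow):
    """Return (matched, default_proto); default_proto is set only for
    default-inspection-traffic classes, where it names the protocol of the port."""
    for crit in cfg["class"][name]:
        if crit[0] == "any":
            return True, None
        if crit[0] == "default-inspection-traffic":
            proto = DEFAULT_INSPECTION.get((flow.proto, flow.dport))
            return proto is not None, proto
        if crit[0] == "access-list":
            hit = any(p == flow.proto and port == flow.dport for p, port in cfg["acl"][crit[1]])
            return hit, None
    return False, None


def applied_actions(cfg, flow):
    """Map feature type -> (policy-map name, action) for one flow."""
    applied = {}
    # Interface policy first; a feature it settles is not re-evaluated globally.
    for target in (flow.interface, "global"):
        pol = cfg["service"].get(target)
        if pol is None:
            continue
        for cls, actions in cfg["policy"][pol]:
            matched, default_proto = class_matches(cfg, cls, flow)
            if not matched:
                continue
            for act in actions:
                feat = FEATURE_OF.get(act.split()[0], act.split()[0])
                if feat in applied:
                    continue  # one class per feature type; first match wins
                if feat == "inspection" and default_proto and act.split()[1] != default_proto:
                    continue  # "inspect X" in this class only fires on X's default port
                applied[feat] = (pol, act)
    return applied


if __name__ == "__main__":
    cfg = parse_asa(OP_CONFIG)
    for f in (Flow("tcp", 80, "outside"), Flow("tcp", 443, "outside"), Flow("tcp", 80, "inside")):
        print(f, applied_actions(cfg, f))
    print("conflict:", applied_actions(parse_asa(CONFLICT_CONFIG), Flow("tcp", 80, "outside")))
```

For HTTP arriving on outside, the model applies the TCPMSS connection setting from the interface policy and HTTP inspection from the global policy, which is the answer the thread gives; in the conflict variant the interface policy's "inspect http" is used and the global one is skipped for that flow.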
