ASA Interface/global Service policy

Answered Question

Hi All...


My ASA has a default global service policy where it does inspection.

And I wish to know: if I apply an interface service policy which does MSS exceed allow for only HTTP/HTTPS/SMTP,

is the ASA still doing the default inspection, as it's stated that it will override the default policy?


Rgds

David White (Cisco Employee) Thu, 04/05/2007 - 07:29

The default policy will still take effect. The interface policy will also be used. If there is a conflict between the two policies, then the more specific interface policy wins.


Sincerely,


David.


PS> If this answers your questions, please don't forget to check the box so we can cross this off our list.
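A worked configuration illustrating the precedence rule described in the reply above, added here as an example; it is not part of the original thread or of David's post. The interface name `outside` and the ACL, tcp-map, class-map and policy-map names (`MSS-HOSTS`, `TCPMSS-ALLOW`, `MSS-TRAFFIC`, `OUTSIDE-POLICY`) are assumed for illustration; the feature set (HTTP/ESMTP/FTP inspection globally, `exceed-mss allow` for HTTP/HTTPS/SMTP on one interface) follows the scenario in the question. One caveat a practitioner should keep in mind: the tcp-map default for segments larger than the negotiated MSS is `exceed-mss drop`, so `exceed-mss allow` relaxes a TCP normalizer check and is best scoped to the narrowest class that needs it, as below, rather than applied box-wide.

```cisco
! Added example, not from the original thread. Names are assumed.
!
! 1) Global policy: application inspection on every interface.
policy-map global_policy
 class inspection_default
  inspect http
  inspect esmtp
  inspect ftp
!
service-policy global_policy global
!
! 2) Interface policy on "outside": allow TCP segments that exceed the
!    negotiated MSS, but only for HTTP/HTTPS/SMTP flows.
access-list MSS-HOSTS extended permit tcp any any eq www
access-list MSS-HOSTS extended permit tcp any any eq https
access-list MSS-HOSTS extended permit tcp any any eq smtp
!
tcp-map TCPMSS-ALLOW
 exceed-mss allow
!
class-map MSS-TRAFFIC
 match access-list MSS-HOSTS
!
policy-map OUTSIDE-POLICY
 class MSS-TRAFFIC
  set connection advanced-options TCPMSS-ALLOW
!
service-policy OUTSIDE-POLICY interface outside
!
! Result on "outside": a port-80 flow gets "inspect http" from
! global_policy (the interface policy configures no inspection, so the
! two policies do not conflict) AND the normalizer option from
! OUTSIDE-POLICY. Every other interface sees only global_policy.
!
! 3) The conflicting case: if OUTSIDE-POLICY also configured the SAME
!    feature for that traffic, i.e.
!
!   policy-map OUTSIDE-POLICY
!    class MSS-TRAFFIC
!     set connection advanced-options TCPMSS-ALLOW
!     inspect http
!
! then only the interface policy's "inspect http" runs on "outside";
! the global_policy HTTP inspection is not applied there, while the
! other global features (inspect esmtp, inspect ftp) still are.
!
! Verification:
!   show service-policy global
!   show service-policy interface outside
```

`show service-policy global` and `show service-policy interface outside` list the classes and features active in each policy with per-feature packet counters, so after sending some HTTP traffic through `outside` you can confirm that both the global `inspect http` counter and the interface `set connection` counter increment for the same flow.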

Hi David..


Just a quick check: does it still do HTTP/HTTPS/ESMTP inspection?

A rough config follows. I have 2 policy lists for HTTP: 1 to allow MSS exceed and 1 for HTTP inspection.


access-list MSS extended permit tcp any any eq www
!
tcp-map TCPMSS
 exceed-mss allow
!
class-map inspection_default
 match default-inspection-traffic
class-map MSS-MAP
 match access-list MSS
!
! global policy: inspection only
policy-map global_policy
 class inspection_default
  inspect http
!
! interface policy: TCP normalizer option for the HTTP class only
policy-map SPHMSS-MAP
 class MSS-MAP
  set connection advanced-options TCPMSS
!
service-policy global_policy global
service-policy SPHMSS-MAP interface outside


Tks & Rgds




Correct Answer
jgervia_2 Thu, 04/05/2007 - 07:57

Yes, that should work.


Alternatively, you might want to turn it on for the whole box:


tcp-map mss-map
 exceed-mss allow
!
! class that matches every packet, so the tcp-map applies box-wide
class-map all-traffic
 match any
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class all-traffic
  set connection advanced-options mss-map
 class inspection_default
  inspect ftp
  inspect icmp
  ! add whatever else you want to inspect here
!
service-policy global_policy global


Feel free to ping me @ work on sametime if you have more questions.


--Jason


