Applying a service policy

Unanswered Question
Apr 8th, 2008

On our ASA 5510, I've got the global default-inspection policy enabled and pretty much unchanged since installing the firewall.

However, I created a new interface policy that rate-limits (police) inbound traffic to our internal proxy server. Just slowing down the internet traffic our users are creating.

The new interface policy I created is applied to the inside interface.

I'm just nervous that applying that new interface policy has made our firewall less secure, since it says "Interface policies overwrite the global_policy". If I still have the global default-inspection policy enabled, and this new interface policy is only applied to the inside interface, I'm still OK inspection-wise with outside traffic coming in, aren't I?

superalan Fri, 04/11/2008 - 11:57

Hi Snooter,

I have very much the same config. Yes, an interface-specific policy overwrites the global one, but in our case it works only for [Inside]. The global policy keeps spanning [Outside] as long as no interface-specific policy is applied to it (which is true in my case).

Anyway, you might check the status with "sh service-policy" command, to ensure your ASA keeps inspecting.

The default inspection policy-map doesn't really add much to your security policy, as it's only concerned with opening dynamic ports through the firewall and handling embedded IP addresses which need to be translated (e.g. NetBIOS).

The only adverse effect could be certain protocols will no longer work between interfaces. Although generally inside traffic (security level 100) is permitted anyway so you should be fine.

Regarding your policing config, you might want to rate-limit in the input direction on the outside interface or the output direction on the interface facing either the proxy server or internal users. The idea is to limit the return traffic as this is what actually consumes the most bandwidth when people are browsing the web.
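The configuration the two posts describe, as an added example that is not from either poster's firewall: the shipped global_policy with its default inspections left untouched, a separate interface policy that polices traffic toward the proxy, and the show commands used to confirm inspection is still running on both interfaces. The proxy address, port, ACL and class names, and the rate values are assumptions chosen for illustration. The ASA combines the two policies per feature: a feature configured in the interface policy replaces the same feature from the global policy on that interface only, while features present only in the global policy (here, all the inspections) still apply to every interface, inside included.

```cisco
! --- Default global policy, as shipped; left unchanged (abbreviated) ---
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global

! --- Added interface policy (assumed names and values) ---
! Proxy at 10.10.10.50 listening on TCP 3128 is an assumption.
access-list PROXY_TRAFFIC extended permit tcp any host 10.10.10.50 eq 3128
!
class-map PROXY_CLASS
 match access-list PROXY_TRAFFIC
!
! Option 1 (the original post): police what arrives on inside toward the proxy.
! Rate is bits per second, burst is bytes; 2 Mbit/s with a 37500-byte burst.
policy-map INSIDE_POLICY
 class PROXY_CLASS
  police input 2000000 37500 conform-action transmit exceed-action drop
!
service-policy INSIDE_POLICY interface inside

! Option 2 (superalan's suggestion): police the return traffic instead,
! i.e. the output direction on the interface facing the proxy or users.
! Shown as an alternative class in the same interface policy.
! policy-map INSIDE_POLICY
!  class PROXY_CLASS
!   police output 2000000 37500 conform-action transmit exceed-action drop

! --- Checks ---
! Confirm which policy is bound where; the global line still lists
! the inspections and the inside line shows the police counters.
show service-policy
show service-policy interface inside
show service-policy interface outside
show running-config service-policy
```

In the output of show service-policy, the "Global policy:" section lists every inspect engine with packet counters, and the "Interface inside:" section lists the police rule with conformed/exceeded counters. Seeing both confirms that the inside policy added policing without removing the default inspections from any interface. Whether policing input on inside or output toward the users is the better fit depends on which direction actually carries the bulk of the bytes; for web browsing that is normally the returning traffic, as the reply above notes.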

