ASA5510+SSM meaning of configuration line.

Sep 30th, 2008

Please teach me the following config line.

"service-policy global_policy global"

Is this configuration a necessity?

If I delete the configuration line, will I have any troubles with FireWall Technology?

robertson.michael Tue, 09/30/2008 - 06:13

Hi Shigenori,

This line applies your global_policy policy-map to all active interfaces on your ASA. So, any traffic that comes in on any interface will be subject to the inspection rules defined by your global_policy (assuming it matches a class-map).

Without seeing the rest of your configuration, it is impossible to say how removing this line will affect your firewall. Take a look at the output of 'show run' (or 'show run | b class-map') and 'show service-policy' to see the inspection rules that are applied to this policy.

Hope that helps.

-Mike

s-ito65535 Tue, 09/30/2008 - 07:53

Hi Mike,

Thank you for your technical advice about global policy.

The current configuration is the following.

The class-map line is the default configuration.


ASA Version 8.0(3)
!
hostname asa5510sample
domain-name sample-sm.jp
enable password
names
!
interface Ethernet0/0
 nameif outside
 security-level 100
 pppoe client vpdn group GPPPOE
 ip address 121.186.XXX.XXX 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.XXX.XXX 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.16.XXX.XXX 255.255.255.0
!
passwd
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone JST 9
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 121.113.XXX.XXX
 domain-name sample-sm.jp
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in_1 extended permit ip any any
access-list http-list2 extended permit tcp any any
!
tcp-map mss-map
 exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu outside 1454
mtu inside 1454
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.100.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
nat (inside) 1 192.168.20.0 255.255.255.0
nat (management) 1 172.16.100.0 255.255.255.0
access-group inside_access_in_1 in interface inside
route inside 10.0.0.0 255.255.255.0 192.168.0.252 1
route management 172.16.100.2 255.255.255.255 172.16.100.1 2
route inside 192.168.1.0 255.255.255.0 192.168.0.252 1
route inside 192.168.2.0 255.255.255.0 192.168.0.252 1
route inside 192.168.3.0 255.255.255.0 192.168.0.252 1
route inside 192.168.20.0 255.255.255.0 192.168.0.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 172.16.100.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group GPPPOE request dialout pppoe
vpdn group GPPPOE localname XXXXsample@XXXXXX.XXX.ne.jp
vpdn group GPPPOE ppp authentication chap
vpdn username [email protected] password *********
threat-detection basic-threat
threat-detection statistics access-list
username asapri password privilege 15
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  csc fail-open
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXeba14c1bd38444ae90113925
: end


I'm waiting for more of your advice.

Thanks.


Marwan ALshawi Tue, 09/30/2008 - 08:03

from the above config it sounds like you have a CSC-SSM module

the class-map global-class

matches any traffic

and then sends it to the CSC for inspection

and it is applied globally, that means the traffic will be sent to the CSC for inspection when flowing from all interfaces

csc fail-open means that if the CSC fails the ASA will continue to pass traffic without inspection from the CSC

for better performance you need to send more specific traffic rather than all

have a look at the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml


good luck

if helpful Rate

s-ito65535 Tue, 09/30/2008 - 08:21

Thank you for your technical advice.

In fact, if I delete the "service-policy global_policy global" line, the FireWall can not send the traffic for CSC inspection?

Please give your advice!


Thanks.

Marwan ALshawi Tue, 09/30/2008 - 08:25

of course

this policy is set up to send traffic to the CSC-SSM

and for more details see the link I posted to you, it includes everything you need regarding ASA with CSC


if helpful Rate

Marwan ALshawi Tue, 09/30/2008 - 06:16

ok

this policy is related to what is known as application inspection

in older PIX it was like the fixup command

this inspection makes the firewall work with those protocols statefully

for example

with FTP, ports 20 and 21 are only for negotiation between the client and server; after that they negotiate a port for the transfer

if you disable the FTP inspection the firewall will block that negotiated port number, which is random, unless you open a huge number of ports, and in that case it will not be a secure firewall

the same with VoIP protocols like

h323, sccp

with HTTP you can inspect the HTTP header and make inspection policies

the global means this policy will work on all interfaces

if you make a policy on a specific interface it will take preference over the global one

I would suggest you never disable this policy because you will get unexpected errors and problems


good luck

if helpful Rate
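As an added example (not code from this thread or from Cisco), a small Python parser that answers the original question the way Mike's 'show run | b class-map' and 'show service-policy' check would: it resolves which policy-map, class-map and actions apply to traffic on each interface, and what is left once the global service-policy line is removed. The MPF lines are taken from the posted config; the extra "inside-policy" bound to the inside interface is an assumption added only to show the interface-over-global precedence Marwan describes.

```python
# Constructed sample (not the poster's full config): the posted MPF lines plus a
# hypothetical "inside-policy" on the inside interface to show precedence.
ASA_CONFIG = """\
class-map global-class
 match any
class-map http-class
 match access-list http-list2
policy-map global-policy
 class global-class
  csc fail-open
policy-map inside-policy
 class http-class
  inspect http
service-policy global-policy global
service-policy inside-policy interface inside
"""

def parse_mpf(config):
    """Keyword-driven parse (works even if indentation was lost): returns
    class-maps, policy-maps and the service-policy bindings."""
    classes, policies, bindings = {}, {}, {}
    cmap = pmap = pclass = None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("class-map "):
            cmap, pmap = line.split()[1], None
            classes[cmap] = []
        elif line.startswith("policy-map "):
            pmap, cmap, pclass = line.split()[1], None, None
            policies[pmap] = {}
        elif line.startswith("service-policy "):
            parts = line.split()   # NAME global  |  NAME interface IFNAME
            bindings["global" if parts[2] == "global" else parts[3]] = parts[1]
            cmap = pmap = None
        elif line.startswith("match ") and cmap:
            classes[cmap].append(line[len("match "):])
        elif line.startswith("class ") and pmap:
            pclass = line.split()[1]
            policies[pmap][pclass] = []
        elif pmap and pclass:
            policies[pmap][pclass].append(line)   # an action such as "csc fail-open"
    return classes, policies, bindings

def effective_rules(config, interface):
    """(class, match criteria, actions) applied on `interface`: an interface
    service-policy overrides the global one; with neither, nothing is inspected."""
    classes, policies, bindings = parse_mpf(config)
    name = bindings.get(interface, bindings.get("global"))
    if name is None:
        return []
    return [(cls, classes.get(cls, []), acts) for cls, acts in policies[name].items()]
```

Running effective_rules on "outside" and "management" returns the csc fail-open action from global-policy, "inside" returns only the assumed interface policy, and with the global service-policy line deleted from the text the interfaces without their own policy get an empty list, i.e. no traffic is handed to the CSC.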
