Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
535
Views
0
Helpful
6
Replies

ASA5510+SSM meaning of configuration line.

s-ito65535
Level 1
Level 1

‎09-30-2008 05:40 AM - edited ‎03-11-2019 06:51 AM

Please tech me the following config line.

"service-policy global_policy global"

Is this configuration necessity?

If I delete the configuration line, I have any troubles about FireWall Technology???

Labels:
0 Helpful
6 Replies 6

robertson.michael
Level 3
Level 3

‎09-30-2008 06:13 AM

Hi Shigenori,

This line applies your global_policy policy-map to all active interfaces on your ASA. So, any traffic that comes in on any interface will be subject to the inspection rules defined by your global_policy (assuming it matches a class-map).

Without seeing the rest of your configuration, it is impossible to say how removing this line will affect your firewall. Take a look at the output of 'show run' (or 'show run | b class-map) and 'show service-policy' to see the inspection rules that are applied to this policy.

Hope that helps.

-Mike

0 Helpful

s-ito65535
Level 1
Level 1
In response to robertson.michael

‎09-30-2008 07:53 AM

Hi Mike,

Thank you for your technical advice about global policy.

current configuation is following.

class-map line is default configuration.

ASA Version 8.0(3)

!

hostname asa5510sample

domain-name sample-sm.jp

enable password

names

!

interface Ethernet0/0

nameif outside

security-level 100

pppoe client vpdn group GPPPOE

ip address 121.186.XXX.XXX 255.255.255.255 pppoe setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.XXX.XXX 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 172.16.XXX.XXX 255.255.255.0

!

passwd

boot system disk0:/asa803-k8.bin

ftp mode passive

clock timezone JST 9

dns domain-lookup outside

dns server-group DefaultDNS

name-server 121.113.XXX.XXX

domain-name sample-sm.jp

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_access_in_1 extended permit ip any any

access-list http-list2 extended permit tcp any any

!

tcp-map mss-map

exceed-mss allow

!

pager lines 24

logging enable

logging asdm informational

mtu outside 1454

mtu inside 1454

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-613.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 172.16.100.0 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.2.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.20.0 255.255.255.0

nat (management) 1 172.16.100.0 255.255.255.0

access-group inside_access_in_1 in interface inside

route inside 10.0.0.0 255.255.255.0 192.168.0.252 1

route management 172.16.100.2 255.255.255.255 172.16.100.1 2

route inside 192.168.1.0 255.255.255.0 192.168.0.252 1

route inside 192.168.2.0 255.255.255.0 192.168.0.252 1

route inside 192.168.3.0 255.255.255.0 192.168.0.252 1

route inside 192.168.20.0 255.255.255.0 192.168.0.252 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 172.16.100.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 172.16.100.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group GPPPOE request dialout pppoe

vpdn group GPPPOE localname XXXXsample

@XXXXXX.XXX.ne.jp

vpdn group GPPPOE ppp authentication chap

vpdn username XXXXsample@XXXXXX.XXX.ne.jp password *********

threat-detection basic-threat

threat-detection statistics access-list

username asapri password privilege 15

!

class-map global-class

match any

!

!

policy-map global-policy

class global-class

csc fail-open

!

service-policy global-policy global

prompt hostname context

Cryptochecksum:XXXXXXXXXXeba14c1bd38444ae90113925

: end

I'm waiting for your more advice.

Thanks.

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to s-ito65535

‎09-30-2008 08:03 AM

from the above config it sounds u have CSC-SSM module

the class-map global-class

match any traffic

and the send it to the CSC for inspection

and it is applied on the globla thats mean the traffic wil be send to the csc for inspection when flow from allinterfaces

csc fail-open mean that if the csc fail the ASA will continue pass traffic wihthout inspection from csc

fo rbetter performance u need to send more spesific traffic rathar than all

have a look at the following link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml

good luck

if helpful Rate

0 Helpful

s-ito65535
Level 1
Level 1
In response to Marwan ALshawi

‎09-30-2008 08:21 AM

Thank you for your technical advices.

In fact, if I delete "service-policy global_policy global" line, FireWall can not send to the traffic for csc inspection ???

Please your advices!

Thanks.

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni
In response to s-ito65535

‎09-30-2008 08:25 AM

ofcourse

this policy seted up to send traffic to CSC-SSM

and for more details see the link i posted to u includ evrything u need regarding ASA with CSC

if helpful Rate

0 Helpful

Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-30-2008 06:16 AM

ok

this policy is related to what is know apllication inspection

in older pix it was like fixup command

this inspection make the firewall work with those protocols staefully

forexample

with ftp the ports 20 and 21 only for negotiation between the client and server after that they negociate a port for the transfere

if u disable the ftp inspection the firewall wil block that negociated port number which is randamly unless u open hug number of port and in the case will not be a secure firewall

the same with voip protocols liek

h323, sccp

with http u can inspect the http header make inspection policies

the global mean this policy will work on all interfaces

if u make a ploicy in a speicific interface it will take prefrence to the global one

i would suggest u never disable this policy becuase u will get unexpected error and problems

good luck

if helpful Rate

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card