Firewall service-policy

tech_trac (Level 1)

Hi,

I have applied interface service-policy with class-map included all traffic.

Yet when I do show access-list, I don't see any hit counts. Do hit counts normally show against an ACL attached to class-maps/policy-maps and a service-policy?

Thanks

5 Replies

Kureli Sankar (Cisco Employee)

I just tried it in the ASA and it does show hit counts on the acl applied to the class map which calls for a specific inspection.

Issue this command.

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq

The output should say that it is going through certain inspection configurations.

Now if this is something new, for it to take effect you may have to issue a

clear local x.x.x.x

where x.x.x.x is the ip address of the host in question.

When I enter the second inspect command under the policy/class-map, it says: ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

Why is that?

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!

5505# conf t
5505(config)# policy-map global_policy
5505(config-pmap-c)# class http
5505(config-pmap-c)# ins http
5505(config-pmap-c)# ins ftp
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

I believe this is the error that you are referring to.

You cannot add two (multiple) inspections under one class unless the class is inspection_default.

Please see the policy-map that I pasted above.

When I do show service-policy flow etc., I see a high number of packets against the policy, which means that the packets are matched against the class-map (ACL). But when I do show access-list, I see no or a very low hit count.

The hit count doesn't match the packets inspected on show service-policy flow display.

You can remove the service policy and put it back after clearing the access-list counters.

clear access-list counters

Then watch the show service-policy flow again.

What code is the ASA running?
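A constructed ASA configuration, added here and not taken from any post in the thread, showing the layout the error message implies: inspection_default keeps multiple inspect commands, while each ACL-based class carries exactly one inspection (here HTTP on 8080 and FTP on 2121; the ACL names, host addresses and ports are placeholders), followed by the checks discussed above for the flow and the ACE counters.

```cisco
! Constructed example; addresses, ports and ACL names are placeholders.
! Non-standard ports are not covered by default-inspection-traffic, so
! each one gets its own ACL-based class with a single inspect command.
access-list WEB_8080 extended permit tcp any host 192.0.2.10 eq 8080
access-list FTP_2121 extended permit tcp any host 192.0.2.10 eq 2121
!
class-map WEB_8080_CLASS
 match access-list WEB_8080
class-map FTP_2121_CLASS
 match access-list FTP_2121
!
policy-map global_policy
 ! Built-in class: matches default-inspection-traffic, so many inspects are allowed
 class inspection_default
  inspect ftp
  inspect sip
 ! Custom ACL-based classes: one inspect per class
 class WEB_8080_CLASS
  inspect http
 class FTP_2121_CLASS
  inspect ftp
!
service-policy global_policy global
!
! Confirm which inspections a given flow passes through, then compare
! against the per-ACE hit counters of the ACL that feeds the class.
show service-policy flow tcp host 198.51.100.7 host 192.0.2.10 eq 8080
show access-list WEB_8080
! Reset the ACE counters before re-testing, as suggested in the thread.
clear access-list WEB_8080 counters
```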
