ASA 5500 Checking for incomplete Service Policy

Answered Question
Apr 19th, 2010

I am in the process of updating my device to 8.2(2). In the release notes it mentions to make sure that you do not have the following incomplete lines:

- policy-map global_policy

- service-policy global_policy global


Below is a copy of my config. I just want to make sure that I am reading this correctly. I do not believe I have any incomplete service policies. I have made the lines in question bold. Thank you.


!
class-map type regex match-any DomainBlockList
 match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map IPS_CLASS
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  reset log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy - line in question
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ftp
  inspect h323 ras
  inspect http http_inspection_policy
policy-map IPS_POLICY
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global - line in question
service-policy IPS_POLICY interface outside
prompt hostname context
Cryptochecksum:9678c3xd399320688fyyu741823
: end
asa5500#
asa5500#

Correct Answer by Federico Coto F... about 7 years 1 month ago

Hi,


You have the default global_policy applied globally with the service policy (they are not incomplete).


You can modify these policies, or create new policies and apply them globally to the service policy or to specific interfaces.


You can check more information about the inspection on the ASA here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html


Federico.

Overall Rating: 5 (1 ratings)
Federico Coto F... Mon, 04/19/2010 - 11:58