04-05-2007 03:41 AM - edited 03-11-2019 02:56 AM
Hi All...
My ASA has a default global service policy where it does inspection.
I wish to know: if I apply an interface service policy which does MSS exceed allow for only HTTP/HTTPS/SMTP,
is the ASA still doing the default inspection, as it's stated that it will override the default policy?
Rgds
04-05-2007 07:29 AM
The default policy will still take effect. The interface policy will also be used. If there is a conflict between the two policies, then the more specific interface policy wins.
Sincerely,
David.
PS> If this answers your questions, please don't forget to check the box so we can cross this off our list.
04-05-2007 07:39 AM
Hi David..
Just a quick check: does it still do HTTP/HTTPS/ESMTP inspection?
A rough config is as follows. I have 2 policy lists for HTTP: 1 to allow MSS exceed and 1 for HTTP inspection.
access-list MSS extended permit tcp any any eq www
!
tcp-map TCPMSS
 exceed-mss allow
!
class-map inspection_default
 match default-inspection-traffic
class-map MSS-MAP
 match access-list MSS
!
policy-map global_policy
 class inspection_default
  inspect http
! the class name must match the class-map defined above
policy-map SPHMSS-MAP
 class MSS-MAP
  set connection advanced-options TCPMSS
!
service-policy global_policy global
! service-policy must reference the policy-map name
service-policy SPHMSS-MAP interface outside
Tks & Rgds
04-05-2007 07:57 AM
Yes, that should work.
Alternatively, you might want to turn it on for the whole box:
tcp-map mss-map
 exceed-mss allow
class-map match-any
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class match-any
  set connection advanced-options mss-map
 class inspection_default
  inspect ftp
  inspect icmp
  inspect whateveryouwanttoinspect
service-policy global_policy global
Feel free to ping me @ work on sametime if you have more questions.
--Jason
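The policy precedence described in this thread, as an added example that is not part of any post above and is not Cisco's code: a simplified Python model in which each feature is taken from the interface policy when that policy defines it, and from the global policy otherwise. The feature labels, the TCP/80 approximation of HTTP inspection, and the inspect map name STRICT-HTTP are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    interface: str   # interface the flow enters on
    protocol: str
    dst_port: int

def tcp_port(port):
    """Build a class-map style matcher for TCP traffic to one port."""
    return lambda f: f.protocol == "tcp" and f.dst_port == port

# A policy-map is modelled as an ordered list of classes: (matcher, {feature: setting}).
# Global policy from the thread: HTTP inspection (approximated as TCP/80 only).
GLOBAL_POLICY = [(tcp_port(80), {"inspect http": "default"})]

# Interface policy from the thread: tcp-map TCPMSS for "eq www" on outside.
INTERFACE_POLICIES = {
    "outside": [(tcp_port(80), {"tcp-map": "TCPMSS"})],
}

# Constructed conflict case: the interface policy also configures HTTP
# inspection (hypothetical inspect map name STRICT-HTTP).
CONFLICT_POLICIES = {
    "outside": [(tcp_port(80), {"tcp-map": "TCPMSS", "inspect http": "STRICT-HTTP"})],
}

def effective_features(flow, global_policy, interface_policies):
    """Return {feature: (setting, source)} applied to a flow.

    The interface policy is consulted first, so it takes precedence for any
    feature it defines; features it does not define fall through to the
    global policy. Within one policy the first matching class wins per feature.
    """
    layers = [
        ("interface " + flow.interface, interface_policies.get(flow.interface, [])),
        ("global", global_policy),
    ]
    applied = {}
    for source, policy in layers:
        for matches, features in policy:
            if not matches(flow):
                continue
            for feature, setting in features.items():
                applied.setdefault(feature, (setting, source))
    return applied

if __name__ == "__main__":
    web = Flow("outside", "tcp", 80)
    print(effective_features(web, GLOBAL_POLICY, INTERFACE_POLICIES))
    print(effective_features(web, GLOBAL_POLICY, CONFLICT_POLICIES))
```

With the thread's configuration, web traffic entering on outside gets both the tcp-map and the global HTTP inspection; only in the conflict case does the interface setting replace the global one.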