Cisco Support Community

New Member

ASA Interface/global Service policy

Hi All...

My ASA has a default global service policy where it does inspection.

And I wish to know: if I apply an interface service policy which does MSS Exceed Allow for only HTTP/HTTPS/SMTP,

is the ASA still doing the default inspection, as it's stated that it will override the default policy?

Rgds

Accepted Solution
Bronze

Re: ASA Interface/global Service policy

Yes, that should work.

Alternatively, you might want to turn it on for the whole box:

tcp-map mss-map
 exceed-mss allow
class-map match-any
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class match-any
  set connection advanced-options mss-map
 class inspection_default
  inspect ftp
  inspect icmp
  inspect whateveryouwanttoinspect
service-policy global_policy global

Feel free to ping me @ work on sametime if you have more questions.

--Jason

3 REPLIES
Silver

Re: ASA Interface/global Service policy

The default policy will still take effect. The interface policy will also be used. If there is a conflict between the two policies, then the more specific interface policy wins.

Sincerely,

David.

PS> If this answers your questions, please don't forget to check the box so we can cross this off our list.

New Member

Re: ASA Interface/global Service policy

Hi David..

Just a quick check, so does it still do HTTP/HTTPS/ESMTP inspection?

A rough config as follows. I have 2 policy lists for HTTP, 1 to allow MSS exceed and 1 for HTTP inspection.

access-list MSS extended permit tcp any any eq www
!
tcp-map TCPMSS
 exceed-mss allow
class-map inspection_default
 match default-inspection-traffic
class-map MSS-MAP
 match access-list MSS
!
!
policy-map global_policy
 class inspection_default
  inspect http
policy-map MSS-MAP
 class MSS-MAP
  set connection advanced-options TCPMSS
!
service-policy global_policy global
service-policy MSS-MAP interface outside

Tks & Rgds
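David's rule above (both policies apply to a flow; where both set the same feature, the interface policy wins) applied to the config just posted, as an added Python model that is not from this thread or from Cisco. It assumes the policy-map is named MSS-MAP so the service-policy line resolves, and it takes the set of classes a flow matches as input instead of evaluating the class-maps itself.

```python
from collections import OrderedDict

# Constructed sample: the MPF part of the poster's rough config, with the policy-map
# named MSS-MAP so that the service-policy line resolves (assumption, not from the page).
ASA_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map MSS-MAP
 match access-list MSS
policy-map global_policy
 class inspection_default
  inspect http
policy-map MSS-MAP
 class MSS-MAP
  set connection advanced-options TCPMSS
service-policy global_policy global
service-policy MSS-MAP interface outside
"""

def parse_policies(text):
    """Return ({policy: {class: [actions]}}, {interface name or 'global': policy})."""
    policies, bindings, pmap, cls = {}, {}, None, None
    for raw in [l for l in text.splitlines() if l.strip()]:
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if line.startswith("policy-map "):
            pmap, cls = line.split()[1], None
            policies[pmap] = OrderedDict()
        elif pmap and indent == 1 and line.startswith("class "):
            cls = line.split()[1]
            policies[pmap][cls] = []
        elif pmap and indent == 2 and cls:
            policies[pmap][cls].append(line)  # an action inside the class block
        elif line.startswith("service-policy "):
            _, name, *where = line.split()  # 'global' or 'interface <name>'
            bindings[where[1] if where[0] == "interface" else "global"] = name
    return policies, bindings

def feature_key(action):
    """Actions of one feature type conflict: any two 'set connection advanced-options'."""
    return " ".join(action.split()[:-1]) if action.startswith("set ") else action

def effective_actions(policies, bindings, interface, matched_classes):
    """Interface policy first; the global policy adds only features it did not set."""
    chosen = OrderedDict()
    for policy in (bindings.get(interface), bindings.get("global")):
        for cls, actions in policies.get(policy, {}).items():
            if cls in matched_classes:  # class-map evaluation itself is not modelled
                for act in actions:
                    chosen.setdefault(feature_key(act), (policy, act))
    return list(chosen.values())
```

For an HTTP flow on `outside` (matching both classes) this yields the MSS action from the interface policy plus `inspect http` from the global policy; on an interface with no service-policy only the global inspection remains.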
