Cisco Support Community
New Member

CISCO ASA Service Policy

Hi, 

I have a couple of questions regarding the service policy of CISCO ASA

1) When inspect http is disabled in the default policy we can't RDP to the desktops connected to the ASA. Also, when inspect icmp is disabled I can't ping through the ASA, but when it's enabled ICMP works. How does this happen? How do these inspections work?

2) If I have an ASA with IPS modules, and I create a service policy where IPS is enabled and then a global policy, can these two coexist? Or will traffic always consider the global policy?

 

 

Thanks

1 REPLY
Cisco Employee


 

Hello;

 

1) The HTTP inspection is unrelated to the RDP issue. If you are running 8.4.7, I tend to believe you are hitting a bug. It works when you disable the ICMP, not the HTTP.

ICMP is not what we call stateful; you can really measure that all messages will have a reply. In order to allow it without the inspection, you will need to put an ACL. That is by default.

 

2) No, if you create a new one, it will overwrite the existing one. What you can do is to add the IPS in the already created MPF or create a new service policy and put it on the interface you would like protection from.

 

Mike.

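An added example, not part of the reply above: the two ways to pass ICMP through the ASA (inspection or an ACL) and the two ways to apply IPS (inside the existing global policy or in a separate interface policy), written as ASA configuration. The names OUTSIDE_IN, IPS_TRAFFIC, IPS_CLASS and OUTSIDE_POLICY and the interface name `outside` are assumptions.

```cisco
! Added example. OUTSIDE_IN, IPS_TRAFFIC, IPS_CLASS, OUTSIDE_POLICY and the
! interface name "outside" are assumed names, not taken from the thread.
!
! --- ICMP, option 1: inspection in the default global policy ---
! The ASA tracks each echo request and lets the matching reply back in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- ICMP, option 2: no inspection, replies permitted by ACL ---
! Permit only the reply types needed rather than "icmp any any".
! If an ACL is already bound to the interface, add the entries to that ACL.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! --- IPS: traffic class shared by both options below ---
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! --- IPS, option 1: add the class to the existing global policy ---
! fail-open passes traffic if the IPS module is down; fail-close drops it.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! --- IPS, option 2 (instead of option 1): policy on one interface ---
policy-map OUTSIDE_POLICY
 class IPS_CLASS
  ips inline fail-open
service-policy OUTSIDE_POLICY interface outside
!
! Check what is applied and whether the counters increment:
!   show running-config service-policy
!   show service-policy
```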