
New Member

Firewall service-policy

Hi,

I have applied interface service-policy with class-map included all traffic.

Yet when I do show access-list, I don't see any hit counts. Do hit counts normally show against an ACL attached to class-maps/policy-maps and a service-policy?

Thanks

5 REPLIES
Cisco Employee

Re: Firewall service-policy

I just tried it in the ASA and it does show hit counts on the acl applied to the class map which calls for a specific inspection.

Issue this command.

sh service-policy flow tcp host x.x.x.x host y.y.y.y eq

The output should say that it is going through the relevant inspection configuration.

Now if this is something new, for it to take effect you may have to issue a

clear local x.x.x.x

where x.x.x.x is the ip address of the host in question.

New Member

Re: Firewall service-policy

When I enter the second inspect command under the policy/class-map it says: ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

Why is that?

Cisco Employee

Re: Firewall service-policy

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!

5505# conf t
5505(config)# policy-map global_policy
5505(config-pmap-c)# class http
5505(config-pmap-c)# ins http
5505(config-pmap-c)# ins ftp
ERROR: Multiple inspect commands can't be configured for a class without 'match default-inspection-traffic|none' in it.

I believe this is the error that you are referring to.

You cannot add two (multiple) inspections under one class unless the class is inspection_default.

Please see the policy-map that I pasted above.

New Member

Re: Firewall service-policy

When I do show service-policy flow etc I see a high number of packets against the policy which means that the packet is matched against the class-map (ACL). But when I do show access-list, I see no or very low hit count.

The hit count doesn't match the packets inspected on show service-policy flow display.

Cisco Employee

Re: Firewall service-policy

You can remove the service policy and put it back after clearing the access-list counters.

clear access-l counter

Then watch the show service-policy flow again.

What code is the ASA running?
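The following is an added example configuration, not something posted in this thread, that pulls together the two points discussed above: a class that carries several inspections has to match default-inspection-traffic (the error shown in the third reply), while a class that matches an access-list can carry one inspection; and the commands for comparing the ACL counters with the service-policy counters. The ACL name (http_only), class name (http), addresses (192.0.2.0/24 and 198.51.100.10) and the inspections chosen are assumptions for illustration. ASA builds flows once, so an ACL hit count grows when a connection is built, whereas show service-policy counts every packet of the flow; the two numbers are therefore not expected to be equal.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
access-list http_only extended permit tcp any 192.0.2.0 255.255.255.0 eq 80
!
! A class that matches default-inspection-traffic may carry many inspections.
class-map inspection_default
 match default-inspection-traffic
!
! A class that matches an ACL may carry a single inspection.
class-map http
 match access-list http_only
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect sip
 class http
  inspect http
!
service-policy global_policy global
!
! Reset the ACL counters, then confirm which class and inspection a flow hits
! (the host addresses are assumed):
!   clear access-list http_only counters
!   show service-policy flow tcp host 198.51.100.10 host 192.0.2.20 eq 80
!   show access-list http_only
```

The one combination of two match statements a single class-map allows is `match default-inspection-traffic` together with `match access-list`, which restricts the default inspection set to the addresses in the ACL; any other ACL-matched class is limited to one inspect statement, as the error in the thread reports.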
