The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)
This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
The one that you currently have (and God I hope its not applied) will look for tftp traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
For the FTP traffic to work properly, with the regular inspection of FTP it would do it, however, if you want to block specific information inside the FTP packets such as different types of method (PUT,GET) usernames, specific files etc, you will be needing to use Layer 7.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...