ASA 5500 Checking for incomplete Service Policy

I am in the process of updating my device to 8.2(2). In the release notes it mentions to make sure that you do not have the following incomplete lines:

- policy-map global_policy

- service-policy global_policy global

Below is a copy of my config. I just want to make sure that I am reading this correctly. I do not believe I have any incomplete service policies. I have made the lines in question bold. Thank you.

!
class-map type regex match-any DomainBlockList
 match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map IPS_CLASS
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  reset log
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy - line in question
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ftp
  inspect h323 ras
  inspect http http_inspection_policy
policy-map IPS_POLICY
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global - line in question
service-policy IPS_POLICY interface outside
prompt hostname context
Cryptochecksum:9678c3xd399320688fyyu741823
: end
asa5500#
asa5500#

Accepted Solutions

Re: ASA 5500 Checking for incomplete Service Policy

Hi,

You have the default global_policy applied globally with the service policy (they are not incomplete).

You can modify these policies, or create new policies and apply them globally to the service policy or to specific interfaces.

You can check more information about the inspection on the ASA here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

Federico.
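A way to run the same check over a saved `show running-config`, added here as an example and not part of the original posts or of Cisco's tooling. It assumes "incomplete" means a Layer 3/4 policy-map with no class, a class with no action, or a service-policy line naming a policy-map that is not defined (the release-note definition is not quoted in this thread), and it assumes the config keeps the indentation the ASA prints; EMPTY_POLICY and MISSING_POLICY are constructed names.

```python
import re

# Constructed sample: one empty policy-map, one service-policy with no matching policy-map.
SAMPLE = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
policy-map EMPTY_POLICY
!
service-policy global_policy global
service-policy EMPTY_POLICY interface outside
service-policy MISSING_POLICY interface inside
"""

def parse_policy_maps(config):
    """Return {name: {class_name: [actions]}} for Layer 3/4 policy-maps."""
    maps, current, cls = {}, None, None
    for line in config.splitlines():
        m = re.match(r"policy-map (?!type )(\S+)", line)
        if m:
            current, cls = maps.setdefault(m.group(1), {}), None
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the block
        elif current is not None:
            m = re.match(r" class (\S+)", line)
            if m:
                cls = current.setdefault(m.group(1), [])
            elif cls is not None and line.startswith("  "):
                cls.append(line.strip())
    return maps

def find_incomplete(config):
    """List policy-maps and service-policy lines that look incomplete."""
    maps, findings = parse_policy_maps(config), []
    for name, classes in maps.items():
        if not classes:
            findings.append(f"policy-map {name}: no class")
        findings += [f"policy-map {name} class {c}: no action"
                     for c, acts in classes.items() if not acts]
    for m in re.finditer(r"^service-policy (\S+) (?:global|interface \S+)", config, re.M):
        if m.group(1) not in maps:
            findings.append(f"service-policy {m.group(1)}: policy-map not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(find_incomplete(SAMPLE)) or "no incomplete service policies")
```

A config like the one posted above, where global_policy has a class with inspect actions and the service-policy line names it, produces no findings.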
