Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX v7 application inspection, class-maps, and ACL's

What's the relationship between inbound interface acl's and application inspection?

Do the acl's get processed before the class-map statement creates the traffic class for the inspect command?

New Member

Re: PIX v7 application inspection, class-maps, and ACL's

a) ACL's are processed before anything else, so that mean even before Class commands

b) Class commands coupled with service-policy command to do extended deep inspection

a) Use class-map to identify traffic

b) Use it in policy-map to apply inspection

c) apply to an interface to make it effective

New Member

Re: PIX v7 application inspection, class-maps, and ACL's

Thanks so much for your answer. It makes sense and is in line with some documentation I saw regarding routers and CBAC. I couldn't find anything explicit for the PIX, though.

There's just one more thing that, perhaps, you could confirm for me. I assume that you only have to permit the base protocol port, such as, 5060 for sip. Then the inspection engine dynamically adds the appropriate pinholes to the inbound acl to permit the media streams. Is that correct?