1-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1 Configuring a Service Policy Using the Modular Policy Framework
Identifying Traffic (Layer 3/4 Class Maps)
match access-list access_list_name
Example:
hostname(config-cmap)# match access-list
udp
Matches traffic specified by an extended ACL. If the ASA is
operating in transparent firewall mode, you can use an EtherType
ACL.
match port {tcp | udp} {eq port_num |
range port_num port_num}
Example:
hostname(config-cmap)# match tcp eq 80
Matches TCP or UDP destination ports, either a single port or a
contiguous range of ports.
Tip For applications that use multiple, non-contiguous ports,
use the match access-list command and define an ACE to
match each port.
match default-inspection-traffic
Example:
hostname(config-cmap)# match
default-inspection-traffic
Matches default traffic for inspection: the default TCP and UDP
ports used by all applications that the ASA can inspect.
This command, which is used in the default global policy, is a
special CLI shortcut that when used in a policy map, ensures that
the correct inspection is applied to each packet, based on the
destination port of the traffic. For example, when UDP traffic for
port 69 reaches the ASA, then the ASA applies the TFTP
inspection; when TCP traffic for port 21 arrives, then the ASA
applies the FTP inspection. So in this case only, you can configure
multiple inspections for the same class map (with the exception of
WAAS inspection, which can be configured with other
inspections. See the “Incompatibility of Certain Feature Actions”
section on page 1-5 for more information about combining
actions). Normally, the ASA does not use the port number to
determine the inspection applied, thus giving you the flexibility to
apply inspections to non-standard ports, for example.
See the “Default Settings and NAT Limitations” section on
page 9-4 for a list of default ports. Not all applications whose
ports are included in the match default-inspection-traffic
command are enabled by default in the policy map.
You can specify a match access-list command along with the
match default-inspection-traffic command to narrow the
matched traffic. Because the match default-inspection-traffic
command specifies the ports and protocols to match, any ports and
protocols in the ACL are ignored.
Tip We suggest that you only inspect traffic on ports on which
you expect application traffic; if you inspect all traffic, for
example using match any, the ASA performance can be
impacted.
match dscp value1 [value2] [...] [value8]
Example:
hostname(config-cmap)# match dscp af43 cs1
ef
Matches DSCP value in an IP header, up to eight DSCP values.
Command Purpose