Cisco Systems and the ASA Services Module Network Router User Manual


 
1-19
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1 Configuring a Service Policy Using the Modular Policy Framework
Configuration Examples for Modular Policy Framework
Applying Inspection and QoS Policing to HTTP Traffic
In this example (see Figure 1-1), any HTTP connection (TCP traffic on port 80) that enters or exits the
ASA through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the
outside interface is classified for policing.
Figure 1-1 HTTP Inspection and QoS Policing
See the following commands for this example:
ciscoasa(config)# class-map http_traffic
ciscoasa(config-cmap)# match port tcp eq 80
ciscoasa(config)# policy-map http_traffic_policy
ciscoasa(config-pmap)# class http_traffic
ciscoasa(config-pmap-c)# inspect http
ciscoasa(config-pmap-c)# police output 250000
ciscoasa(config)# service-policy http_traffic_policy interface outside
Applying Inspection to HTTP Traffic Globally
In this example (see Figure 1-2), any HTTP connection (TCP traffic on port 80) that enters the ASA
through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection
occurs only as the traffic enters each interface.
Figure 1-2 Global HTTP Inspection
See the following commands for this example:
ciscoasa(config)# class-map http_traffic
ciscoasa(config-cmap)# match port tcp eq 80
143356
inside
port 80
outside
A
Host A
Host B
port 80
Security
appliance
insp.
insp.
police
inside
port 80
outside
A
Host A
Host B
port 80
insp.
insp.
Security
appliance
143414