Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
36-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 36 Configuring a Service Policy
Information About Service Policies
Note When you use a global policy, all features are unidirectional; features that are normally bidirectional
when applied to a single interface only apply to the ingress of each interface when applied globally.
Because the policy is applied to all interfaces, the policy will be applied in both directions so
bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See
Table 36-2 for the directionality of each feature.
Feature Matching Within a Service Policy
See the following information for how a packet matches rules in a policy for a given interface:
1. A packet can match only one rule for an interface for each feature type.
2. When the packet matches a rule for a feature type, the ASA does not attempt to match it to any
subsequent rules for that feature type.
3. If the packet matches a subsequent rule for a different feature type, however, then the ASA also
applies the actions for the subsequent rule, if supported. See the “Incompatibility of Certain Feature
Actions” section on page 36-5 for more information about unsupported combinations.
Note Application inspection includes multiple inspection types, and most are mutually exclusive.
For inspections that can be combined, each inspection is considered to be a separate feature.
For example, if a packet matches a rulefor connection limits, and also matches a rule for an application
inspection, then both actions are applied.
Table 36-2 Feature Directionality
Feature Single Interface Direction Global Direction
Application inspection (multiple types) Bidirectional Ingress
ASA CSC Bidirectional Ingress
ASA CX Bidirectional Ingress
ASA CX authentication proxy Ingress Ingress
ASA IPS Bidirectional Ingress
NetFlow Secure Event Logging filtering N/A Ingress
QoS input policing Ingress Ingress
QoS output policing Egress Egress
QoS standard priority queue Egress Egress
QoS traffic shaping, hierarchical priority
queue
Egress Egress
TCP and UDP connection limits and timeouts,
and TCP sequence number randomization
Bidirectional Ingress
TCP normalization Bidirectional Ingress
TCP state bypass Bidirectional Ingress