Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
36-7
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 36 Configuring a Service Policy
Default Settings
Default Configuration, page 36-7
Default Traffic Classes, page 36-7
Default Configuration
By default, the configuration includes a policy that matches all default application inspection traffic and
applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled
by default. You can only apply one global policy, so if you want to alter the global policy, you need to
either edit the default policy or disable it and apply a new one. (An interface policy overrides the global
policy for a particular feature.)
The default policy includes the following application inspections:
DNS inspection for the maximum message length of 512 bytes
FTP
H323 (H225)
H323 (RAS)
RSH
RTSP
ESMTP
SQLnet
Skinny (SCCP)
SunRPC
XDMCP
SIP
NetBios
TFTP
IP Options
Default Traffic Classes
The configuration includes a default traffic class that the ASA uses in the default global policy called
Default Inspection Traffic; it matches the default inspection traffic. This class, which is used in the
default global policy, is a special shortcut to match the default ports for all inspections. When used in a
policy, this class ensures that the correct inspection is applied to each packet, based on the destination
port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the
TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in
this case only, you can configure multiple inspections for the same class map. Normally, the ASA does
not use the port number to determine which inspection to apply, thus giving you the flexibility to apply
inspections to non-standard ports, for example.