22-8
Cisco ASDM User Guide
OL-16647-01
Chapter 22 Configuring Service Policy Rules
Adding a Service Policy Rule for Through Traffic
multiple ACEs to the same traffic class by repeating this entire procedure. See the “Managing the Order of Service Policy Rules” section on page 22-13 for information about changing the order of ACEs.
Use an existing traffic class. If you created a traffic class used by a rule on a different interface, you can reuse the traffic class definition for this rule. Note that if you alter the traffic class for one rule, the change is inherited by all rules that use that traffic class. If your configuration includes any class-map commands that you entered at the CLI, those traffic class names are also available (although to view the definition of the traffic class, you need to create the rule).
Use class default as the traffic class. This option uses the class-default class, which matches all traffic. The class-default class is created automatically by the security appliance and placed at the end of the policy. If you do not apply any actions to it, it is still created by the security appliance, but for internal purposes only. You can apply actions to this class, if desired, which might be more convenient than creating a new traffic class that matches all traffic. You can create only one rule for this service policy using the class-default class, because each traffic class can be associated with only a single rule per service policy.
Step 5 Click Next.
Step 6 The next dialog box depends on the traffic match criteria you chose.
Note The Any Traffic option does not have a special dialog box for additional configuration.
Default Inspections—This dialog box is informational only, and shows the applications and the ports that are included in the traffic class.
Source and Destination Address—This dialog box lets you set the source and destination addresses:
a. Click Match or Do Not Match.
The Match option creates a rule where traffic matching the addresses has the actions applied. The Do Not Match option exempts the matching traffic from having the specified actions applied. For example, suppose you want to match all traffic in 10.1.1.0/24 and apply connection limits to it, except for 10.1.1.25. In this case, create two rules, one for 10.1.1.0/24 using the Match option and one for 10.1.1.25 using the Do Not Match option. Be sure to arrange the rules so that the Do Not Match rule is above the Match rule; rules are evaluated in order and the first match wins, so if the Match rule comes first, 10.1.1.25 will match it and receive the connection limits anyway.
b. In the Source field, enter the source IP address, or click the ... button to choose an IP address that you already defined in ASDM.
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Enter any to specify any source address. Separate multiple addresses by a comma.
c. In the Destination field, enter the destination IP address, or click the ... button to choose an IP address that you already defined in ASDM.
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Enter any to specify any destination address. Separate multiple addresses by a comma.
d. In the Service field, enter an IP service name or number for the destination service, or click the ... button to choose a service.
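The ordering trap in step a (a Do Not Match rule placed below a Match rule that already covers it) and the address-field rules in steps b and c (bare address is a host even if it ends in .0, any, comma-separated entries) are easy to get wrong when a policy has more than two rules. The following is an added example, not code from the Cisco guide or from ASDM: a small Python model of first-match evaluation over an ordered list of Match / Do Not Match rules, with a check that reports exemptions that can never fire. The Rule class, field names and the IPv4-only scope are this example's own assumptions, and the sample rule lists are constructed from the guide's 10.1.1.0/24 and 10.1.1.25 scenario.

```python
# Added example (not from the Cisco ASDM guide): a minimal model of how an
# ordered set of Match / Do Not Match address rules selects traffic for a
# service policy action, plus a check that flags a Do Not Match rule placed
# below a broader Match rule (the 10.1.1.0/24 vs 10.1.1.25 ordering trap).
# IPv4 only; the Rule class and field names are this example's own, not ASDM's.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def parse_addresses(field: str) -> List[ipaddress.IPv4Network]:
    """Parse an ASDM-style address field.

    Accepts 'any', comma-separated entries, prefix/length notation
    (10.1.1.0/24) and bare addresses. A bare address is a /32 host even
    when it ends in .0, matching the rule stated in the guide.
    """
    nets = []
    for token in field.split(","):
        token = token.strip()
        if not token:
            continue
        if token.lower() == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif "/" in token:
            nets.append(ipaddress.IPv4Network(token, strict=False))
        else:
            nets.append(ipaddress.IPv4Network(token + "/32"))
    return nets


@dataclass
class Rule:
    match: bool         # True = Match, False = Do Not Match
    source: str         # address field as typed into ASDM
    destination: str


def _covered(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Return the first rule whose source and destination both cover the flow."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if _covered(s, parse_addresses(rule.source)) and _covered(d, parse_addresses(rule.destination)):
            return rule
    return None


def action_applies(rules: List[Rule], src: str, dst: str) -> bool:
    """True if the policy action hits this flow, i.e. the first matching rule is a Match rule."""
    hit = first_match(rules, src, dst)
    return hit is not None and hit.match


def _all_within(inner: List[ipaddress.IPv4Network], outer: List[ipaddress.IPv4Network]) -> bool:
    """Every network in inner lies inside some network in outer."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def shadowed_exemptions(rules: List[Rule]) -> List[int]:
    """Indexes of Do Not Match rules that can never fire because an earlier
    Match rule already covers every source and destination they name."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.match:
            continue
        src_i, dst_i = parse_addresses(rule.source), parse_addresses(rule.destination)
        for earlier in rules[:i]:
            if earlier.match and _all_within(src_i, parse_addresses(earlier.source)) \
                    and _all_within(dst_i, parse_addresses(earlier.destination)):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample data: the guide's scenario in the wrong and the right order.
WRONG_ORDER = [Rule(True, "10.1.1.0/24", "any"), Rule(False, "10.1.1.25", "any")]
RIGHT_ORDER = [Rule(False, "10.1.1.25", "any"), Rule(True, "10.1.1.0/24", "any")]

if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "- 10.1.1.25 gets the action:", action_applies(rules, "10.1.1.25", "192.0.2.1"),
              "- shadowed exemptions:", shadowed_exemptions(rules))
```

Run it as a script to see that with the Match rule first, 10.1.1.25 still receives the action and the Do Not Match rule is reported as shadowed; with the Do Not Match rule first, the host is exempt and the rest of 10.1.1.0/24 still matches. The same ordering constraint applies on the CLI, where the wizard expresses Match as a permit ACE and Do Not Match as a deny ACE in the access list behind the class-map: the deny entry must precede the permit entry.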