Bingo. Did a quick investigation. Here are the results:

When applying the class to the global policy:
    MPF matches the untranslated source address when traffic moves from inside to outside.
    MPF matches the translated destination address when traffic moves from outside to inside.

When applying the class to the outside interface:
    MPF matches the translated source address when traffic moves from inside to outside.
    MPF matches the translated destination address when traffic moves from outside to inside.

There is the difference.

*Illustration*

10.20.30.40 PC --------------- inside ASA outside --------------------- http server 4.4.4.4

static (inside,outside) 4.4.4.3 10.20.30.40

If you want to match http traffic from PC to server, then

*Class map to global policy*

access-list httptraff permit tcp host 10.20.30.40 any eq 80
class-map http
  match access-list httptraff
policy-map global_policy
  class http
    inspect http

*Class map to outside interface*

access-list httptraff permit tcp host 4.4.4.3 any eq 80
class-map http
  match access-list httptraff
policy-map http
  class http
    inspect http
service-policy http interface outside

With regards
Kings

On Fri, Jan 22, 2010 at 6:41 PM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> MPF can be applied to traffic through global policy, inside or outside
> interface.
>
> *Query 1 - MPF to global policy*
>
> When we apply MPF to global policy, ASA matches the incoming traffic at the
> ingress of each interface.
>
>           ----------- match
> ----------inside ASA outside --------------------
>                              < match-------
>
> At the outside interface, will the ASA match the destination address of the
> translated address or the untranslated address?
>
> static (inside,outside) 6.6.6.6 10.20.30.40
>
> If traffic is coming inside with a destination of 6.6.6.6, will MPF
> match 6.6.6.6 or 10.20.30.40?
>
> *Query 2 - MPF at the outside interface*
>
> When we apply MPF to the outside interface, the ASA matches the traffic on
> the outside interface in both the directions.
>
> ------------inside ASA outside ------------<> match-------
>
> When traffic is moving from inside to outside, then will the MPF see the
> translated or un-translated source address?
> When traffic is moving from outside to inside, then will the MPF see the
> translated or un-translated destination address?
>
> *Reason for this query*
>
> When we want to match a flow, example HTTP, then we need to define a class
> map. The class map can either match using the "match port" or "match
> access-list". If we use the "access-list" option,
> I am wondering which IP address should be used on the ACL.
>
> With regards
> Kings
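To make the difference concrete, here is a small Python model, added here and not taken from the thread or from any ASA code, of which addresses a class map's "match access-list" sees for the topology in the reply. The static NAT entry, the two constructed flows and the attach-point rule (global policy classifies at the ingress interface, an outside-interface policy classifies on the outside interface in both directions) are assumptions that encode the behaviour the reply describes.

```python
# Constructed model of the thread's topology: PC 10.20.30.40 on the inside,
# static (inside,outside) 4.4.4.3 10.20.30.40 on the ASA, HTTP server 4.4.4.4 outside.
STATIC_NAT = {"10.20.30.40": "4.4.4.3"}          # local address -> global address
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}

def view_on(iface, pkt):
    """Addresses of a flow as they appear on the wire on one side of the ASA."""
    xlate = STATIC_NAT if iface == "outside" else GLOBAL_TO_LOCAL
    seen = dict(pkt)
    seen["src"] = xlate.get(pkt["src"], pkt["src"])
    seen["dst"] = xlate.get(pkt["dst"], pkt["dst"])
    return seen

def mpf_view(pkt, attach):
    """Rule from the thread (assumed): a global policy classifies at the ingress
    interface; a policy on 'outside' classifies on the outside interface both ways."""
    return view_on(pkt["ingress"] if attach == "global" else attach, pkt)

def parse_acl(line):
    """Parse 'access-list NAME permit tcp (host A|any) (host B|any) [eq PORT]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2:4] == ["permit", "tcp"], "unsupported ACL"
    i, specs = 4, []
    for _ in range(2):                           # source spec, then destination spec
        if t[i] == "any":
            specs.append(("any",))
            i += 1
        else:
            specs.append(("host", t[i + 1]))
            i += 2
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return specs[0], specs[1], port

def acl_matches(line, pkt):
    src, dst, port = parse_acl(line)
    ok = lambda spec, addr: spec == ("any",) or spec == ("host", addr)
    return ok(src, pkt["src"]) and ok(dst, pkt["dst"]) and port in (None, pkt["dport"])

def class_map_hits(acl_line, attach, pkt):
    """Would 'match access-list' in the class map see this flow for this attachment?"""
    return acl_matches(acl_line, mpf_view(pkt, attach))

# Constructed flows: PC -> server outbound, server -> PC's global address inbound.
OUTBOUND = {"src": "10.20.30.40", "dst": "4.4.4.4", "dport": 80, "ingress": "inside"}
INBOUND = {"src": "4.4.4.4", "dst": "4.4.4.3", "dport": 80, "ingress": "outside"}

if __name__ == "__main__":
    for acl_host in ("10.20.30.40", "4.4.4.3"):
        acl = f"access-list httptraff permit tcp host {acl_host} any eq 80"
        print(acl_host, {a: class_map_hits(acl, a, OUTBOUND) for a in ("global", "outside")})
```

Running it shows the ACL with the local address only hits under the global policy and the ACL with the global address only hits under the outside-interface policy, which is why the two configurations in the reply use different host addresses.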
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
