Kings,

You are right - it is often an overlooked concept. Basically it does not work the same as MPF. Just verify with "sh service-policy flow":

"deny=true" for "domain=inspect X" means that inspection was disabled for protocol "X".

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Mar 22, 2012 at 8:29 AM, Kingsley Charles <[email protected]> wrote:
> Hi all
>
> In ASA, once we deny the flow for inspection, it never gets inspected
> back in other policies. In the below configuration, http traffic to
> 10.20.30.40 is not inspected by the class inspection_default.
>
> Any comments?
>
> *HTTP traffic to 10.20.30.40 not inspected under class inspection_default*
>
> access-list web extended deny tcp any host 10.20.30.40 eq www
> access-list web extended permit tcp any any eq www
>
> class-map web
>  match access-list web
>
> policy-map global_policy
>  class web
>   inspect http
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect http
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
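Added configuration example (not from this thread or from IPexpert) showing the alternative to the deny ACE: a deny entry in the class's ACL turns inspection off for that flow rather than passing it to the next class, so if the host is meant to be inspected under a different HTTP policy it gets its own class placed first, and the "web" ACL stays permit-only. The client address 192.0.2.10 and the inspection policy map "web-http-map" are assumed for illustration.

```asa
! A custom HTTP inspection policy for the general web class (assumed name).
policy-map type inspect http web-http-map
 parameters
  protocol-violation action drop-connection log
!
! Permit-only ACLs: no deny ACE, so nothing is exempted from inspection.
access-list web-exempt extended permit tcp any host 10.20.30.40 eq www
access-list web extended permit tcp any any eq www
!
class-map web-exempt
 match access-list web-exempt
class-map web
 match access-list web
!
! For one feature type (inspection) a flow is handled by the first class
! that matches it, so the more specific class must come before "web".
policy-map global_policy
 class web-exempt
  inspect http
 class web
  inspect http web-http-map
 class inspection_default
  inspect dns preset_dns_map
  inspect http
!
! Verify which class and inspection a flow hits (192.0.2.10 is a constructed
! client address). With the original deny ACE in ACL "web", the same command
! reports deny=true under domain=inspect http for this flow.
! show service-policy flow tcp host 192.0.2.10 host 10.20.30.40 eq 80
```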
