The denied http traffic should have been inspected by the next default class map which is not happening.
With regards
Kings

On Thu, Mar 22, 2012 at 1:52 PM, Eugene Pefti <[email protected]> wrote:

> I fear I didn't understand your question, Kings.
> Isn't what you are doing with placing the custom web class-map in front of
> the default inspection class map to have the ASA inspection match first on
> the traffic to 10.20.30.40.
> Or your point why HTTP is not inspected in the first place if we use
> "deny" ACE? I believe we "permit" in the ACE to define the traffic that
> will be matched and "deny" to exclude it from matching
>
> Eugene
>
> From: Kingsley Charles <[email protected]>
> Date: Thu, 22 Mar 2012 12:59:24 +0530
> To: <[email protected]>
> Subject: [OSL | CCIE_Security] Application not inspected once denied
>
> Hi all
>
> In ASA, once if we deny the flow for inspection, it never gets inspected
> back in other policies. In the below configuration, http traffic to
> 10.20.30.40 is not inspected by the class inspection_default.
>
> Any comments?
>
> *HTTP traffic to 10.20.30.40 not inspected under class inspection_default*
>
> access-list web extended deny tcp any host 10.20.30.40 eq www
> access-list web extended permit tcp any any eq www
>
> class-map web
>  match access-list web
>
> policy-map global_policy
>  class web
>   inspect http
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect http
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
