Thanks Piotr.

I get the following O/P, which seems to be matched by inspection_default.

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Match: default-inspection-traffic
      Action:
        Input flow:  inspect http
    Class-map: class-default
      Match: any
      Action:
            Output flow:



With regards
Kings

On Thu, Mar 22, 2012 at 10:17 PM, Piotr Kaluzny <[email protected]> wrote:

> Kings,
>
> You are right - it is often an overlooked concept. Basically it does not
> work the same as MPF. Just verify with "sh service-policy flow":
>
> "deny=true" for "domain=inspect X" means that inspection was disabled for
> protocol "X".
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Thu, Mar 22, 2012 at 8:29 AM, Kingsley Charles <
> [email protected]> wrote:
>
>> Hi all
>>
>> In ASA, once we deny a flow for inspection, it never gets inspected
>> again in other policies. In the configuration below, HTTP traffic to
>> 10.20.30.40 is not inspected by the class inspection_default.
>>
>> Any comments?
>>
>>
>> *HTTP traffic to 10.20.30.40 not inspected under class inspection_default*
>>
>> access-list web extended deny tcp any host 10.20.30.40 eq www
>> access-list web extended permit tcp any any eq www
>>
>> class-map web
>>  match access-list web
>>
>> policy-map global_policy
>>  class web
>>   inspect http
>>  class inspection_default
>>   inspect dns preset_dns_map
>>   inspect ftp
>>   inspect h323 h225
>>   inspect h323 ras
>>   inspect netbios
>>   inspect rsh
>>   inspect rtsp
>>   inspect skinny
>>   inspect esmtp
>>   inspect sqlnet
>>   inspect sunrpc
>>   inspect tftp
>>   inspect sip
>>   inspect xdmcp
>>   inspect http
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>