Kings,

I might have mixed up the commands, cannot access the pod now - try packet-tracer for verification.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Mar 22, 2012 at 7:11 PM, Kingsley Charles <[email protected]> wrote:

> Thanks Piotr.
>
> I get the following O/P which seems to be matching by inspection_default.
>
> Global policy:
>   Service-policy: global_policy
>     Class-map: inspection_default
>       Match: default-inspection-traffic
>       Action:
>         Input flow: inspect http
>     Class-map: class-default
>       Match: any
>       Action:
>         Output flow:
>
> With regards
> Kings
>
> On Thu, Mar 22, 2012 at 10:17 PM, Piotr Kaluzny <[email protected]> wrote:
>
>> Kings,
>>
>> You are right - it is often an overlooked concept. Basically it does not
>> work the same as MPF. Just verify with "sh service-policy flow" :
>>
>> "deny=true" for "domain=inspect X" means that inspection was disabled for
>> protocol "X".
>>
>> Regards,
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On Thu, Mar 22, 2012 at 8:29 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi all
>>>
>>> In ASA, once we deny the flow for inspection, it never gets inspected
>>> back in other policies. In the below configuration, http traffic to
>>> 10.20.30.40 is not inspected by the class inspection_default.
>>>
>>> Any comments?
>>>
>>> *HTTP traffic to 10.20.30.40 not inspected under class inspection_default*
>>>
>>> access-list web extended deny tcp any host 10.20.30.40 eq www
>>> access-list web extended permit tcp any any eq www
>>>
>>> class-map web
>>>  match access-list web
>>>
>>> policy-map global_policy
>>>  class web
>>>   inspect http
>>>  class inspection_default
>>>   inspect dns preset_dns_map
>>>   inspect ftp
>>>   inspect h323 h225
>>>   inspect h323 ras
>>>   inspect netbios
>>>   inspect rsh
>>>   inspect rtsp
>>>   inspect skinny
>>>   inspect esmtp
>>>   inspect sqlnet
>>>   inspect sunrpc
>>>   inspect tftp
>>>   inspect sip
>>>   inspect xdmcp
>>>   inspect http
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
