Wouldn't it be better to use a "match not" statement in the first class-map to 
pass it to the default inspection class?

From: Piotr Kaluzny [mailto:[email protected]]
Sent: 22 March 2012 11:43
To: Kingsley Charles
Cc: Eugene Pefti; [email protected]
Subject: Re: [OSL | CCIE_Security] Application not inspected once deniede

It won't hit any other class, again it is a little bit different with "deny" in 
ACL than in MPF.

The logic here is that the "deny" ACL entry actually matches the class as long 
as an action (like e.g. inspect) is configured for this class. The action will 
not be performed, however - it turns the specified action off for the flow - 
useful with "inspect" when you want to only allow passive or active FTP, not 
both.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Mar 22, 2012 at 7:04 PM, Kingsley Charles 
<[email protected]> wrote:
The denied http traffic should have been inspected by the next default class 
map which is not happening.

With regards
Kings

On Thu, Mar 22, 2012 at 1:52 PM, Eugene Pefti 
<[email protected]> wrote:
I fear I didn't understand your question, Kings.
Isn't what you are doing with placing the custom web class-map in front of the 
default inspection class map to have the ASA inspection match first on the 
traffic to 10.20.30.40?
Or is your point why HTTP is not inspected in the first place if we use "deny" 
ACE? I believe we "permit" in the ACE to define the traffic that will be 
matched and "deny" to exclude it from matching.

Eugene

From: Kingsley Charles <[email protected]>
Date: Thu, 22 Mar 2012 12:59:24 +0530
To: <[email protected]>
Subject: [OSL | CCIE_Security] Application not inspected once deniede

Hi all

In ASA, once we deny the flow for inspection, it never gets inspected again 
in other policies. In the below configuration, http traffic to 10.20.30.40 is 
not inspected by the class inspection_default.

Any comments?


HTTP traffic to 10.20.30.40 is not inspected under class inspection_default:

access-list web extended deny tcp any host 10.20.30.40 eq www
access-list web extended permit tcp any any eq www

class-map web
 match access-list web

policy-map global_policy
 class web
  inspect http
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
With regards
Kings
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

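The matching rule Piotr describes (a deny ACE still matches the class, it only switches the class's actions off, and the flow does not fall through to inspection_default) is easy to get wrong when reading the config above. The following Python model is an added example, not ASA code and not from any poster in this thread; it encodes the thread's access-list and policy-map as data (with the default-inspection ports reduced to dns, ftp and http for brevity) and classifies a few constructed flows. Only a flow that hits no ACE at all in class "web" reaches inspection_default.

```python
from ipaddress import ip_address, ip_network

# Constructed model of ASA MPF class matching (not ASA code). An ACE is
# (action, protocol, destination network, destination port); classes are
# evaluated in policy-map order, first match wins for the inspect feature.
def ace(action, proto, dst, dport):
    return {"action": action, "proto": proto, "dst": ip_network(dst), "dport": dport}

# access-list "web" and policy-map global_policy from the thread, as data.
ACL_WEB = [ace("deny", "tcp", "10.20.30.40/32", 80),
           ace("permit", "tcp", "0.0.0.0/0", 80)]

# inspection_default uses "match default-inspection-traffic"; only a subset of
# the default ports is modelled here (constructed, enough for the example).
DEFAULT_INSPECTION = {("udp", 53): "dns", ("tcp", 21): "ftp", ("tcp", 80): "http"}

POLICY = [
    {"name": "web", "acl": ACL_WEB, "inspect": ["http"]},
    {"name": "inspection_default", "default": DEFAULT_INSPECTION},
]

def first_ace(acl, flow):
    """First-match ACE lookup. None means no ACE hit (implicit deny), i.e. the
    class-map did not match at all and the next class is tried."""
    for e in acl:
        if (e["proto"] == flow["proto"] and e["dport"] == flow["dport"]
                and ip_address(flow["dst"]) in e["dst"]):
            return e
    return None

def classify(flow, policy=POLICY):
    """Return (class name, inspections applied) for the first class the flow
    matches. A hit on a deny ACE still counts as matching the class, but the
    class's actions are turned off, so the flow never reaches later classes."""
    for cls in policy:
        if "acl" in cls:
            hit = first_ace(cls["acl"], flow)
            if hit is None:
                continue                          # class not matched: next class
            if hit["action"] == "deny":
                return cls["name"], []            # matched, inspection disabled
            return cls["name"], list(cls["inspect"])
        if "default" in cls:
            key = (flow["proto"], flow["dport"])
            if key in cls["default"]:
                return cls["name"], [cls["default"][key]]
    return None, []

if __name__ == "__main__":
    for dst, proto, port in [("10.20.30.40", "tcp", 80), ("198.51.100.7", "tcp", 80)]:
        print(dst, proto, port, "->", classify({"dst": dst, "proto": proto, "dport": port}))
```

Swapping ACL_WEB for an ACL that does not cover 10.20.30.40 at all (no deny, just a narrower permit) is the only way, in this model, to make that flow fall through to inspection_default.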