Eugene, I don't believe "match not" is available in an L3/4 class-map, at least it was not in older versions of the code.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Mar 22, 2012 at 7:48 PM, Eugene Pefti <[email protected]> wrote:
> Wouldn't it be better to use the "match not" statement in the first
> class-map to pass it to the default inspection class?
>
> From: Piotr Kaluzny [mailto:[email protected]]
> Sent: 22 March 2012 11:43
> To: Kingsley Charles
> Cc: Eugene Pefti; [email protected]
> Subject: Re: [OSL | CCIE_Security] Application not inspected once denied
>
> It won't hit any other class, again it is a little bit different with
> "deny" in an ACL than in MPF.
>
> The logic here is that the "deny" ACL entry actually matches the class as
> long as an action (like e.g. inspect) is configured for this class. The
> action will not be performed, however - it turns the specified action off
> for the flow - useful with "inspect" when you want to only allow passive or
> active FTP, not both.
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Thu, Mar 22, 2012 at 7:04 PM, Kingsley Charles <[email protected]> wrote:
> The denied http traffic should have been inspected by the next default
> class map, which is not happening.
>
> With regards
> Kings
>
> On Thu, Mar 22, 2012 at 1:52 PM, Eugene Pefti <[email protected]> wrote:
> I fear I didn't understand your question, Kings.
>
> Isn't what you are doing, with placing the custom web class-map in front of
> the default inspection class map, to have the ASA inspection match first on
> the traffic to 10.20.30.40?
>
> Or is your point why HTTP is not inspected in the first place if we use a
> "deny" ACE? I believe we "permit" in the ACE to define the traffic that
> will be matched and "deny" to exclude it from matching.
>
> Eugene
>
> From: Kingsley Charles <[email protected]>
> Date: Thu, 22 Mar 2012 12:59:24 +0530
> To: <[email protected]>
> Subject: [OSL | CCIE_Security] Application not inspected once denied
>
> Hi all
>
> In the ASA, once we deny a flow for inspection, it never gets inspected
> again in other policies. In the below configuration, http traffic to
> 10.20.30.40 is not inspected by the class inspection_default.
>
> Any comments?
>
> HTTP traffic to 10.20.30.40 not inspected under class inspection_default
>
> access-list web extended deny tcp any host 10.20.30.40 eq www
> access-list web extended permit tcp any any eq www
>
> class-map web
>  match access-list web
>
> policy-map global_policy
>  class web
>   inspect http
>  class inspection_default
>   inspect dns preset_dns_map
>   inspect ftp
>   inspect h323 h225
>   inspect h323 ras
>   inspect netbios
>   inspect rsh
>   inspect rtsp
>   inspect skinny
>   inspect esmtp
>   inspect sqlnet
>   inspect sunrpc
>   inspect tftp
>   inspect sip
>   inspect xdmcp
>   inspect http
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
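Added example, not part of the thread and not Cisco code: a small Python model of the MPF matching behaviour Piotr describes above, applied to Kings' policy. It assumes (as the thread states) that a flow is checked against the classes of the policy-map in order, that an access-list entry matches the class whether it is "permit" or "deny", and that a "deny" match claims the flow for that class with the action switched off, so the flow does not fall through to inspection_default. The Flow, Ace and ClassMap types, the per-port table standing in for "match default-inspection-traffic", and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
"""Model of the ASA MPF behaviour described in the thread (constructed example,
not ASA code): classes of a policy-map are checked in order; an access-list
entry matches the class whether it is 'permit' or 'deny'; a 'deny' entry claims
the flow for that class but switches the class's action off, so the flow does
not fall through to a later class (here: inspection_default) for inspection."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" / "udp"
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'access-list web extended deny tcp any host X eq www'."""
    action: str                  # "permit" or "deny"
    proto: str
    src: str                     # "any" or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None  # None means any port

    def matches(self, f: Flow) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (self.proto == f.proto and in_net(f.src, self.src)
                and in_net(f.dst, self.dst)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class ClassMap:
    name: str
    acl: Optional[List[Ace]] = None                             # match access-list ...
    default_ports: Optional[Dict[Tuple[str, int], str]] = None  # stands in for match default-inspection-traffic
    inspects: List[str] = field(default_factory=list)           # the class's 'inspect <engine>' lines

    def match(self, f: Flow) -> Optional[str]:
        """Return 'permit' or 'deny' if the flow matches this class, else None.
        The first matching ACE decides, and a 'deny' ACE still counts as a match."""
        if self.acl is not None:
            for ace in self.acl:
                if ace.matches(f):
                    return ace.action
            return None
        if self.default_ports is not None and (f.proto, f.dport) in self.default_ports:
            return "permit"
        return None

    def engines_for(self, f: Flow) -> List[str]:
        """Inspection engines this class would run on a flow it has matched."""
        if self.default_ports is not None:
            eng = self.default_ports[(f.proto, f.dport)]
            return [eng] if eng in self.inspects else []
        return list(self.inspects)


def evaluate_inspection(policy: List[ClassMap], f: Flow) -> dict:
    """The first class with an inspect action that matches the flow claims it for
    inspection. A 'deny' match suppresses the inspection instead of skipping the class."""
    for cm in policy:
        if not cm.inspects:
            continue
        verdict = cm.match(f)
        if verdict is None:
            continue
        return {"class": cm.name, "matched_by": verdict,
                "inspected": cm.engines_for(f) if verdict == "permit" else []}
    return {"class": None, "matched_by": None, "inspected": []}


# Kings' policy from the thread (only a few of inspection_default's engines kept).
WEB_ACL = [
    Ace("deny", "tcp", "any", "10.20.30.40/32", 80),
    Ace("permit", "tcp", "any", "any", 80),
]
GLOBAL_POLICY = [
    ClassMap("web", acl=WEB_ACL, inspects=["http"]),
    ClassMap("inspection_default",
             default_ports={("tcp", 80): "http", ("tcp", 21): "ftp", ("udp", 53): "dns"},
             inspects=["dns", "ftp", "http"]),
]

if __name__ == "__main__":
    for flow in (Flow("tcp", "192.0.2.10", "10.20.30.40", 80),    # hits the deny ACE
                 Flow("tcp", "192.0.2.10", "198.51.100.5", 80),   # hits the permit ACE
                 Flow("tcp", "192.0.2.10", "198.51.100.5", 21)):  # not in ACL web at all
        print(flow.dst, flow.dport, evaluate_inspection(GLOBAL_POLICY, flow))
```

Run as a script it shows the three cases side by side: HTTP to 10.20.30.40 is matched by class web through the deny ACE and leaves with no inspection, HTTP to any other host is matched by the permit ACE and gets inspect http, and a flow that no ACE in "web" matches at all (FTP here) is the only one that reaches inspection_default. Under an access-group, by contrast, a deny entry would drop the packet; in the class-map it is a match with the action turned off.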
