This is probably a dumb question, but I don't care : ) I don't understand the logic of this situation. Why should the traffic be inspected if it is explicitly denied in the first class map? At first glance, I would think it works as it should -- The traffic flow comes in, it is denied for inspection in the first class-map. Why would it pass through and be inspected by the class default?
On Thu, Mar 22, 2012 at 4:05 PM, Piotr Kaluzny <[email protected]> wrote:
> Eugene,
>
> I don't believe "match not" is available in L3/4 class-map, at least it was not in older versions of code
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Thu, Mar 22, 2012 at 7:48 PM, Eugene Pefti <[email protected]> wrote:
>>
>> Wouldn’t it be better to use “match not” statement in the first class-map to pass it to the default inspection class?
>>
>> From: Piotr Kaluzny [mailto:[email protected]]
>> Sent: 22 March 2012 11:43
>> To: Kingsley Charles
>> Cc: Eugene Pefti; [email protected]
>> Subject: Re: [OSL | CCIE_Security] Application not inspected once denied
>>
>> It won't hit any other class, again it is a little bit different with "deny" in ACL than in MPF.
>>
>> The logic here is that the "deny" ACL entry actually matches the class as long as an action (like e.g. inspect) is configured for this class. The action will not be performed, however - it turns the specified action off for the flow - useful with "inspect" when you want to only allow passive or active FTP, not both.
>>
>> Regards,
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>> On Thu, Mar 22, 2012 at 7:04 PM, Kingsley Charles <[email protected]> wrote:
>>
>> The denied http traffic should have been inspected by the next default class map which is not happening.
>>
>> With regards
>> Kings
>>
>>
>> On Thu, Mar 22, 2012 at 1:52 PM, Eugene Pefti <[email protected]> wrote:
>>
>> I fear I didn't understand your question, Kings.
>>
>> Isn't what you are doing with placing the custom web class-map in front of the default inspection class map to have the ASA inspection match first on the traffic to 10.20.30.40?
>>
>> Or your point why HTTP is not inspected in the first place if we use "deny" ACE? I believe we "permit" in the ACE to define the traffic that will be matched and "deny" to exclude it from matching.
>>
>> Eugene
>>
>>
>> From: Kingsley Charles <[email protected]>
>> Date: Thu, 22 Mar 2012 12:59:24 +0530
>> To: <[email protected]>
>> Subject: [OSL | CCIE_Security] Application not inspected once denied
>>
>> Hi all
>>
>> In ASA, once if we deny the flow for inspection, it never gets inspected back in other policies. In the below configuration, http traffic to 10.20.30.40 is not inspected by the class inspection_default.
>>
>> Any comments?
>>
>> HTTP traffic to 10.20.30.40 not inspected under class inspection_default
>>
>> access-list web extended deny tcp any host 10.20.30.40 eq www
>> access-list web extended permit tcp any any eq www
>>
>> class-map web
>>  match access-list web
>>
>> policy-map global_policy
>>  class web
>>   inspect http
>>  class inspection_default
>>   inspect dns preset_dns_map
>>   inspect ftp
>>   inspect h323 h225
>>   inspect h323 ras
>>   inspect netbios
>>   inspect rsh
>>   inspect rtsp
>>   inspect skinny
>>   inspect esmtp
>>   inspect sqlnet
>>   inspect sunrpc
>>   inspect tftp
>>   inspect sip
>>   inspect xdmcp
>>   inspect http
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
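The difference Piotr describes, shown as a small Python model rather than ASA code (this is an added example, not part of the thread and not Cisco's classification engine; the policy, ACL and flows are constructed to mirror the configuration quoted above, and the "match default-inspection-traffic" class is reduced to a port table). It evaluates the same HTTP flow to 10.20.30.40 under two readings of a deny ACE inside a class-map: the MPF reading, where the deny ACE still matches the class and only switches the configured action off, and the intuitive "not matched, fall through to the next class" reading that the question starts from.

```python
# Added example: a simplified model of ASA MPF class matching, constructed to
# illustrate the thread's point. Not ASA code; it ignores features other than
# "inspect" and reduces "match default-inspection-traffic" to a port table.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str
    src: str               # "any" or a CIDR network
    dst: str               # "any" or a CIDR network
    dport: Optional[int]   # None means any destination port

    def matches(self, flow: Flow) -> bool:
        def in_scope(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto == flow.proto
                and in_scope(self.src, flow.src)
                and in_scope(self.dst, flow.dst)
                and (self.dport is None or self.dport == flow.dport))


def acl_lookup(acl, flow: Flow) -> Optional[str]:
    """First-match ACL evaluation: 'permit', 'deny', or None when no ACE hit."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return None


# Constructed policy mirroring the config quoted in the thread.
ACL_WEB = [
    Ace("deny",   "tcp", "any", "10.20.30.40/32", 80),
    Ace("permit", "tcp", "any", "any",            80),
]
# Stand-in for "match default-inspection-traffic" (only the entries used here).
DEFAULT_INSPECTION_PORTS = {("tcp", 80): "http", ("udp", 53): "dns"}

POLICY = [
    ("web",                ("acl", ACL_WEB),   {"inspect": ["http"]}),
    ("inspection_default", ("default", None),  {"inspect": ["http", "dns", "ftp"]}),
]


def classify(flow: Flow, deny_semantics: str):
    """Walk the policy-map top-down; the first class whose criteria hit the
    flow owns the 'inspect' feature for it.

    deny_semantics="mpf":         a deny ACE still matches the class but turns
                                  the configured action off (as Piotr describes).
    deny_semantics="fallthrough": a deny ACE counts as "not matched", so the
                                  flow is offered to later classes (the
                                  intuition behind the original question).
    Returns (class_name, list_of_inspection_engines_applied).
    """
    for name, (kind, acl), actions in POLICY:
        if kind == "acl":
            verdict = acl_lookup(acl, flow)
            if verdict == "permit":
                return name, list(actions["inspect"])
            if verdict == "deny" and deny_semantics == "mpf":
                return name, []       # class matched; inspect switched off
            continue                  # deny (fallthrough) or no ACE hit
        engine = DEFAULT_INSPECTION_PORTS.get((flow.proto, flow.dport))
        if engine and engine in actions["inspect"]:
            return name, [engine]
    return "class-default", []


if __name__ == "__main__":
    to_host = Flow("tcp", "192.0.2.10", "10.20.30.40", 80)   # constructed flow
    for mode in ("mpf", "fallthrough"):
        print(mode, classify(to_host, mode))
```

Under the "mpf" reading the flow to 10.20.30.40 is claimed by class web with no inspection applied, which is exactly the symptom reported; under the "fallthrough" reading it would reach inspection_default and be inspected. HTTP to any other host is permitted by the ACL and inspected in class web either way.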
