Hello Michael, 

The ASA will create the class map, policy map and apply it globally using the 
fixup ICMP command. It just converts all the commands to MPF commands. 

By using clear config fixup (with no class maps and policy maps ever 
created) the firewall will create everything from scratch, using the default 
values (class inspection default, policy map global policy and even the 
service-policy).

Mike Rojas
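
An added example, not part of the thread: a small offline check that reports which of the default MPF objects discussed here are absent from a saved running-config, so a missing global inspection policy is noticed before the box goes into production. It assumes the stock object names `inspection_default` and `global_policy`; the sample configs are constructed.

```python
def parse_blocks(config_text):
    """Map each top-level config line to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment lines
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_default_mpf(config_text):
    """Return (missing, inspects); assumes default names inspection_default/global_policy."""
    blocks = parse_blocks(config_text)
    missing, inspects = [], []
    cmap = blocks.get("class-map inspection_default")
    if cmap is None or "match default-inspection-traffic" not in cmap:
        missing.append("class-map inspection_default")
    pmap = blocks.get("policy-map global_policy")
    in_class = False
    for line in pmap or []:
        if line.startswith("class "):
            in_class = line == "class inspection_default"
        elif in_class and line.startswith("inspect "):
            inspects.append(line)  # only inspects under the default class count
    if pmap is None:
        missing.append("policy-map global_policy")
    elif not inspects:
        missing.append("inspect lines under class inspection_default")
    if "service-policy global_policy global" not in blocks:
        missing.append("service-policy global_policy global")
    return missing, inspects

# Constructed sample configs (not taken from the thread).
HEALTHY = """\
hostname asa-lab
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
service-policy global_policy global
"""
STRIPPED = "hostname asa-lab\ninterface Vlan1\n nameif inside\n"

if __name__ == "__main__":
    print({n: audit_default_mpf(c) for n, c in (("healthy", HEALTHY), ("stripped", STRIPPED))})
```

The returned `inspects` list also gives a record of the inspect statements on a known-good unit, which can be kept for comparison instead of copying from another ASA by hand.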



> From: [email protected]
> To: [email protected]
> Date: Tue, 2 Oct 2012 00:47:48 +0100
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Sometimes Default MPF Missing on ASAs
> 
> piotr
> 
> if the class and policy maps are missing from the config then how is the asa 
> performing inspection and is the effectiveness of the firewall affected
> 
> i've seen this myself but on two asa 5505s running 8.3 and i've been unsure 
> of what effect copying the class map etc onto a production box would have
> 
> thanks
> 
> This was sent from my Blackberry Device.
> 
> ----- Original Message -----
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: Monday, October 01, 2012 08:56 PM
> To: Jason Madsen <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Sometimes Default MPF Missing on ASAs
> 
> Jason,
> 
> This is happening sometimes on 8.0 software. The trick I use is a command 
> 'fixup icmp' which is the old 'inspection' command and should get all MPF 
> configuration back.
> Give it a try.
> 
> Regards,
> Piotr
> 
> 
> On Oct 1, 2012, at 7:31 PM, Jason Madsen wrote:
> 
> > Hi Group,
> > 
> > I've come across situations where the default policy-map and default class 
> > inspection_default do not exist.  Have seen sometimes (usually) ASAs will 
> > keep them after doing a "clear config all", but other times delete them 
> > after doing so.  Is there something to reference within the CLI that shows 
> > what all of the default inspect statements are within the default policy in 
> > case we ever come across an ASA that does not have them already?  I've 
> > usually just hopped over to another ASA somewhere and copied the defaults 
> > over, but I'm wondering if there's a way to get this information without 
> > having to do that and/or have to search for this info online.
> > 
> > Thanks,
> > Jason
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please 
> > visit www.ipexpert.com
> > 
> > Are you a CCNP or CCIE and looking for a job? Check out 
> > www.PlatinumPlacement.com
> 