
Cisco ASA Series Configuration Guide

Cisco ASA Series
428 pages
11-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
Configure Service Policies
Identify Traffic (Layer 3/4 Class Maps)
A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. You can create
multiple Layer 3/4 class maps for each Layer 3/4 policy map.
Create a Layer 3/4 Class Map for Through Traffic, page 11-13
Create a Layer 3/4 Class Map for Management Traffic, page 11-15
Create a Layer 3/4 Class Map for Through Traffic
A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4
attributes.
Tip: We suggest that you inspect traffic only on ports on which you expect application traffic; if you inspect
all traffic, for example using match any, the ASA performance can be impacted.
Procedure
Step 1 Create a Layer 3/4 class map, where class_map_name is a string up to 40 characters in length.
class-map class_map_name
The name “class-default” is reserved. All types of class maps use the same name space, so you cannot
reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Example:
hostname(config)# class-map all_udp
Step 2 (Optional) Add a description to the class map.
description string
Example:
hostname(config-cmap)# description All UDP traffic
Step 3 Match traffic using one of the following commands. Unless otherwise specified, you can include only
one match command in the class map.
match any—Matches all traffic.
hostname(config-cmap)# match any
match access-list access_list_name—Matches traffic specified by an extended ACL. If the ASA is
operating in transparent firewall mode, you can use an EtherType ACL.
hostname(config-cmap)# match access-list udp
match port {tcp | udp} {eq port_num | range port_num port_num}—Matches TCP or UDP
destination ports, either a single port or a contiguous range of ports. For applications that use
multiple, non-contiguous ports, use the match access-list command and define an ACE to match
each port.
hostname(config-cmap)# match port tcp eq 80
match default-inspection-traffic—Matches default traffic for inspection: the default TCP and
UDP ports used by all applications that the ASA can inspect.
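
The following Python check is an added example, not part of the Cisco guide. It reviews candidate class-map configuration text against the rules stated in Steps 1 and 3 and in the Tip above. It assumes the text uses one-space-indented subcommands under each class-map line; the function names and the sample configuration are constructed for illustration.

```python
RESERVED_NAME = "class-default"   # reserved name, per Step 1
MAX_NAME_LEN = 40                 # name length limit, per Step 1

# Constructed sample configuration, not taken from the guide.
SAMPLE = """\
class-map all_traffic
 description Everything
 match any
class-map web_ports
 match port tcp eq 80
 match port tcp eq 8080
class-map class-default
 match access-list udp
class-map http_only
 match port tcp eq 80
"""

def parse_class_maps(config):
    """Return {name: [match commands]} for untyped (Layer 3/4) class maps."""
    maps, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():
            # A top-level line ends the previous block; only "class-map NAME" opens one.
            is_l34 = words[0] == "class-map" and len(words) == 2
            current = words[1] if is_l34 else None
            if current is not None:
                maps.setdefault(current, [])
        elif current is not None and words[0] == "match":
            maps[current].append(" ".join(words))
    return maps

def lint(config):
    """Return (class_map_name, finding) pairs for the rules in the procedure."""
    findings = []
    for name, matches in parse_class_maps(config).items():
        if name == RESERVED_NAME:
            findings.append((name, "reserved-name"))
        if len(name) > MAX_NAME_LEN:
            findings.append((name, "name-too-long"))
        if "match any" in matches:      # Tip: inspecting all traffic can impact performance
            findings.append((name, "match-any"))
        if len(matches) > 1:            # Step 3: one match command unless otherwise specified
            findings.append((name, "multiple-match"))
    return findings

if __name__ == "__main__":
    for name, finding in lint(SAMPLE):
        print(f"{name}: {finding}")
```

A multiple-match finding is a prompt for review rather than a definite error, because the guide allows more than one match command where otherwise specified; for non-contiguous ports the guide's remedy is a single match access-list command with one ACE per port.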
