Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter 37 Cisco Common Classification Policy Language
Policy Map

Add an Inspection Policy Map

Inspection policy maps specify the action that the router will take for traffic that
matches the criteria in the associated class maps. The router can allow the traffic
to pass, can drop the traffic and optionally log the event, or can inspect the traffic.

The name and description that you enter will be visible in the Inspect Policy Maps
window. The Class Map and Action columns display the class maps associated
with this policy map, and the action that the router will take for the traffic that
each class map describes.

Click Add to add a new class map to the list and configure the action. Click Edit
to modify the settings for a class map. Click the Move Up and Move Down
buttons to change the order in which the class maps are evaluated.

Layer 7 Policy Map

This window allows you to select a Layer 7 Policy map to use to inspect an
application that you have selected. The window displays the policy maps available
for that application. Choose a policy map and click OK.
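
The following Cisco IOS configuration is an added example, not part of the original
guide. It shows how an inspection policy map with ordered class maps, the pass,
drop-and-log, and inspect actions, and an attached Layer 7 policy map can look on
the command line. All class map and policy map names are hypothetical.

```cisco
! Constructed example; every class-map and policy-map name is hypothetical.
! Layer 3/4 class maps: select traffic by protocol.
class-map type inspect match-any CM-WEB
 match protocol http
class-map type inspect match-any CM-PING
 match protocol icmp
!
! Layer 7 (HTTP) class map: requests that misuse the HTTP port.
class-map type inspect http match-any CM-HTTP-MISUSE
 match request port-misuse any
!
! Layer 7 policy map: reset and log the matching HTTP sessions.
policy-map type inspect http PM-HTTP-L7
 class type inspect http CM-HTTP-MISUSE
  reset
  log
!
! Inspection policy map: class maps are evaluated from top to bottom.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 ! inspect: track the session statefully and apply the Layer 7 policy map.
 class type inspect CM-WEB
  inspect
  service-policy http PM-HTTP-L7
 ! pass: forward without inspection; return traffic needs its own policy.
 class type inspect CM-PING
  pass
 ! Everything that matched no earlier class map is dropped and logged.
 class class-default
  drop log
```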

Application Inspection

Application inspection policies are applied at Layer 7 of the Open Systems
Interconnect (OSI) model, where user applications send and receive messages that
allow the applications to offer useful capabilities. Some applications might offer
undesired or vulnerable capabilities, so the messages associated with these
capabilities must be filtered to limit activities on the application services.
Cisco IOS Software Zone-Policy Firewall offers application inspection and
control on the following application services: HTTP, SMTP, POP3, IMAP,
SUNRPC, P2P, and IMAP applications. See the following links for more
information:
Add an HTTP Inspection Class Map
Add or Edit an SMTP Class Map
Add or Edit a POP3 Class Map
Add or Edit an IMAP Class Map
Add or Edit a SUNRPC Class Map