32-17
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter32 Configuring a Service Policy Using the Modular Policy Framework
Applying Actions to an Interface (Service Policy)
The following example shows how traffic matches the first available class map, and will not match any
subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout idle 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout idle 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is
initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match
class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the ASA does
not make this match because they previously matched other classes.
Applying Actions to an Interface (Service Policy)
To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or
that applies it globally to all interfaces.
Restrictions
You can only apply one global policy, so if you want to alter the global policy, you need to either edit
the default policy or disable it and apply a new one. By default, the configuration includes a global policy
that matches all default application inspection traffic and applies inspection to the traffic globally. The
default service policy includes the following command:
service-policy global_policy global