32-20

Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 32 Configuring a Service Policy Using the Modular Policy Framework
Configuration Examples for Modular Policy Framework
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers

In this example (see Figure 32-3), any HTTP connection destined for Server A (TCP traffic on port 80) that enters the ASA through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the access list in the class map, so they are not affected.

Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the access list in the class map, so they are not affected.

Figure 32-3 HTTP Inspection and Connection Limits to Specific Servers
See the following commands for this example:
hostname(config)# object network obj-192.168.1.2
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 209.165.201.1
hostname(config)# object network obj-192.168.1.0
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 209.165.201.2
hostname(config)# access-list serverA extended permit tcp any host 209.165.201.1 eq 80
hostname(config)# access-list serverB extended permit tcp any host 209.165.200.227 eq 80
hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB
hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http
[Figure 32-3, HTTP Inspection and Connection Limits to Specific Servers, shows a security appliance with an inside and an outside interface.
Inside: Server A (Real Address 192.168.1.2, Mapped Address 209.165.201.1) and Host B (Real Address 192.168.1.1, Mapped Address 209.165.201.2:port).
Outside: Host A (209.165.200.226) and Server B (209.165.200.227).
Traffic to Server A on port 80 is marked "insp." and "set conns" (inspection plus connection limits); traffic to Server B on port 80 is marked "insp." (inspection only).]
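The following Python model is an added example, not Cisco code and not part of the original guide. It reproduces the classification decisions the text describes: the ingress interface selects a service policy, the policy map's classes are tested in order, the first class whose access list matches supplies the actions, and a conn-max action is enforced by counting open connections for that class. The two service-policy attachments (policy_serverA on outside, policy_serverB on inside) are an assumption taken from the prose, since the attachment commands are not on this page; the access lists use the addresses exactly as the page gives them. One check worth making on a release from 8.3 onward, where access lists are written with real (untranslated) addresses: the serverA access list would then need to reference 192.168.1.2 rather than the mapped 209.165.201.1, or the class would never match and neither inspection nor the connection limit would take effect.

```python
"""Toy model of ASA Modular Policy Framework classification for the
Server A / Server B example.  Added illustration; not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME extended permit PROTO SRC DST eq PORT' entry."""
    protocol: str
    src: Net
    dst: Net
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Flow:
    """A new connection as seen when its first packet enters the ASA."""
    ingress: str      # interface the packet arrives on
    protocol: str
    src: str
    dst: str
    dst_port: int


# Access lists as on the page (ASA ACL names are case-sensitive, so both
# the access-list and the class-map use "serverB").
ACCESS_LISTS: Dict[str, List[Ace]] = {
    "serverA": [Ace("tcp", ANY, Net("209.165.201.1/32"), 80)],
    "serverB": [Ace("tcp", ANY, Net("209.165.200.227/32"), 80)],
}
# class-map NAME / match access-list ACL
CLASS_MAPS: Dict[str, str] = {"http_serverA": "serverA", "http_serverB": "serverB"}
# policy-map NAME -> ordered (class, actions); first matching class wins.
POLICY_MAPS: Dict[str, List[Tuple[str, dict]]] = {
    "policy_serverA": [("http_serverA", {"inspect": "http", "conn-max": 100})],
    "policy_serverB": [("http_serverB", {"inspect": "http"})],
}
# ASSUMPTION: interface attachments implied by the prose, not shown on the page.
SERVICE_POLICY: Dict[str, str] = {"outside": "policy_serverA", "inside": "policy_serverB"}


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (ace.protocol == flow.protocol
            and ipaddress.IPv4Address(flow.src) in ace.src
            and ipaddress.IPv4Address(flow.dst) in ace.dst
            and (ace.dst_port is None or ace.dst_port == flow.dst_port))


def class_matches(class_name: str, flow: Flow) -> bool:
    acl = ACCESS_LISTS[CLASS_MAPS[class_name]]
    return any(ace_matches(ace, flow) for ace in acl)


def classify(flow: Flow) -> Tuple[Optional[str], dict]:
    """Return (matching class, actions) for the flow, or (None, {}) when no
    class in the ingress interface's policy matches.  A global policy would
    be consulted after the interface policy; it is not modelled here."""
    policy = SERVICE_POLICY.get(flow.ingress)
    if policy is None:
        return None, {}
    for class_name, actions in POLICY_MAPS[policy]:
        if class_matches(class_name, flow):
            return class_name, dict(actions)
    return None, {}


class ConnTable:
    """Counts open connections per class so 'set connection conn-max N'
    can refuse the (N+1)th connection matching that class."""

    def __init__(self) -> None:
        self.open: Dict[str, int] = {}

    def admit(self, flow: Flow) -> bool:
        cls, actions = classify(flow)
        limit = actions.get("conn-max")
        if cls is None or limit is None:
            return True                      # no limit applies to this flow
        if self.open.get(cls, 0) >= limit:
            return False                     # conn-max reached: new connection dropped
        self.open[cls] = self.open.get(cls, 0) + 1
        return True

    def close(self, flow: Flow) -> None:
        cls, _ = classify(flow)
        if cls in self.open and self.open[cls] > 0:
            self.open[cls] -= 1


if __name__ == "__main__":
    # Constructed sample flows mirroring the four cases in the text.
    host_a_to_server_a = Flow("outside", "tcp", "209.165.200.226", "209.165.201.1", 80)
    server_a_to_host_a = Flow("inside", "tcp", "192.168.1.2", "209.165.200.226", 8080)
    host_b_to_server_b = Flow("inside", "tcp", "192.168.1.1", "209.165.200.227", 80)
    server_b_to_host_b = Flow("outside", "tcp", "209.165.200.227", "209.165.201.2", 443)
    for f in (host_a_to_server_a, server_a_to_host_a, host_b_to_server_b, server_b_to_host_b):
        print(f.ingress, f.src, "->", f.dst, f.dst_port, classify(f))
```

Running the block prints the class and actions chosen for each of the four flows from the text; only Host A to Server A carries both inspection and the connection limit, only Host B to Server B carries inspection, and the two server-initiated flows match nothing.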