CHAPT ER
33-1
Cisco ASA 5500 Series Configuration Guide using the CLI
33
Configuring Special Actions for Application Inspections (Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an inspection policy map. When the inspection policy map matches traffic within the Layer
3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted
upon as specified (for example, dropped or rate-limited).
This chapter includes the following sections:
Information About Inspection Policy Maps, page33-1
Guidelines and Limitations, page33-2
Default Inspection Policy Maps, page33-2
Defining Actions in an Inspection Policy Map, page33-2
Identifying Traffic in an Inspection Class Map, page33-6
Where to Go Next, page33-7

Information About Inspection Policy Maps

See the “Configuring Application Layer Protocol Inspection” section on page42-6 for a list of
applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depends on the application.
Traffic matching command—You can define a traffic matching command directly in the inspection
policy map to match application traffic to criteria specific to the application, such as a URL string,
for which you then enable actions.
Some traffic matching commands can specify regular expressions to match text inside a packet.
Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.
Inspection class map—(Not available for all applications. See the CLI help for a list of supported
applications.) An inspection class map includes traffic matching commands that match application
traffic with criteria specific to the application, such as a URL string. You then identify the class map
in the policy map and enable actions. The difference between creating a class map and defining the
traffic match directly in the inspection policy map is that you can create more complex match criteria
and you can reuse class maps.