33-6
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter33 Configuring Special Actions for Application Insp ections (Inspection Policy Map)
Identifying Traffic in an Inspection Class Map
Identifying Traffic in an Inspection Class Map
This type of class map allows you to match criteria that is specific to an application. For example, for
DNS traffic, you can match the domain name in a DNS query.
A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a list of
matches (in a match-any class map). The difference between creating a class map and defining the traffic
match directly in the inspection policy map is that the class map lets you group multiple match
commands, and you can reuse class maps. For the traffic that you identify in this class map, you can
specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map.
If you want to perform different actions on different types of traffic, you should identify the traffic
directly in the policy map.
Restrictions
Not all applications support inspection class maps. See the CLI help for class-map type inspect for a
list of supported applications.
Detailed Steps
Command Purpose
Step1 (Optional)
Create a regular expression.
See the “Creating a Regular Expression” section on page13-12
and the “Creating a Regular Expression Class Map” section on
page 13-15.
Step2 class-map type inspect application
[match-all | match-any] class_map_name
Example:
hostname(config)# class-map type inspect
http http_traffic
hostname(config-cmap)#
Creates an inspection class map, where the application is the
application you want to inspect. For supported applications, see
the CLI help for a list of supported applications or see Chapter 42,
“Getting Started with Application Layer Protocol Inspection.”
The class_map_name argument is the name of the class map up to
40 characters in length.
The match-all keyword is the default, and specifies that traffic
must match all criteria to match the class map.
The match-any keyword specifies that the traffic matches the
class map if it matches at least one of the criteria.
The CLI enters class-map configuration mode, where you can
enter one or more match commands.