Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505

36-9

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter36 Configuring a Service Policy

Adding a Service Policy Rule for Through Traffic

c. (Optional) Enter a description in the Description field.

•Global - applies to all interfaces. This option applies the service policy globally to all interfaces.

By default, a global policy exists that includes a service policy rule for default application

inspection. See the “Default Settings” section on page 36-6 for more information. You can add a rule

to the global policy using the wizard.

a. If it is a new service policy, enter a name in the Policy Name field.

b. (Optional) Enter a description in the Description field.

Step3 Click Next.

The Add Service Policy Rule Wizard - Traffic Classification Criteria dialog box appears.

Step4 Click one of the following options to specify the traffic to which to apply the policy actions:

•Create a new traffic class. Enter a traffic class name in the Create a new traffic class field, and enter

an optional description.

Identify the traffic using one of several criteria:

–

Default Inspection Traffic—The class matches the default TCP and UDP ports used by all

applications that the ASA can inspect.

This option, which is used in the default global policy, is a special shortcut that when used in a

rule, ensures that the correct inspection is applied to each packet, based on the destination port

of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies

the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP

inspection. So in this case only, you can configure multiple inspections for the same rule (See

the “Incompatibility of Certain Feature Actions” section on page36-5 for more information

about combining actions). Normally, the ASA does not use the port number to determine the

inspection applied, thus giving you the flexibility to apply inspections to non-standard ports, for

example.

See the “Default Settings” section on page 46-4 for a list of default ports. The ASA includes a

default global policy that matches the default inspection traffic, and applies common

inspections to the traffic on all interfaces. Not all applications whose ports are included in the

Default Inspection Traffic class are enabled by default in the policy map.

You can specify a Source and Destination IP Address (uses ACL) class along with the Default

Inspection Traffic class to narrow the matched traffic. Because the Default Inspection Traffic

class specifies the ports and protocols to match, any ports and protocols in the access list are

ignored.

–

Source and Destination IP Address (uses ACL)—The class matches traffic specified by an

extended access list. If the ASA is operating in transparent firewall mode, you can use an

EtherType access list.

Note When you create a new traffic class of this type, you can only specify one access control

entry (ACE) initially. After you finish adding the rule, you can add additional ACEs by

adding a new rule to the same interface or global policy, and then specifying Add rule

to existing traffic class on the Traffic Classification dialog box (see below).

–

Tunnel Group—The class matches traffic for a tunnel group to which you want to apply QoS.

You can also specify one other traffic match option to refine the traffic match, excluding Any

Traffic, Source and Destination IP Address (uses ACL), or Default Inspection Traffic.

–

TCP or UDP Destination Port—The class matches a single port or a contiguous range of ports.

Cisco Systems - page 839

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505