1-5
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter1 Configuring a Service Policy
Licensing Requirements for Service Policies

Incompatibility of Certain Feature Actions

Some features are not compatible with each other for the same traffic. The following list may not include
all incompatibilities; for information about compatibility of each feature, see the chapter or section for
your feature:
You cannot configure QoS priority queueing and QoS policing for the same set of traffic.
Most inspections should not be combined with another inspection, so the ASA only applies one
inspection if you configure multiple inspections for the same traffic. HTTP inspection can be
combined with the Cloud Web Security inspection. Other exceptions are listed in the “Order in
Which Multiple Feature Actions are Applied” section on page1-4.
You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.
HTTP inspection is not compatible with the ASA CX.
The ASA CX is not compatible with Cloud Web Security.
Note The Default Inspection Traffic traffic class, which is used in the default global policy, is a special CLI
shortcut to match the default ports for all inspections. When used in a policy map, this class map ensures
that the correct inspection is applied to each packet, based on the destination port of the traffic. For
example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection;
when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you
can configure multiple inspections for the same class map. Normally, the ASA does not use the port
number to determine which inspection to apply, thus giving you the flexibility to apply inspections to
non-standard ports, for example.
This traffic class does not include the default ports for Cloud Web Security inspection (80 and 443).

Feature Matching for Multiple Service Policies

For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies
operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that
matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a
policy on another interface; only the first policy is used.
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you
have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected
on the egress of the outside interface. Similarly, the return traffic for that connection will not be
inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.
For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP
inspection, returning traffic can match a different policy map on the returning interface. For example, if
you configure IPS on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while
the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound,
but will match virtual sensor 2 inbound.
Licensing Requirements for Service Policies