
ASA 5505 Policy Map global_policy

Posted on 2014-11-10
Last Modified: 2014-11-11
Can someone please give, in plain English, an explanation/summary of what the policy map actually does? It inspects the protocols listed underneath, I suppose, but how does it define inspect?

Does it matter what order the protocols are inspected in? For example, some of my ASAs have this at the bottom of the policy-map global_policy, while others have it in the middle.
  inspect ip-options
  inspect icmp

I also see an ACL for this entry below, but the global_mpc (which I assume is global map policy?) isn't in the policy-map global_policy. What is the purpose of "policy-map global_policy"?

# show run access-list global_mpc
access-list global_mpc extended permit ip any any


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect icmp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
Question by:tolinrome

Accepted Solution

by:Pete Long
ID: 40434849
Policy maps are the bit in the middle :) service policy<>Policy Maps<>Class Maps
You can have one global service-policy, and a service policy for each interface (applied inbound and outbound).
So you define what you want to look at/restrict/police etc. with a class map like this (this will classify all traffic to and from 10.254.254.90). SO A CLASS MAP CLASSIFIES SOMETHING (IN THIS CASE TRAFFIC)
PetesASA(config)# access-list ACL-THROTTLE extended permit ip host 10.254.254.90 any
PetesASA(config)# access-list ACL-THROTTLE extended permit ip any host 10.254.254.90
PetesASA(config)# class-map CM-THROTTLE
PetesASA(config-cmap)# match access-list ACL-THROTTLE
PetesASA(config-cmap)# exit

Now I need to decide what to do with that traffic. Let's say I want to throttle it so it can't steal all my bandwidth: I use a policy map. POLICY MAPS APPLY AN ACTION TO A CLASS MAP
PetesASA(config)# policy-map PM-THROTTLE
PetesASA(config-pmap)# class CM-THROTTLE
PetesASA(config-pmap-c)# police output 1000000 2000
PetesASA(config-pmap-c)# police input 1000000 2000
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit

Then I either apply that with a global service-policy (like the one you have above in your config; you will also have a line that looks like this to apply that policy). SERVICE-POLICIES APPLY POLICY-MAPS
PetesASA(config)# service-policy global_policy global

So to throttle my traffic I'd use
PetesASA(config)# service-policy PM-THROTTLE interface inside

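The class-map, policy-map and service-policy chain described in the accepted answer can be resolved mechanically when auditing a config. This Python sketch is an added example, not part of the original thread: it walks running-config text and reports, for each applied service-policy, which class matches which traffic and what action it gets, plus ACLs that no applied policy references. The sample config is constructed from the commands quoted above (the `match default-inspection-traffic` line is assumed), and the names `SAMPLE`, `parse` and `trace` are hypothetical.

```python
# Constructed sample: the answer's throttle example plus a trimmed global policy.
SAMPLE = """\
access-list global_mpc extended permit ip any any
access-list ACL-THROTTLE extended permit ip host 10.254.254.90 any
class-map inspection_default
 match default-inspection-traffic
class-map CM-THROTTLE
 match access-list ACL-THROTTLE
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map PM-THROTTLE
 class CM-THROTTLE
  police output 1000000 2000
service-policy global_policy global
service-policy PM-THROTTLE interface inside
"""

def parse(config):  # -> ACL names, class-maps, policy-maps, applied service-policies
    acls, cmaps, pmaps, applied = set(), {}, {}, []
    section = cls = None  # current top-level block / current class inside a policy-map
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):  # an unindented command starts a new block
            section = cls = None
            if words[0] == "access-list":
                acls.add(words[1])
            elif words[0] == "class-map" and words[1] != "type":
                section = cmaps.setdefault(words[1], [])
            elif words[0] == "policy-map" and words[1] != "type":  # skip inspection maps
                section = pmaps.setdefault(words[1], {})
            elif words[0] == "service-policy":
                applied.append((words[1], " ".join(words[2:])))
        elif isinstance(section, list):  # inside a class-map: match criteria
            section.append(" ".join(words))
        elif isinstance(section, dict) and words[0] == "class":
            cls = section.setdefault(words[1], [])
        elif cls is not None:  # action lines under the current class
            cls.append(" ".join(words))
    return acls, cmaps, pmaps, applied

def trace(config):  # -> rows of (scope, policy-map, class-map, matches, actions), unreferenced ACLs
    acls, cmaps, pmaps, applied = parse(config)
    rows = [(scope, pm, cm, cmaps.get(cm, []), acts)
            for pm, scope in applied for cm, acts in pmaps.get(pm, {}).items()]
    used = {m.split()[-1] for r in rows for m in r[3] if m.startswith("match access-list")}
    return rows, sorted(acls - used)
```

An ACL in the second return value is only absent from the applied service-policy chain; it may still be bound elsewhere in the config, for example by `access-group`.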
 

Author Comment

by:tolinrome
ID: 40435431
Great and thorough explanation, thanks.

Expert Comment

by:Pete Long
ID: 40436111
My Pleasure ThanQ