Solved

ASA 5505 Policy Map global_policy

Posted on 2014-11-10
1,046 Views
Last Modified: 2014-11-11
Can someone please give, in plain English, an explanation/summary of what the policy-map actually does? It inspects the protocols listed underneath it, I suppose, but how does it define "inspect"?

Does it matter what order the protocols are inspected in? For example, some of my ASAs have this at the bottom of the policy-map global_policy, while others have it in the middle:
  inspect ip-options
  inspect icmp

I also see an ACL for this entry below, but global_mpc (which I assume is global map policy?) isn't in the policy-map global_policy. What is the purpose of "policy-map global_policy"?

# show run access-list global_mpc
access-list global_mpc extended permit ip any any


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect icmp
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
Question by: tolinrome
3 Comments
Accepted Solution

by: Pete Long (earned 500 total points)
ID: 40434849
Policy maps are the bit in the middle :)  service-policy <> policy-map <> class-map
You can have one global service-policy, and a service-policy for each interface (applied inbound and outbound).
So you define what you want to look at/restrict/police etc. with a class-map like this (this will classify all traffic to and from 10.254.254.90). SO A CLASS MAP CLASSIFIES SOMETHING (IN THIS CASE TRAFFIC):
PetesASA(config)# access-list ACL-THROTTLE extended permit ip host 10.254.254.90 any
PetesASA(config)# access-list ACL-THROTTLE extended permit ip any host 10.254.254.90
PetesASA(config)# class-map CM-THROTTLE
PetesASA(config-cmap)# match access-list ACL-THROTTLE
PetesASA(config-cmap)# exit


Now I need to decide what to do with that traffic. Let's say I want to throttle it so it can't steal all my bandwidth; I use a policy-map. POLICY MAPS APPLY AN ACTION TO A CLASS MAP:
PetesASA(config)# policy-map PM-THROTTLE
PetesASA(config-pmap)# class CM-THROTTLE
PetesASA(config-pmap-c)# police output 1000000 2000
PetesASA(config-pmap-c)# police input 1000000 2000
PetesASA(config-pmap-c)# exit
PetesASA(config-pmap)# exit


Then I either apply that with a global service-policy (like the one you have above; in your config you will also have a line that looks like this to apply that policy). SERVICE-POLICIES APPLY POLICY-MAPS:
PetesASA(config)# service-policy global_policy global


So to throttle my traffic I'd use:
PetesASA(config)# service-policy PM-THROTTLE interface inside


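As an added example (not part of this thread and not Cisco tooling), the Python script below walks an ASA running-config and prints the service-policy -> policy-map -> class-map chain described in the accepted answer, applied both to the question's global_policy and to the CM-THROTTLE/PM-THROTTLE throttle example. Its sample config is constructed: it takes the question's config (with the inspect list shortened), adds the two default lines the question omits ("class-map inspection_default" with "match default-inspection-traffic", and "service-policy global_policy global"), and adds the answer's throttle lines. Two practitioner checks are built in: the global inspections are returned as a set, because the ASA applies inspection actions in its own fixed feature order rather than in the order the "inspect" lines appear in the class, so the two layouts in the question behave identically; and any ACL that no class-map "match access-list" and no "access-group" references is listed, which is exactly the state global_mpc is in here.

```python
"""Explain an ASA Modular Policy Framework chain from a running-config:
service-policy -> policy-map -> class-map -> match criteria and actions.
Added example (not Cisco tooling); SAMPLE_CONFIG is constructed from the
thread's config, the default inspection class-map, the global service-policy
line, and the throttle example from the accepted answer."""
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list global_mpc extended permit ip any any
access-list ACL-THROTTLE extended permit ip host 10.254.254.90 any
class-map inspection_default
 match default-inspection-traffic
class-map CM-THROTTLE
 match access-list ACL-THROTTLE
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ip-options
  inspect icmp
policy-map PM-THROTTLE
 class CM-THROTTLE
  police output 1000000 2000
  police input 1000000 2000
service-policy global_policy global
service-policy PM-THROTTLE interface inside
"""


def parse_mpf(config):
    """Return (acls, class_maps, policy_maps, service_policies); a column-0
    'class-map'/'policy-map' header owns the indented lines under it."""
    acls = defaultdict(list)   # ACL name -> list of ACEs
    class_maps = {}            # class-map name -> ['match ...', ...]
    policy_maps = {}           # Layer 3/4 policy-map -> {class -> [actions]}
    service_policies = []      # (policy-map name, 'global' or 'interface X')
    section = cur_class = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            section = cur_class = None
            if tok[0] == 'access-list':
                acls[tok[1]].append(' '.join(tok[2:]))
            elif tok[0] == 'class-map':
                section, class_maps[tok[-1]] = ('class', tok[-1]), []
            elif tok[0] == 'policy-map' and tok[1] != 'type':
                # 'policy-map type inspect ...' is only referenced by an
                # inspect action and never applied by a service-policy: skip
                section, policy_maps[tok[1]] = ('policy', tok[1]), {}
            elif tok[0] == 'service-policy':
                where = 'global' if tok[2] == 'global' else f'interface {tok[3]}'
                service_policies.append((tok[1], where))
        elif section and section[0] == 'class':
            class_maps[section[1]].append(raw.strip())
        elif section and section[0] == 'policy':
            if indent == 1 and tok[0] == 'class':
                cur_class = tok[1]
                policy_maps[section[1]].setdefault(cur_class, [])
            elif cur_class:
                policy_maps[section[1]][cur_class].append(raw.strip())
    return dict(acls), class_maps, policy_maps, service_policies


def explain(config):
    """Plain-English lines describing what each applied service-policy does."""
    _, cmaps, pmaps, spolicies = parse_mpf(config)
    out = []
    for pm, where in spolicies:
        scope = 'globally (all interfaces)' if where == 'global' else f'on {where}'
        out.append(f'service-policy applies policy-map {pm} {scope}')
        for cls, actions in pmaps.get(pm, {}).items():
            crit = '; '.join(cmaps.get(cls, ['<class-map not defined>']))
            out.append(f'  class {cls} selects: {crit}')
            out.extend(f'    then: {a}' for a in actions)
    return out


def global_inspections(config):
    """Protocols inspected by the policy-map applied '... global', as a set:
    the ASA runs inspections in its own fixed feature order, so where an
    'inspect' line sits inside the class makes no difference."""
    _, _, pmaps, spolicies = parse_mpf(config)
    return {a.split()[1]
            for pm, where in spolicies if where == 'global'
            for actions in pmaps.get(pm, {}).values()
            for a in actions if a.startswith('inspect ')}


def unreferenced_acls(config):
    """ACLs defined but used by no class-map match and no access-group."""
    acls, cmaps, _, _ = parse_mpf(config)
    used = {m.split()[2] for ms in cmaps.values() for m in ms
            if m.startswith('match access-list ')}
    used |= {l.split()[1] for l in config.splitlines()
             if l.startswith('access-group ')}
    return sorted(set(acls) - used)
```

Feed it the output of "show running-config" (the "show run access-list" and policy sections together) instead of SAMPLE_CONFIG to get the same summary for a real box; an ACL reported by unreferenced_acls is either leftover or applied by something the parser does not track, and is worth checking before deleting it.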
Author Comment

by: tolinrome
ID: 40435431
great and thorough explanation, thanks.
Expert Comment

by: Pete Long
ID: 40436111
My Pleasure ThanQ