Techrunner

asked on

Cisco ASA policy-map not matching the specific traffic

Hello Experts,

I have two service policies configured on an ASA box. I have the default existing global policy, and I created another service policy applied to each interface.
This is the current configuration of the service policies:

service-policy global_policy global
service-policy conn-limit-policy interface outside
service-policy conn-limit-policy interface inside
service-policy conn-limit-policy interface dmz

class-map conn-limit-class
 match any

policy-map conn-limit-policy
 class conn-limit-class
  set connection embryonic-conn-max 100 per-client-embryonic-max 50 random-sequence-number disable
  set connection timeout embryonic 0:00:10 idle 0:10:00


I'm trying to configure a new class-map to match specific traffic; however, the new class-map is not working. After doing the packet-tracer, the traffic (between these hosts) still uses the class-map "conn-limit-class".

The purpose of the new class map is to set the connection limit to unlimited between the specified hosts.

access-list ACL-TEST-CONN-LIMIT line 1 extended permit tcp host 172.16.1.17 host 10.1.2.127 eq 1522
class-map CM-TEST-CONN-LIMIT
 match access-list ACL-TEST-CONN-LIMIT

policy-map conn-limit-policy
 class conn-limit-class
  set connection embryonic-conn-max 100 per-client-embryonic-max 50 random-sequence-number disable
  set connection timeout embryonic 0:00:10 idle 0:10:00 
 class CM-TEST-CONN-LIMIT
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 idle 0:00:00


I'd highly appreciate any help.

Many thanks in advance
Pete Long

Because it hits this one first

>>class conn-limit-class

Which is applied to any - so it matches

>>class-map conn-limit-class
>> match any
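
Added example, not part of the original thread: a Python check that parses an ASA configuration and reports policy-map classes shadowed by an earlier `match any` class for the same feature, which is the situation described in the answer above. It assumes the ASA applies only the first matching class per feature type within a policy map; `SAMPLE_CONFIG` is constructed from the question's configuration, and treating the first two words of an action (for example `set connection`) as the feature type is a simplification.

```python
# Constructed sample: the policy from the question as it would sit in a saved config.
SAMPLE_CONFIG = """\
class-map conn-limit-class
 match any
class-map CM-TEST-CONN-LIMIT
 match access-list ACL-TEST-CONN-LIMIT
policy-map conn-limit-policy
 class conn-limit-class
  set connection embryonic-conn-max 100 per-client-embryonic-max 50 random-sequence-number disable
  set connection timeout embryonic 0:00:10 idle 0:10:00
 class CM-TEST-CONN-LIMIT
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 idle 0:00:00
"""

def parse(config):  # -> ({class-map: [match criteria]}, {policy-map: [(class, [features])]})
    class_maps, policy_maps = {}, {}
    cmap = pmap = features = None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        words = raw.split()
        if not raw[0].isspace():                  # unindented line opens a new section
            cmap = pmap = features = None
            if words[0] == "class-map":
                cmap = class_maps.setdefault(words[-1], [])
            elif words[0] == "policy-map":
                pmap = policy_maps.setdefault(words[-1], [])
        elif cmap is not None and words[0] == "match":
            cmap.append(" ".join(words[1:]))
        elif pmap is not None and words[0] == "class":
            features = []
            pmap.append((words[1], features))
        elif features is not None:
            features.append(" ".join(words[:2]))  # simplification: "set connection"
    return class_maps, policy_maps

def shadowed_classes(config):
    """List (policy, class, feature, shadowing_class) for classes that never apply."""
    class_maps, policy_maps = parse(config)
    findings = []
    for policy, classes in policy_maps.items():
        claimed = {}                              # feature -> earlier match-any class
        for name, features in classes:
            for feature in dict.fromkeys(features):       # de-duplicate, keep order
                if feature in claimed:
                    findings.append((policy, name, feature, claimed[feature]))
            if "any" in class_maps.get(name, []):         # class matches all traffic
                claimed = {**dict.fromkeys(features, name), **claimed}
    return findings

if __name__ == "__main__":
    print(shadowed_classes(SAMPLE_CONFIG))
```

With the specific class listed before the `match any` class in the policy map, the same check returns no findings.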
Techrunner

ASKER

Thanks Pete
How can I force the ASA to use the second rule for the specific traffic?
ASKER CERTIFIED SOLUTION
Pete Long
