Cisco ASA policy-map not matching the specific traffic
Asked by Techrunner
Hello Experts,
I have two service policies configured on ASA box. I have default existing global policy and I created another service policy applied to each interface.
This is the current configuration of the service policies:
service-policy global_policy global
service-policy conn-limit-policy interface outside
service-policy conn-limit-policy interface inside
service-policy conn-limit-policy interface dmz
class-map conn-limit-class
 match any
policy-map conn-limit-policy
 class conn-limit-class
  set connection embryonic-conn-max 100 per-client-embryonic-max 50 random-sequence-number disable
  set connection timeout embryonic 0:00:10 idle 0:10:00
I'm trying to configure a new class-map to match specific traffic; however, the new class-map is not working. After running packet-tracer, the traffic (between these hosts) still uses the class-map "conn-limit-class".
The purpose of the new class-map is to set the connection limit to unlimited between the specified hosts.
access-list ACL-TEST-CONN-LIMIT line 1 extended permit tcp host 172.16.1.17 host 10.1.2.127 eq 1522
class-map CM-TEST-CONN-LIMIT
 match access-list ACL-TEST-CONN-LIMIT
policy-map conn-limit-policy
 class conn-limit-class
  set connection embryonic-conn-max 100 per-client-embryonic-max 50 random-sequence-number disable
  set connection timeout embryonic 0:00:10 idle 0:10:00
 class CM-TEST-CONN-LIMIT
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 idle 0:00:00
I'd highly appreciate any help.
Many thanks in advance
ASKER
Thanks Pete
How can I force the ASA to use the second rule for the specific traffic?
ASKER CERTIFIED SOLUTION
>>class conn-limit-class
Which is applied to any, so it matches.
>>class-map conn-limit-class
>> match any
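As an added example that is not part of the original thread (neither the asker's nor the answerer's configuration), this is the reordered policy-map that follows from the accepted answer. The ASA walks the classes of a policy-map in configured order and applies each feature type (here "set connection" limits and timeouts) from only the first class the packet matches, so a catch-all "match any" class listed first claims every flow. There is no command to move a class within a policy-map, so both classes are removed and re-added in the desired order. Object names are reused from the question; the interface name "inside" and the source port in the packet-tracer check are assumptions.

```cisco
! Added example, not from the original post. Assumes the names from the
! question: ACL-TEST-CONN-LIMIT, CM-TEST-CONN-LIMIT, conn-limit-class,
! conn-limit-policy. Comment lines are for the reader and can be dropped
! before pasting.
policy-map conn-limit-policy
 ! Drop both classes so they can be re-added in the right order.
 no class conn-limit-class
 no class CM-TEST-CONN-LIMIT
 ! Host-specific class first: a value of 0 means "no limit" / "no timeout".
 class CM-TEST-CONN-LIMIT
  set connection conn-max 0 embryonic-conn-max 0
  set connection timeout embryonic 0:00:00 half-closed 0:00:00 idle 0:00:00
 ! Catch-all class last, unchanged from the question.
 class conn-limit-class
  set connection embryonic-conn-max 100 per-client-embryonic-max 50 random-sequence-number disable
  set connection timeout embryonic 0:00:10 idle 0:10:00
!
! Verify which class the flow now hits (interface "inside" and source
! port 12345 are assumptions), then confirm the class order in the policy.
packet-tracer input inside tcp 172.16.1.17 12345 10.1.2.127 1522
show service-policy interface inside
show running-config policy-map conn-limit-policy
```

Because the policy is already attached to all three interfaces, the embryonic limits in conn-limit-class are not enforced for the few seconds between "no class conn-limit-class" and its re-addition; paste the whole block at once or perform the change in a maintenance window. An alternative that avoids reordering is to replace "match any" in conn-limit-class with an access-list that has a deny line for the two hosts ahead of a "permit ip any any", so the catch-all no longer matches that flow at all.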