ASA 8.4 Policy-map interface and global execution priority test

Source: Internet
Author: User
Tags: server, port, firewall

I. Overview:

A member of a QQ group asked about the order in which the ASA firewall executes a global versus an interface policy-map. From the literal meaning, the two have different scopes: one is applied globally, the other only on one interface, so it seemed that the more specific interface policy should be invoked first. To confirm this idea, I decided to build a lab environment and verify it.

II. Basic ideas:

A. A non-conflicting policy-map would be executed by both the global and the interface service-policy, so no difference in effect could be observed.

B. Only a conflicting policy-map, applied at the same time in the global and in the interface service-policy, shows which one finally takes effect.

C. The execution scope of the global and the interface policy-map is not the same, and I estimated that the interface policy-map would be invoked with priority, possibly in the following order:

①. The interface service-policy is executed and its policy-map is invoked; if the traffic matches, the global service-policy is not executed.

②. If the interface policy-map does not match, the global service-policy is executed and its policy-map is invoked.

---- After testing, the result was somewhat different from what I imagined: if the interface policy-map passes the traffic, it is still sent on to the global policy-map, unless it was dropped by the ACL of the interface's class-map, or dropped after inspection.

III. Test topology:

10.1.1.0/24 (Inside) 200.100.1.0/24 (Outside)

PC1 (. 8)----------------------(. 1) ASA842 (. 1)----------------------------(. 8) PC2

The Web server port is 2000.

IV. Basic configuration:

A. PC1:

IP: 10.1.1.8/24, GW: 10.1.1.1

B. ASA842 firewall:

① Interface configuration:

    interface GigabitEthernet0
     nameif Inside
     security-level 100
     ip address 10.1.1.1 255.255.255.0
     no shutdown

    interface GigabitEthernet1
     nameif Outside
     security-level 0
     ip address 202.100.1.1 255.255.255.0
     no shutdown

② Dynamic PAT configuration:

    object network Inside.net
     subnet 10.1.1.0 255.255.255.0

    object network Inside.net
     nat (inside,outside) dynamic interface

③ Static PAT configuration:

    object network INSIDE.PC1
     host 10.1.1.8

    object network INSIDE.PC1
     nat (inside,outside) static interface service tcp 2000 2000

④ Policy settings:

    access-list outside extended permit tcp any object INSIDE.PC1 eq 2000

    access-group outside in interface outside
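The test described in section II needs two policy-maps that act on the same flow but with conflicting actions, one applied on the outside interface and one applied globally, so that the effective one can be observed. The following configuration is an added example of such a setup; it is not the article's own test configuration. The class-map name TEST-TRAFFIC, the ACL name test-traffic, the policy-map name INTF-POLICY and the connection limits are assumptions chosen for illustration. It reuses the default global_policy that ASA 8.4 already applies with "service-policy global_policy global", because the ASA allows only one global service-policy, so a second "service-policy ... global" would be rejected.

```cisco
! Added example (not from the original article). Names and limits are hypothetical.
!
! One class-map that matches the tested flow: TCP/2000 to PC1 (real IP, 8.3+ NAT semantics).
access-list test-traffic extended permit tcp any object INSIDE.PC1 eq 2000
class-map TEST-TRAFFIC
 match access-list test-traffic
!
! Interface policy-map: a small connection limit (assumed value 2).
policy-map INTF-POLICY
 class TEST-TRAFFIC
  set connection conn-max 2
!
! Global policy-map: add the same class to the existing default global_policy
! with a different limit (assumed value 5), so the two policies conflict.
policy-map global_policy
 class TEST-TRAFFIC
  set connection conn-max 5
!
! Apply the interface policy on the outside interface; global_policy is
! already applied globally by the default configuration.
service-policy INTF-POLICY interface outside
!
! Verification: open more than 2 TCP/2000 connections from PC2 and compare
! which limit is enforced, then read the per-policy statistics.
show service-policy interface outside
show service-policy global
show conn address 10.1.1.8 port 2000
```

With the limits above, a third connection from PC2 to PC1:2000 being refused while the fifth is never reached shows that the interface policy's limit is the one enforced for this flow; the "show service-policy" output for each policy confirms which class the traffic hit. Cisco's documented behaviour is that when both an interface policy and the global policy apply the same feature to a flow, the interface policy takes precedence for that feature, which matches the article's observation that traffic passed by the interface policy-map is still handed on to the global policy-map for the remaining features.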
