Home > Others

ASA 8.4 Policy-map interface and global execution priority test

Source: Internet
Author: User
Tags server port firewall
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

I. Overview:

QQ Group has netizens to discuss the policy-map of the ASA firewall of the global and interface order of execution, from the literal meaning can be seen that the two application range is not the same, one is global call, a only in the interface down, Therefore feel that the detailed interface is first called, in order to confirm their own ideas, the decision to build environment verification.

Two. Basic ideas:

A. Non-conflicting POLICY-MAP estimates will be executed by the global and interface Service-policy, and cannot see the effect

B. Can only be used in conflict with the Policy-map, in the global and interface Service-policy in the same time, to see which of the final effective

C. The policy-map execution scope of the global and interface is not the same, and estimating the Policy-map of the interface will be executed by priority invocation, possibly in the following order:

①. Performs the service-policy of the interface and invokes the corresponding Policy-map, and if it is matched, does not perform the global Service-policy

②. If the policy-map of the interface is not matched, then the global service-policy is executed and the corresponding Policy-map is called

----was tested and found to be somewhat different from the imagination: if the interface policy-map the pass, it would be sent to the global Policy-map, unless it was discarded by the ACL of the class-map of the interface, or after being censored.

Three. Test topology:

10.1.1.0/24 (Inside) 200.100.1.0/24 (Outside)

PC1 (. 8)----------------------(. 1) ASA842 (. 1)----------------------------(. 8) PC2

The Web server port is: 2000

Four. Basic configuration:

A.PC1:

IP:10.1.1.8/24, gw:10.1.1.1

b.asa842 Firewall:

① Interface Configuration:

Interface GigabitEthernet0

Nameif Inside

Security-level 100

IP address 10.1.1.1 255.255.255.0

No shut

Interface GigabitEthernet1

Nameif Outside

Security-level 0

IP address 202.100.1.1 255.255.255.0

No shut

② Dynamic Pat Configuration:

Object Network Inside.net

Subnet 10.1.1.0 255.255.255.0

Object Network Inside.net

Nat (inside,outside) Dynamic interface

③ Static PAT configuration:

Object Network INSIDE.PC1

Host 10.1.1.8

Object Network INSIDE.PC1

Nat (inside,outside) static Interface Service TCP 2000 2000

④ Policy settings:

Access-list outside extended permit tcp any object INSIDE.PC1 EQ 2000

Access-group outside in interface outside

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
global dns test local and global variables local variables and global variables class and interface difference interface and abstract class outside local and outside global java test class implements interface

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More