Hi Adil,
Basically it depends on the requirement. If you need to match more than one
L7 condition you must use an L7 class-map and then call it under the L7
policy-map. If there is only one L7 condition to match you can do that
directly under the L7 policy-map.
Option 2 is enough IMO.
If you reset a connection, then the ASA sends a TCP reset for traffic that
matches the condition.
If you configure drop-connection, then the connection will be removed from
the connection database on the ASA.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2010/9/19 Adil Pasha <aspasha_at_gmail.com>

> I have the following situation where I have to block yahoo and msn
> messengers:
>
> Task 1:
>
> You don't want any users from the inside of ASA except for 10.22.22.97 and
> 10.22.22.98 to be able to use either MSN IM or Yahoo IM.
>
> OPTION-1:
>
> access-list IM-ACL extended deny ip host 10.22.22.97 any
> access-list IM-ACL extended deny ip host 10.22.22.98 any
> access-list IM-ACL extended permit ip any any
> !
> class-map IM-BLOCK
>  match access-list IM-ACL
> !
> class-map type inspect im match-all IM-TRAFFIC
>  match protocol msn-im yahoo-im
> !
> policy-map type inspect im IM-PM
>  class IM-TRAFFIC
>   drop-connection
> !
> policy-map INSIDE-PM
>  class IM-BLOCK
>   inspect im IM-PM
> !
> service-policy INSIDE-PM interface inside
> !
>
> OPTION-2:
>
> access-list IM-ACL extended deny tcp host 10.22.22.97 any
> access-list IM-ACL extended deny tcp host 10.22.22.98 any
> access-list IM-ACL extended permit tcp any any
> !
> class-map IM-BLOCK
>  match access-list IM-ACL
> !
> policy-map type inspect im IM-PM
>  match protocol msn-im yahoo-im
>   reset
> !
> policy-map PM-BLOCKIM
>  class IM-BLOCK
>   inspect im IM-PM
> !
> service-policy PM-BLOCKIM interface Inside
> !
>
> I just wanted to clarify that if "policy-map type inspect im IM-PM" allows me
> to "match protocol msn-im yahoo-im" then why should I use the "class-map
> type inspect im match-all IM-TRAFFIC"?
>
> Can I use Option-2 where I did not use "class-map type inspect im match-all
> IM-TRAFFIC"?
>
> I know that "class-map type" and "policy-map type" are used for deep
> application packet inspection at layer-7. Class-map "type" classifies deep
> application packets. And policy-map "type" applies the action on deep
> application packets. But I am not clear when to use which option since both
> "class-map type" and "policy-map type" allow inspections in certain cases as
> in the case above.
>
> Also what is the difference between "drop-connection" and "reset" and how do
> I know which option to use?
>
> Thanks for all the help.
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Sep 19 2010 - 18:55:40 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART
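Added example (editor's illustration, not configuration posted by either participant in the thread): the two policy shapes Piotr describes, side by side in one ASA configuration. Form A is the single-condition case, where the one `match protocol` line sits directly under the L7 policy-map; Form B is the multi-condition case, where two conditions are ANDed in a `match-all` L7 class-map and the class is referenced from the L7 policy-map. It also shows `reset` and `drop-connection` as the two actions being compared. The `match service file-transfer` line and the trailing `log` keyword on the actions are assumptions for illustration (the thread only uses `match protocol`), so check them against the ASA release in use. One point worth making explicit: the `deny` entries in IM-ACL do not block 10.22.22.97 and .98, they exclude those hosts from class IM-BLOCK, so their traffic never reaches IM inspection at all. That is what exempts them.

```cisco
! Added example, not from the thread. Assumes an ASA with IM inspection support.
!
! L3/L4 classification: deny = excluded from the class (never inspected),
! permit = handed to the IM inspection engine.
access-list IM-ACL extended deny tcp host 10.22.22.97 any
access-list IM-ACL extended deny tcp host 10.22.22.98 any
access-list IM-ACL extended permit tcp any any
!
class-map IM-BLOCK
 match access-list IM-ACL
!
! Form A: exactly one L7 condition, written directly under the L7 policy-map.
! reset = ASA sends a TCP RST to both ends for matching traffic.
policy-map type inspect im IM-PM-SIMPLE
 match protocol msn-im yahoo-im
  reset log
!
! Form B: more than one L7 condition. The conditions must be ANDed in a
! match-all L7 class-map, which the L7 policy-map then references.
! (match service file-transfer is an assumed match option used for illustration.)
class-map type inspect im match-all IM-FILEXFER
 match protocol msn-im yahoo-im
 match service file-transfer
!
! drop-connection = the connection is removed from the ASA conn table
! (no RST is generated); reset additionally tears the session down at
! both endpoints. Both forms of match may coexist in one L7 policy-map.
policy-map type inspect im IM-PM-STRICT
 class IM-FILEXFER
  drop-connection log
 match protocol msn-im yahoo-im
  reset log
!
! Attach one L7 policy to the L3/L4 class; here the stricter one.
policy-map INSIDE-PM
 class IM-BLOCK
  inspect im IM-PM-STRICT
!
service-policy INSIDE-PM interface inside
!
! Verification on the ASA CLI:
!   show service-policy interface inside   (per-class packet/drop counters)
!   show conn                              (connections should disappear for blocked IM sessions)
```

When a session matches both a `class` and a `match` entry inside the same inspection policy-map, the ASA applies actions according to its own internal precedence rather than configuration order, so do not rely on line order to decide whether `reset` or `drop-connection` wins; keep the two matches disjoint (as above, where the class adds an extra condition) or use a single action.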