Re: A Quick Question.

From: Adil Pasha <aspasha_at_gmail.com>
Date: Sun, 19 Sep 2010 21:52:12 -0400

Thank you so much Piotr.

Best Regards.
______________________
Adil

On Sep 19, 2010, at 12:55 PM, Piotr Matusiak wrote:

> Hi Adil,
>
> Basically it depends on the requirement. If you need to match more than one
> L7 condition you must use an L7 class-map and then call it under L7 policy-map.
> If there is only one L7 condition to match you can do that directly under L7
> policy-map.
>
> Option 2 is enough IMO.
>
> If you reset a connection, then the ASA sends a TCP reset for traffic that
> matches the condition.
> If you configure drop-connection, then the connection will be removed from
> the connection database on the ASA.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/9/19 Adil Pasha <aspasha_at_gmail.com>
> I have the following situation where I have to block yahoo and msn
> messengers:
>
> Task 1:
>
> You don't want any users from the inside of ASA except for 10.22.22.97 and
> 10.22.22.98 to be able to use either MSN IM or Yahoo IM.
>
> OPTION-1:
>
> access-list IM-ACL extended deny ip host 10.22.22.97 any
> access-list IM-ACL extended deny ip host 10.22.22.98 any
> access-list IM-ACL extended permit ip any any
> !
> class-map IM-BLOCK
>  match access-list IM-ACL
> !
> class-map type inspect im match-all IM-TRAFFIC
>  match protocol msn-im yahoo-im
> !
> policy-map type inspect im IM-PM
>  class IM-TRAFFIC
>   drop-connection
> !
> policy-map INSIDE-PM
>  class IM-BLOCK
>   inspect im IM-PM
> !
> service-policy INSIDE-PM interface inside
> !
>
> OPTION-2:
>
> access-list IM-ACL extended deny tcp host 10.22.22.97 any
> access-list IM-ACL extended deny tcp host 10.22.22.98 any
> access-list IM-ACL extended permit tcp any any
> !
> class-map IM-BLOCK
>  match access-list IM-ACL
> !
> policy-map type inspect im IM-PM
>  match protocol msn-im yahoo-im
>   reset
> !
> policy-map PM-BLOCKIM
>  class IM-BLOCK
>   inspect im IM-PM
> !
> service-policy PM-BLOCKIM interface Inside
> !
>
> I just wanted to clarify that if "policy-map type inspect im IM-PM" allows
> me to "match protocol msn-im yahoo-im" then why should I use the "class-map
> type inspect im match-all IM-TRAFFIC"?
>
> Can I use Option-2 where I did not use "class-map type inspect im match-all
> IM-TRAFFIC"?
>
> I know that "class-map type" and "policy-map type" are used for deep
> application packet inspection at layer-7. Class-map "type" classifies deep
> application packets. And policy-map "type" applies the action on deep
> application packets. But I am not clear when to use which option since both
> "class-map type" and "policy-map type" allow inspections in certain cases as
> in the case above.
>
> Also what is the difference between "drop-connection" and "reset" and how do
> I know which option to use?
>
> Thanks for all the help.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Sep 19 2010 - 21:52:12 ART
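A constructed Python model of how the two options in this thread classify and act on a flow (added here as an illustration; it is not code from the thread or from Cisco). It shows the point that trips people up in the configs above: a "deny" ACE in the ACL referenced by "match access-list" exempts that host from IM inspection rather than blocking it, and it models the different outcome of "reset" versus "drop-connection". The destination addresses, protocol names as strings and result labels are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ASA MPF flow described in the thread (not ASA code):
# the ACL behind "match access-list" selects which flows are *classified*
# (permit = classified for inspection, deny = skipped), then the L7 IM policy
# applies its action to msn-im / yahoo-im flows.

# ACL from the thread: the two exempt hosts are "deny", everyone else "permit".
IM_ACL = [
    ("deny", "10.22.22.97/32", "0.0.0.0/0"),
    ("deny", "10.22.22.98/32", "0.0.0.0/0"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

IM_PROTOCOLS = ("msn-im", "yahoo-im")  # the "match protocol" line in both options


def acl_permits(acl, src, dst):
    """First-match ACL lookup with the implicit deny at the end, as on the ASA."""
    s, d = ip_address(src), ip_address(dst)
    for action, s_net, d_net in acl:
        if s in ip_network(s_net) and d in ip_network(d_net):
            return action == "permit"
    return False


def apply_im_policy(src, dst, protocol, l7_action):
    """Return what the modelled ASA does with one flow.

    l7_action is "reset" (Option-2: a TCP RST is sent for the matching flow) or
    "drop-connection" (Option-1: the connection is removed from the conn table
    without a reset). Result strings are assumed labels, not ASA output.
    """
    # class-map IM-BLOCK / match access-list: a deny ACE means "do not classify",
    # so the exempt hosts never reach the IM inspection at all.
    if not acl_permits(IM_ACL, src, dst):
        return "forwarded (not inspected)"
    # inspect im IM-PM: only msn-im / yahoo-im flows hit the L7 action.
    if protocol not in IM_PROTOCOLS:
        return "forwarded (inspected, no match)"
    if l7_action == "reset":
        return "blocked: TCP RST sent"
    if l7_action == "drop-connection":
        return "blocked: connection dropped silently"
    raise ValueError(f"unknown L7 action: {l7_action}")
```

The exempt host is forwarded because the deny ACE keeps it out of the class-map, not because anything explicitly permits it; swapping deny and permit in IM-ACL would invert who gets inspected.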

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART