Use the argument match-any.
Example:
class-map type inspect match-any TEST
 match access-group name inside
 match protocol http
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp

Babatunde Sanda B.Sc (Acct.) CCNP, CCVP, CCNA(R,S,V), MCSA, N+, A+.
On Feb 28, 2011, at 5:38 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
> I'm coming from an ASA/PIX command set mentality for firewalls. I
> don't see for the life of me why I have to specify each and every
> inspect and ACL pairing instead of the "global policy" setup like on the
> ASA.
>
> It really does feel like Dante's trip through hell. Everything is
> nested and recursing through potentially thousands of lines of config.
>
> I'd like to know how to do the following (example):
>
> permit access-group inside
> match protocol http
> match protocol ssh
> match protocol telnet
> match protocol snmp
> match protocol ftp
> match protocol icmp
> match protocol tcp
> match protocol udp
> inspect with best inspector for protocol
>
> Can this be done without using more than one class?
>
> Thanks!
>
> On 2/28/2011 6:56 AM, imran ali wrote:
>>
>>
>> On Mon, Feb 28, 2011 at 9:44 AM, Chris Proctor <chris_at_cwproctor.net> wrote:
>>
>> Well, after beating my head against this for awhile I have come to
>> three conclusions (call it venting if you will):
>> 1.) Security zones are cool
>> 2.) Inspect maps are overly complex pieces of crap
>>
>> Can't agree with you here. Did you study the Cisco doc first before jumping
>> to any vendor book?
>>
>> 3.) Specialized inspect maps are even bigger pieces of crap
>>
>> Partially agree with you.
>>
>> I find myself hoping they won't get too carried away with this
>> subject. Working out all of the possible regex's, etc and nesting
>> of relationships could easily take me 20 hours for a complex
>> enough configuration. Can anyone tell me if I'm wasting my time
>> going through the lower levels of hell here?
>>
>> --
>> Chris Proctor
>>
>>
>> --
>> This message was scanned by ESVA and is believed to be clean.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> Chris Proctor
Received on Mon Feb 28 2011 - 09:31:00 ART
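
The single-class approach from this thread, carried through to a zone pair, as an added example that is not part of the original messages. The zone, policy-map, zone-pair and interface names are assumptions; the class map TEST and the ACL name `inside` follow the thread.

```cisco
! Added example: one match-any class used for inspection on a zone pair.
! Assumed names: INSIDE, OUTSIDE, IN-TO-OUT-POLICY, IN-TO-OUT,
! GigabitEthernet0/0 and GigabitEthernet0/1.
!
! match-any is a logical OR: traffic is selected if it matches the ACL
! OR any one of the protocol lines. It does not mean "ACL AND protocol".
! Specific protocols are listed before the generic tcp/udp entries,
! because the first matching line decides which inspection is applied.
class-map type inspect match-any TEST
 match access-group name inside
 match protocol http
 match protocol ssh
 match protocol telnet
 match protocol snmp
 match protocol ftp
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! A single "inspect" action covers every protocol matched by the class.
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect TEST
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
! The policy applies in one direction only: INSIDE to OUTSIDE.
! Return traffic for inspected sessions is allowed statefully.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

`show policy-map type inspect zone-pair IN-TO-OUT` shows the per-class match counters, which confirms which traffic the class actually selects.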
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART