By default, the ASA has the following policies:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
On top of this, we add the following configuration:
object-group network FIREPOWER_SOURCE_obj
 network-object host 10.5.14.45
access-list FIREPOWER_acl extended permit ip object-group FIREPOWER_SOURCE_obj any
! The class map
class-map firePOWER-class
 description class to send all traffic to the Firepower module
 ! Matching all traffic to be sent to the Firepower module
 match access-list FIREPOWER_acl
!
! Applying the class to the policy map
policy-map global_policy
 class firePOWER-class
  ! The Firepower module configured to fail open
  sfr fail-open