This post builds up on the previous one. In this post we’ll be seeing how to create basic Policies for Inspecting/Policing traffic at the OSI Layers 3-4.
Scenario: Traffic from internal hosts destined to the internet needs to be capped at 5mb. They have a web server which is hosted at a different location reachable via the internet. Allow the internal users to be able to ping the web server for testing purposes.
Note: The required ACLs and NAT statements are already in place.
1. Define a Layer 3-4 class-map
First, we need to create ACLs that will be matching the type of traffic on which the policies will be applied. These are NOT interface ACLs, they are only created to match certain type of traffic and refer it in the class-map. (You have to separately define interface ACLs to permit the traffic through the ASA)
ciscoasa(config)# access-list icmp_inspect extended permit icmp 10.1.1.0 255.255.255.0 host 220.127.116.11 log ciscoasa(config)# access-list ratelimit_inside extended permit ip 10.1.1.0 255.255.255.0 any log
Now define the Layer 3-4 class map by referencing the above ACLs in it. Here we are defining two class-maps. One will be for inspecting ICMP and the other for limiting the bandwidth utilization of the internal hosts.
ciscoasa(config)# class-map ratelimit_class ciscoasa(config-cmap)# match access-list ratelimit_inside ciscoasa(config-cmap)# class-map icmp_class ciscoasa(config-cmap)# match access-list icmp_inspect
2. Define a Layer 3-4 policy-map
Once the class-maps are defined, use policy-maps to define the action to be taken when matching a particular class-map. You can add as many class-maps as you want in a single policy-map but every class-map that you add has to have a specific action assigned to it.
ciscoasa(config)# policy-map company_policy ciscoasa(config-pmap)# class icmp_class ciscoasa(config-pmap-c)# inspect icmp ciscoasa(config)# policy-map company_policy ciscoasa(config-pmap)# class ratelimit_class ciscoasa(config-pmap-c)# police input 41943000 4194304 ciscoasa(config-pmap-c)# police output 41943000 4194304
Did you notice how the prompt changes when you add each command? When you create a policy-map it enters the config-pmap prompt, then when you refer a class-map it goes into the config-pmap-c prompt wherein you define an action for the traffic matching that class.
3. Apply the policy-map to the appropriate interfaces
Since we are only concerned with the internal hosts on the inside interface we will apply the policy-map we created to the inside interface only.
ciscoasa(config)# service-policy company_policy interface inside
InternalHost#ping 18.104.22.168 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 22.214.171.124, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/27/44 ms ciscoasa(config)# show service-policy inter inside Interface inside: Service-policy: company_policy Class-map: icmp_class Inspect: icmp, packet 20, drop 0, reset-drop 0 Class-map: ratelimit_class Input police Interface inside: cir 49143000 bps, bc 4194304 bytes conformed 5 packets, 570 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps Output police Interface inside: cir 49143000 bps, bc 4194304 bytes conformed 15 packets, 1710 bytes; actions: transmit exceeded 0 packets, 0 bytes; actions: drop conformed 0 bps, exceed 0 bps
With the packet counts showing some numbers, you can be assured that the traffic is being matched and the class-maps and policy-maps are working as desired. :-)