Refer to the exhibit. Which statement about the policy map named test is true?
A.
Only HTTP inspection will be applied to the TCP port 21 traffic.
B.
Only FTP inspection will be applied to the TCP port 21 traffic.
C.
Both HTTP and FTP inspections will be applied to the TCP port 21 traffic.
D.
No inspection will be applied to the TCP port 21 traffic, because the http class map configuration conflicts with the ftp class map.
E.
All FTP traffic will be denied, because the FTP traffic will fail the HTTP inspection.
This answer is wrong; the correct one is A.
A packet can match only one class map in the policy map for each feature type; it matches the first one configured.
More info: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/mpf.pdf
Hi Luis, take a look at chapter 9. This is a tricky question: consider port 21 on both classes. Answer B is correct; "http" is just the class name, not the protocol, in this case.
I've configured this policy, applied it to an interface, and checked the packet flow through ASA 8.4. It seems that answer B is correct:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map http
match port tcp eq ftp
policy-map test
class http
inspect http
service-policy test interface inside
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbe1dd160, priority=72, domain=inspect-http, deny=false
hits=2, user_data=0xbe1d1028, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map ftp
match port tcp eq ftp
policy-map test
class ftp
inspect ftp
service-policy test interface inside
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbe1dd970, priority=72, domain=inspect-ftp, deny=false
hits=2, user_data=0xbe1dd808, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
input_ifc=inside, output_ifc=any
This question is not asked in the correct way, but it seems that the correct answer is C (both). As mk tested it, we can see that in the packet-tracer test there are two steps for inspection: first the HTTP one and second the FTP one. I have also tested it and the result is the same. However, if we remove one of the inspects from the policy, the inspect steps in packet-tracer are fewer:
ciscoasa# show service-policy
Interface inside:
Service-policy: test
Class-map: ftp
Inspect: ftp, packet 0, drop 0, reset-drop 0
ciscoasa# packet-tracer input inside tcp 10.10.100.50 3323 8.8.8.8 21 detailed
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map ftp
match port tcp eq ftp
policy-map test
class ftp
inspect ftp
service-policy test interface inside
Additional Information:
…
Phase: 5
Type: NAT
Subtype:
ciscoasa# show service-policy
Interface inside:
Service-policy: test
Class-map: ftp
Inspect: ftp, packet 0, drop 0, reset-drop 0
Class-map: http
Inspect: ftp, packet 0, drop 0, reset-drop 0
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map ftp
match port tcp eq ftp
policy-map test
class ftp
inspect ftp
service-policy test interface inside
Additional Information:
….
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map http
match port tcp eq ftp
policy-map test
class http
inspect http
service-policy test interface inside
Additional Information:
Also, it seems that the inspection is based on the order of the policy-map, not the class-map.
Cheers.
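To compare two packet-tracer runs the way the posters above did, here is an added Python script (written for this page; it is not from the thread and not a Cisco tool) that pulls the INSPECT phases out of packet-tracer output and lists which class-map and inspect engine each one applied, in order. The two samples are transcribed from the output posted above (the "..." lines stand where the posters elided text); the function and constant names are my own and assume nothing beyond the phase/Type/Subtype/Result/Config layout visible on this page.

```python
"""Summarize the INSPECT phases of Cisco ASA packet-tracer output.

Added example for this thread, not code from the original page. Parses
the "Phase: N / Type: / Subtype: / Result: / Config: / Additional
Information:" layout shown in the posts above and reports, per INSPECT
phase, the class-map that matched and the inspect action applied.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
DOMAIN_RE = re.compile(r"domain=([\w-]+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)   # lines under "Config:"
    domain: str | None = None                          # from the rule lookup line


def parse_phases(text: str) -> list[Phase]:
    """Split packet-tracer output into Phase records (all types, in order)."""
    phases: list[Phase] = []
    current: Phase | None = None
    in_config = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_config = False
            continue
        if current is None:
            continue
        if line == "Config:":
            in_config = True
            continue
        if line == "Additional Information:":
            in_config = False
            continue
        if in_config:
            if line:
                current.config.append(line)
            continue
        kv = KV_RE.match(line)
        if kv:
            setattr(current, kv.group(1).lower(), kv.group(2).strip())
            continue
        d = DOMAIN_RE.search(line)
        if d and current.domain is None:
            current.domain = d.group(1)
    return phases


def inspections_applied(text: str) -> list[tuple[str | None, str | None, str]]:
    """Return (class_map, inspect_engine, result) for every INSPECT phase, in order."""
    out = []
    for p in parse_phases(text):
        if p.type != "INSPECT":
            continue
        class_map = engine = None
        for c in p.config:
            if c.startswith("class-map "):
                class_map = c.split(None, 1)[1]
            elif c.startswith("inspect "):
                engine = c.split(None, 1)[1]
        out.append((class_map, engine, p.result))
    return out


# Sample 1: transcribed from the run with both class maps in policy-map test.
SAMPLE_BOTH = """\
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map http
 match port tcp eq ftp
policy-map test
 class http
  inspect http
service-policy test interface inside
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xbe1dd160, priority=72, domain=inspect-http, deny=false
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map ftp
 match port tcp eq ftp
policy-map test
 class ftp
  inspect ftp
service-policy test interface inside
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xbe1dd970, priority=72, domain=inspect-ftp, deny=false
"""

# Sample 2: transcribed from the run after the http class was removed.
SAMPLE_FTP_ONLY = """\
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map ftp
 match port tcp eq ftp
policy-map test
 class ftp
  inspect ftp
service-policy test interface inside
Additional Information:
...
Phase: 5
Type: NAT
Subtype:
"""

if __name__ == "__main__":
    for name, sample in (("both classes", SAMPLE_BOTH), ("ftp only", SAMPLE_FTP_ONLY)):
        print(name, "->", inspections_applied(sample))
```

Run it against your own `packet-tracer ... detailed` output to see how many inspect phases the flow passes through and in which order; the order of the tuples is the order the phases appear in the output.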
Correct answer is