Thursday, July 22, 2010

CCNA Security 29

The Cisco Modular Policy Framework (MPF) lets you configure firewall features, and many other services such as QoS, through a simple language. The Modular Policy Framework uses a subset of the commands found in MQC (Modular QoS CLI). The MPF consists of three components:
1) Class-Maps - Classify traffic by protocol, ACL, etc.
2) Policy-Maps - Specify the action to take when a class-map is matched (Pass, Drop, Inspect, IPS, Police, Shape, etc.).
3) Service-Policy - Maps a policy-map to an interface and direction.

The order listed above is the order in which we create the components in the CLI. In the ASDM, however, we'll do it the other way round.

Classes are useful because they can be reused in any number of policies. This is what makes the framework modular. For example, we can group all web traffic into a single class-map, then reference it from multiple policy-maps.

There are many ways a class-map can match traffic. These are ACLs, Default-Inspection-Traffic, DSCP, Flow, Ports, Precedence, RTP Ports, VPN Tunnel-Group.

In this example, I'm going to create a class-map to match INTERNET traffic. First, we'll create the object-group for the webservers:
!Create WEBSERVERS group
object-group network WEBSERVERS
network-object host 2.2.2.2
network-object host 2.2.2.3


Next, I'm going to group all related traffic types:
!Create WEBTRAFFIC group
object-group service WEBTRAFFIC tcp
port-object eq 80
port-object eq 443


We'll bring the groups together using an ACL:
!Create ACL
access-list AINTERNET extended permit tcp any object-group WEBSERVERS object-group WEBTRAFFIC


Then we'll reference the ACL from the class-map (note that a plain Layer 3/4 class-map takes no "type" keyword; "type" is only used for inspection, management and regex class-maps):
!Create Class-Map
class-map CINTERNET
match access-list AINTERNET


Then we'll define the actions to take using the policy-map. Inside a policy-map the class-map is referenced with the "class" keyword, and the "ips" action needs an operating mode (inline or promiscuous) and a failure mode (fail-open or fail-close):
!Create Policy-Map
policy-map PINTERNET
class CINTERNET
ips inline fail-open


Finally, we'll activate the policy with a service-policy that associates the policy-map (PINTERNET, the name we defined above) with the interface:
!Apply to interface using Service-Policy
service-policy PINTERNET interface OUTSIDE
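
Because every component of the MPF chain refers to the previous one by name (object-group, ACL, class-map, policy-map, service-policy), a typo in any name silently breaks the whole policy. The following is an added example, not part of this post or of Cisco's tooling: a small Python parser that reads an ASA-style configuration snippet, follows the reference chain, and reports every dangling reference. Both configuration samples are constructed; the good one is the chain from this post in working syntax, the broken one reuses "class-map" under the policy-map and a service-policy name that does not exist, and the "ips inline fail-open" action is assumed (it only exists when an IPS module is present).

```python
"""Validate the reference chain of an ASA Modular Policy Framework snippet.
Added example: a small parser, not Cisco software. Assumes ASA 8.x CLI syntax."""
from collections import defaultdict

# Constructed sample: the chain built in the post, in working syntax.
GOOD_CONFIG = """
object-group network WEBSERVERS
 network-object host 2.2.2.2
 network-object host 2.2.2.3
object-group service WEBTRAFFIC tcp
 port-object eq 80
 port-object eq 443
access-list AINTERNET extended permit tcp any object-group WEBSERVERS object-group WEBTRAFFIC
class-map CINTERNET
 match access-list AINTERNET
policy-map PINTERNET
 class CINTERNET
  ips inline fail-open
service-policy PINTERNET interface OUTSIDE
"""

# Constructed sample with defects: a missing object-group, "class-map" instead of
# "class" under the policy-map, and a service-policy naming a policy-map that
# does not exist.
BROKEN_CONFIG = """
object-group network WEBSERVERS
 network-object host 2.2.2.2
access-list AINTERNET extended permit tcp any object-group WEBSERVERS object-group WEBTRAFFIC
class-map CINTERNET
 match access-list AINTERNET
policy-map PINTERNET
 class-map CINTERNET
 ips
service-policy IPSINTERNETOUTSIDE interface OUTSIDE
"""


def parse_mpf(config):
    """Collect MPF objects and the names they reference. Like the real CLI, a
    top-level command (class-map, policy-map, ...) changes the config mode, so
    indented lines attach to the most recent top-level command."""
    seen = {"groups": set(), "acls": defaultdict(list), "class_maps": {},
            "policy_maps": {}, "service_policies": []}
    mode = None  # ("class-map" | "policy-map", name) while in that submode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # "!" is the ASA comment marker
            continue
        tok = line.split()
        cmd = tok[0]
        if cmd == "object-group":
            seen["groups"].add(tok[2])
            mode = None
        elif cmd == "access-list":
            refs = [tok[i + 1] for i, t in enumerate(tok[:-1]) if t == "object-group"]
            seen["acls"][tok[1]].extend(refs)
            mode = None
        elif cmd == "class-map":
            seen["class_maps"][tok[-1]] = []  # list of match statements
            mode = ("class-map", tok[-1])
        elif cmd == "policy-map":
            seen["policy_maps"][tok[-1]] = []  # list of (class, actions)
            mode = ("policy-map", tok[-1])
        elif cmd == "service-policy":
            seen["service_policies"].append((tok[1], " ".join(tok[2:])))
            mode = None
        elif mode and mode[0] == "class-map" and cmd == "match":
            seen["class_maps"][mode[1]].append(tok[1:])
        elif mode and mode[0] == "policy-map" and cmd == "class":
            seen["policy_maps"][mode[1]].append((tok[1], []))
        elif mode and mode[0] == "policy-map" and seen["policy_maps"][mode[1]]:
            # any other line under a class is an action (inspect, ips, police, ...)
            seen["policy_maps"][mode[1]][-1][1].append(line)
    return seen


def validate_mpf(config):
    """Return readable problems; an empty list means every name resolves and
    every policy-map is applied by some service-policy."""
    s = parse_mpf(config)
    problems = []
    for acl, refs in s["acls"].items():
        for g in refs:
            if g not in s["groups"]:
                problems.append(f"access-list {acl} references undefined object-group {g}")
    for cm, matches in s["class_maps"].items():
        if not matches:
            problems.append(f"class-map {cm} has no match statement")
        for m in matches:
            if m[0] == "access-list" and m[1] not in s["acls"]:
                problems.append(f"class-map {cm} matches undefined access-list {m[1]}")
    for pm, classes in s["policy_maps"].items():
        if not classes:
            problems.append(f"policy-map {pm} contains no class")
        for cname, actions in classes:
            if cname != "class-default" and cname not in s["class_maps"]:
                problems.append(f"policy-map {pm} uses undefined class-map {cname}")
            if not actions:
                problems.append(f"policy-map {pm} class {cname} has no action")
    applied = {pm for pm, _ in s["service_policies"]}
    for pm in sorted(applied - set(s["policy_maps"])):
        problems.append(f"service-policy references undefined policy-map {pm}")
    for pm in sorted(set(s["policy_maps"]) - applied):
        problems.append(f"policy-map {pm} is never applied by a service-policy")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, validate_mpf(cfg) or "OK")
```

Run it against a snippet pasted from "show running-config" before committing a change; the broken sample reproduces exactly the kind of mistakes that leave a policy-map defined but never applied to any interface.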


Note that the "ips" action is only available if your ASA has an IPS module. You can use multiple classes in a single policy-map, but a packet is matched against them in order and only the action of the first matching class is applied. After implementing, you can

The ASA applies the actions configured in a policy in a fixed order. This is:
1) TCP Processing
2) CSC/AIP-SSM
3) Application Inspection
4) IPS
5) QoS Input Policing
6) QoS Output Policing
7) QoS Priority Queuing

To configure all these from ASDM, we'll have to browse to Configuration - Firewall - Service Policy Rules.
