Cisco Systems ASA 5585-X User Manual
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 10: Configuring Inspection of Basic Internet Protocols
DNS Inspection
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
! ...
service-policy global_policy global
(Optional) Configuring a DNS Inspection Policy Map and Class Map
To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map. You can also configure a DNS inspection class map to group multiple match criteria for reference within the inspection policy map. You can then apply the inspection policy map when you enable DNS inspection.
Prerequisites
If you want to match a DNS message domain name list, first create a regular expression using one of the following methods:
- Create a regular expression (see the general operations configuration guide).
- Create a regular expression class map (see the general operations configuration guide).
Detailed Steps

Step 1. Do one of the following:

Command:
class-map type inspect dns [match-all | match-any] class_map_name

Example:
ciscoasa(config)# class-map type inspect dns match-all dns-class-map

Purpose:
Creates a DNS inspection class map, where class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one of the criteria.

A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.

The CLI enters class-map configuration mode, where you can enter one or more match or match not commands.

For the traffic that you identify in this class map, you can only specify actions (such as drop) for the entire class. If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
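The following Python model is an added illustration, not Cisco code and not part of the guide: it approximates what the preset_dns_map parameters shown above (message-length maximum 512, protocol-enforcement, dns-guard; nat-rewrite is not modelled) do to a DNS message, and how a class map's match-all and match-any keywords combine match criteria. The drop semantics are a simplified assumption about ASA behaviour, and the DNS messages are constructed inline as sample data.

```python
import re
import struct
MAX_MESSAGE_LENGTH = 512  # message-length maximum 512 (plain UDP DNS, no EDNS)

def build_dns(txid, name, flags=0x0100):
    """Construct a minimal one-question DNS message (sample data, built here)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_qname(msg, off):
    """protocol-enforcement model: labels <= 63 bytes, name <= 255, no pointer loops."""
    labels, total, seen = [], 0, set()
    while True:
        if off >= len(msg) or off in seen:
            raise ValueError("truncated or looped name")
        seen.add(off)
        n = msg[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if n > 63 or total + n + 1 > 255:
            raise ValueError("label or name too long")
        total += n + 1
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def inspect(msg, sessions):
    """Return 'permit' or 'drop: <check>' for one message; sessions holds open query IDs."""
    if len(msg) > MAX_MESSAGE_LENGTH:
        return "drop: message-length"
    try:  # protocol-enforcement: header and question section must be well formed
        txid, flags, qdcount = struct.unpack("!HHHHHH", msg[:12])[:3]
        off = 12
        for _ in range(qdcount):
            off = parse_qname(msg, off)[1] + 4  # skip QTYPE and QCLASS
    except (ValueError, struct.error):
        return "drop: protocol-enforcement"
    if not flags & 0x8000:  # a query opens a DNS session keyed by transaction ID
        sessions.add(txid)
        return "permit"
    if txid not in sessions:  # dns-guard: reply with no open query for it
        return "drop: dns-guard"
    sessions.discard(txid)  # dns-guard tears the session down after the first reply
    return "permit"

def class_map_matches(regexes, domain, match_all=True):
    hits = [re.search(rx, domain) is not None for rx in regexes]  # one result per match regex
    return all(hits) if match_all else any(hits)  # match-all vs match-any semantics
```

Feeding the same reply twice shows the dns-guard behaviour: the first reply is permitted and closes the session, the second is dropped.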