Cisco Systems ASA 5585-X User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 10      Configuring Inspection of Basic Internet Protocols
  DNS Inspection
Examples
The following example shows how to use a new inspection policy map in the global default configuration:
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns new_dns_map
service-policy global_policy global
Monitoring DNS Inspection
To view information about the current DNS connections, enter the following command:
ciscoasa# show conn
Step 3
Command: policy-map name
Example:
ciscoasa(config)# policy-map global_policy
Purpose: Adds or edits a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.

Step 4
Command: class name
Example:
ciscoasa(config-pmap)# class inspection_default
Purpose: Identifies the class map created in .
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name.

Step 5
Command: inspect dns [dns_policy_map] [dynamic-filter-snoop]
Example:
ciscoasa(config-class)# no inspect dns
ciscoasa(config-class)# inspect dns dns-map
Purpose: Configures DNS inspection. Specify the inspection policy map you created in the
For information about the Botnet Traffic Filter dynamic-filter-snoop keyword, see the .
Note: If you are editing the default global policy (or any in-use policy) to use a different DNS inspection policy map from the default preset_dns_map, you must remove the DNS inspection with the no inspect dns command, and then re-add it with the new DNS inspection policy map name.

Step 6
Command: service-policy policymap_name {global | interface interface_name}
Example:
ciscoasa(config)# service-policy global_policy global
Purpose: Activates the policy map on one or more interfaces. global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The default configuration includes a global policy called global_policy. If you are editing that policy, you can skip this step.
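
An offline check for Steps 3 through 6 and the Note in Step 5, added here as an example and not taken from the Cisco guide: it reads a saved configuration, reports which DNS inspection policy map each class uses and whether its policy map is activated by a service-policy, and emits the remove-then-re-add sequence the Note requires. It assumes the show running-config layout (sub-commands indented); the dmz_policy name, the function names and the sample text are constructed for illustration.

```python
# Constructed excerpt in "show running-config" layout (not from a real device).
SAMPLE_CONFIG = """\
policy-map type inspect dns new_dns_map
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map dmz_policy
 class inspection_default
  inspect dns new_dns_map dynamic-filter-snoop
service-policy global_policy global
"""

def parse_dns_inspection(config):
    """Return ({(policy_map, class): (dns_map, snoop)}, {policy_map: [scope, ...]})."""
    dns, applied = {}, {}
    pmap = cmap = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw[0].isspace():  # a top-level command closes any open policy-map block
            pmap = cmap = None
            if tok[0] == "policy-map" and len(tok) == 2:  # skips "policy-map type inspect ..."
                pmap = tok[1]
            elif tok[0] == "service-policy" and len(tok) >= 3:
                applied.setdefault(tok[1], []).append(" ".join(tok[2:]))
        elif pmap and tok[0] == "class" and len(tok) == 2:
            cmap = tok[1]
        elif pmap and cmap and tok[:2] == ["inspect", "dns"]:
            names = [t for t in tok[2:] if t != "dynamic-filter-snoop"]
            dns[(pmap, cmap)] = (names[0] if names else None, "dynamic-filter-snoop" in tok)
    return dns, applied

def audit(config, expected_map):
    """Return (findings, fix_commands); fixes follow the Note: remove, then re-add."""
    dns, applied = parse_dns_inspection(config)
    findings, fix = [], []
    for (pmap, cmap), (used, snoop) in sorted(dns.items()):
        if pmap not in applied:
            findings.append(f"{pmap}: not activated by any service-policy (Step 6)")
        if used != expected_map:
            findings.append(f"{pmap}/{cmap}: inspect dns uses {used or 'no named map'}")
            new = f"inspect dns {expected_map}" + (" dynamic-filter-snoop" if snoop else "")
            fix += [f"policy-map {pmap}", f" class {cmap}", "  no inspect dns", f"  {new}"]
    return findings, fix

if __name__ == "__main__":
    print("\n".join(sum(audit(SAMPLE_CONFIG, "new_dns_map"), [])))
```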