Cisco ASA 5505 Adaptive Security Appliance Technical Manual

Page 26
8. In policy-map class configuration mode, use the inspection policy map created in steps 1-3 in order
to specify that DNS should be inspected.
ciscoasa(config-pmap-c)#inspect dns MY_DNS_INSPECT_MAP
9. Exit out of policy-map class configuration mode and policy-map configuration mode.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
10. Verify that the global_policy policy-map is configured as desired.
ciscoasa(config)#show run policy-map
!
!--- The configured DNS inspection policy map.
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns MY_DNS_INSPECT_MAP
!--- DNS application inspection enabled.
11. Verify that the global_policy is applied globally by a service-policy.
ciscoasa(config)#show run service-policy
service-policy global_policy global
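As an added check for the two verification steps above (example code written for this page, not Cisco's own tooling), the following Python audits saved show run output for the same three facts an operator reads by eye: the named DNS inspection map exists with a message-length maximum, global_policy applies it, and global_policy is bound globally by a service-policy. The sample output is constructed and abridged; the map name and 512-byte limit come from this page.

```python
import re

# Constructed, abridged sample of the output of "show run policy-map" and
# "show run service-policy" as shown in the verification steps (not from a real device).
SAMPLE_RUN = """\
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
  inspect dns MY_DNS_INSPECT_MAP
service-policy global_policy global
"""

def split_policy_maps(text):
    """Group the indented body lines of each top-level 'policy-map ...' block under its header."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith("policy-map "):
            current = line.strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line (e.g. service-policy) ends the block
    return blocks

def audit_dns_inspection(text, map_name="MY_DNS_INSPECT_MAP", max_len=512):
    """Return a list of findings; an empty list means DNS inspection is wired up as intended."""
    findings = []
    blocks = split_policy_maps(text)
    dns_map = blocks.get(f"policy-map type inspect dns {map_name}")
    if dns_map is None:
        findings.append(f"inspection policy map {map_name} is not defined")
    else:
        matches = [re.match(r"message-length maximum (\d+)$", l) for l in dns_map]
        lengths = [int(m.group(1)) for m in matches if m]
        if not lengths:
            findings.append(f"{map_name} sets no message-length maximum")
        elif lengths[0] > max_len:
            findings.append(f"{map_name} allows {lengths[0]}-byte messages (> {max_len})")
    # The map only takes effect if global_policy references it by name (a bare
    # "inspect dns" would use the default inspection instead of this map).
    if f"inspect dns {map_name}" not in blocks.get("policy-map global_policy", []):
        findings.append(f"global_policy does not apply 'inspect dns {map_name}'")
    if "service-policy global_policy global" not in [l.strip() for l in text.splitlines()]:
        findings.append("global_policy is not applied globally by a service-policy")
    return findings

if __name__ == "__main__":
    print(audit_dns_inspection(SAMPLE_RUN) or "DNS inspection OK")
```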
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT
to view an analysis of show command output.
Capture DNS Traffic
One method to verify that the security appliance rewrites DNS records correctly is to capture the packets in
question, as discussed in the previous example. Complete these steps in order to capture traffic on the ASA:
1. Create an access list for each capture instance you want to create. The ACL should specify the traffic
that you want to capture. In this example, two ACLs have been created.
   ♦ The ACL for traffic on the outside interface:
   access-list DNSOUTCAP extended permit ip host 172.22.1.161 host 172.20.1.2