Cisco ASA 5505 Adaptive Security Appliance Technical Manual
In policy-map class configuration mode, use the inspection policy map created in steps 1-3 in order to specify that DNS should be inspected.
ciscoasa(config-pmap-c)#inspect dns MY_DNS_INSPECT_MAP
8. Exit out of policy-map class configuration mode and policy-map configuration mode.
ciscoasa(config-pmap-c)#exit
ciscoasa(config-pmap)#exit
9. Verify that the global_policy policy-map is configured as desired.
ciscoasa(config)#show run policy-map
!
!--- The configured DNS inspection policy map.
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns MY_DNS_INSPECT_MAP
!--- DNS application inspection enabled.
10. Verify that the global_policy is applied globally by a service-policy.
ciscoasa(config)#show run service-policy
service-policy global_policy global
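As an added example that is not part of the Cisco manual, the following Python script automates the checks of steps 9 and 10: it parses the output of show run policy-map and show run service-policy, confirms that the DNS inspection policy map exists with its message-length limit, that a layer 3/4 policy-map calls it, and that this policy-map is bound globally. The sample output embedded in the script is constructed to mirror the configuration above, and the function names are my own.

```python
import re

# Constructed sample output mirroring the configuration shown in steps 9 and 10.
SAMPLE_POLICY_MAP = """\
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
  inspect dns MY_DNS_INSPECT_MAP
"""
SAMPLE_SERVICE_POLICY = "service-policy global_policy global\n"

def parse_policy_maps(text):
    """Group 'show run policy-map' output by top-level policy-map:
    {name: {"type": inspect type or "l3l4", "lines": [stripped child lines]}}."""
    maps, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):  # separators and !--- annotations
            continue
        m = re.match(r"policy-map(?: type inspect (\S+))? (\S+)$", line)
        if m:
            current = maps.setdefault(m.group(2), {"type": m.group(1) or "l3l4", "lines": []})
        elif current is not None:
            current["lines"].append(line.strip())
    return maps

def dns_inspection_status(policy_map_text, service_policy_text, inspect_map="MY_DNS_INSPECT_MAP"):
    """Apply the checks of steps 9 and 10 and return the findings."""
    maps = parse_policy_maps(policy_map_text)
    inspect = maps.get(inspect_map)
    max_len = None
    for child in (inspect["lines"] if inspect else []):
        m = re.match(r"message-length maximum (\d+)$", child)
        if m:
            max_len = int(m.group(1))
    # Layer 3/4 policy-maps that call the inspection map under a class.
    users = [n for n, pm in maps.items()
             if pm["type"] == "l3l4" and f"inspect dns {inspect_map}" in pm["lines"]]
    # 'service-policy <name> global' binds a policy-map to every interface.
    bound = set(re.findall(r"^service-policy (\S+) global$", service_policy_text, re.M))
    return {"map_defined": inspect is not None and inspect["type"] == "dns",
            "message_length_max": max_len, "applied_in": users,
            "applied_globally": any(n in bound for n in users)}

if __name__ == "__main__":
    print(dns_inspection_status(SAMPLE_POLICY_MAP, SAMPLE_SERVICE_POLICY))
```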
Verify
Use this section to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Capture DNS Traffic
One method to verify that the security appliance rewrites DNS records correctly is to capture the packets in question, as discussed in the previous example. Complete these steps in order to capture traffic on the ASA:
1. Create an access list for each capture instance you want to create. The ACL should specify the traffic that you want to capture. In this example, two ACLs have been created.
   The ACL for traffic on the outside interface:
   access-list DNSOUTCAP extended permit ip host 172.22.1.161 host 172.20.1.2