Cisco ASA Series User Manual

Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Inspection of Basic Internet Protocols
DNS Inspection
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
! ...
service-policy global_policy global
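The following Python check is an added example, not part of the Cisco guide: it reads a saved ASA configuration and reports where the DNS inspection settings differ from the default configuration shown above, or where DNS inspection is not applied by a service policy. The function names, the choice of baseline settings, and the sample configuration are assumptions made for illustration.

```python
# Added example (not Cisco code); BASELINE is an assumption taken from the defaults above.
BASELINE = ("dns-guard", "protocol-enforcement", "message-length maximum 512")

def parse_blocks(config):
    """Map each top-level command to the flattened list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and "!" comment/separator lines
        if not line.startswith(" "):
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit_dns_inspection(config, baseline=BASELINE):
    """Return findings as strings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    applied = {h.split()[1] for h in blocks if h.startswith("service-policy ")}
    findings, inspected = [], False
    for head, body in blocks.items():
        if not head.startswith("policy-map ") or head.startswith("policy-map type "):
            continue  # "inspect dns" lives in Layer 3/4 policy maps, not inspection maps
        policy = head.split()[1]
        for cmd in (c for c in body if c.split()[:2] == ["inspect", "dns"]):
            inspected = True
            if policy not in applied:
                findings.append(f"{policy}: not applied by any service-policy")
            names = [t for t in cmd.split()[2:] if t != "dynamic-filter-snoop"]
            settings = blocks.get("policy-map type inspect dns " + names[0]) if names else None
            if settings is None:
                findings.append(f"{policy}: inspect dns has no defined inspection policy map")
            else:
                findings += [f"{names[0]}: missing '{s}'" for s in baseline if s not in settings]
    return findings if inspected else ["no policy map inspects DNS"]

# Constructed sample: a trimmed copy of the configuration above with dns-guard removed.
DRIFTED = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  protocol-enforcement
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
"""
print(audit_dns_inspection(DRIFTED))
```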
(Optional) Configuring a DNS Inspection Policy Map and Class Map
To match DNS packets with certain characteristics and perform special actions, create a DNS inspection
policy map. You can also configure a DNS inspection class map to group multiple match criteria for
reference within the inspection policy map. You can then apply the inspection policy map when you
enable DNS inspection.
Prerequisites
If you want to match a DNS message domain name list, then create a regular expression using one of the
methods below:
• “Creating a Regular Expression” section on page 1-14.
• “Creating a Regular Expression Class Map” section on page 1-17.
Detailed Steps
Step 1: Do one of the following:

Command:
class-map type inspect dns [match-all | match-any] class_map_name

Example:
hostname(config)# class-map type inspect dns match-all dns-class-map

Purpose:
Creates a DNS inspection class map, where class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one of the criteria.

A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.

The CLI enters class-map configuration mode, where you can enter one or more match or match not commands.

For the traffic that you identify in this class map, you can only specify actions (such as drop) for the entire class. If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
