
Cisco ASA 5506-X Configuration Manual page 151


Chapter 7
Inspection of Basic Internet Protocols
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet. This action is available for header flag matches only.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
The enforce-tsig {[drop] [log]} keyword enforces the presence of the TSIG resource record in a message. You can drop a packet without the TSIG resource record, log it, or drop and log it. You can use this option in conjunction with the mask action for header flag matches; otherwise, this action is exclusive with the other actions.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map, page 2-4.
For example:
hostname(config)# policy-map type inspect dns dns-map
hostname(config-pmap)# class dns-class-map
hostname(config-pmap-c)# drop
hostname(config-pmap-c)# match header-flag eq aa
hostname(config-pmap-c)# drop log
Step 5 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
dns-guard—Enables DNS Guard. The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
id-mismatch count number duration seconds action log—Enables logging for excessive DNS ID mismatches, where the count number duration seconds arguments specify the maximum number of mismatch instances per second before a system log message is sent.
id-randomization—Randomizes the DNS identifier for a DNS query.
message-length maximum {length | client {length | auto} | server {length | auto}}—Sets the maximum DNS message length, from 512 to 65535 bytes. You can also set the maximum length for client or server messages. The auto keyword sets the maximum length to the value in the Resource Record.
nat-rewrite—Translates the DNS record based on the NAT configuration.
protocol-enforcement—Enables the DNS message format check, including domain name length of no more than 255 characters, label length of no more than 63 characters, compression, and looped pointer check.
tsig enforced action {[drop] [log]}—Requires a TSIG resource record to be present. You can drop a non-conforming packet, log the packet, or both.
For example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)# dns-guard
hostname(config-pmap-p)# message-length maximum 1024
hostname(config-pmap-p)# nat-rewrite
hostname(config-pmap-p)# protocol-enforcement
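The format rules that protocol-enforcement applies (labels of at most 63 octets, names of at most 255 octets, looped compression pointers), the message-length maximum, and the query/reply ID match that dns-guard performs, written out as an added Python example. This is illustrative code for this page, not Cisco's implementation of these checks; the sample messages are constructed inline, the 512-byte limit is an assumed demo value, and the function names are the example's own.

```python
import struct

# Limits the page's protocol-enforcement option describes (RFC 1035 wire format).
MAX_LABEL = 63
MAX_NAME = 255
HEADER_LEN = 12
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}  # header flag -> bit position


class DnsFormatError(ValueError):
    """Raised for a message that fails one of the format checks."""


def parse_header(msg):
    """Unpack the 12-byte header into id, flag bits and the four section counts."""
    if len(msg) < HEADER_LEN:
        raise DnsFormatError("message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    hdr = {"id": ident, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    for name, bit in FLAG_BITS.items():
        hdr[name] = (flags >> bit) & 1
    return hdr


def read_name(msg, offset):
    """Decode a possibly compressed name at offset; return (name, offset after it).

    Enforces the three name rules on the page: labels of at most 63 octets, a total
    wire length of at most 255 octets, and no looped compression pointers.
    """
    labels, total, visited, resume = [], 0, set(), None
    while True:
        if offset >= len(msg):
            raise DnsFormatError("name runs past the end of the message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 11xxxxxx plus one more octet
            if offset + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target in visited:  # a target seen before on this name means a cycle
                raise DnsFormatError("looped compression pointer")
            visited.add(target)
            if resume is None:  # parsing of the message continues after the first pointer
                resume = offset + 2
            offset = target
            continue
        if length > MAX_LABEL:  # also rejects the reserved 01/10 label types
            raise DnsFormatError("label longer than 63 octets")
        if length == 0:
            break
        total += length + 1
        if total + 1 > MAX_NAME:  # +1 for the terminating zero octet
            raise DnsFormatError("name longer than 255 octets")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), resume if resume is not None else offset + 1


def check_message(msg, max_length=512):
    """Return the violations the page's parameters would flag (empty list if clean).

    max_length plays the role of message-length maximum; 512 is an assumed demo value.
    """
    problems = []
    if len(msg) > max_length:
        problems.append("message length %d exceeds maximum %d" % (len(msg), max_length))
    try:
        hdr = parse_header(msg)
        off = HEADER_LEN
        for _ in range(hdr["qdcount"]):
            _, off = read_name(msg, off)
            off += 4  # QTYPE + QCLASS
        for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
            _, off = read_name(msg, off)
            if off + 10 > len(msg):
                raise DnsFormatError("truncated resource record")
            rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlen  # TYPE, CLASS, TTL, RDLENGTH, then RDATA
        if off > len(msg):
            raise DnsFormatError("section counts run past the end of the message")
    except DnsFormatError as exc:
        problems.append(str(exc))
    return problems


def reply_matches_query(query, reply):
    """DNS Guard's ID check: the reply must be a response carrying the query's ID."""
    q, r = parse_header(query), parse_header(reply)
    return q["qr"] == 0 and r["qr"] == 1 and q["id"] == r["id"]


# Constructed sample messages for the demo (not captured traffic).
def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def build_query(ident, name):
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"

def build_reply(ident, name, ipv4):
    # The answer name is a pointer back to the question name at offset 12 (0xC00C).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ipv4.split("."))
    return struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01" + answer

GOOD_QUERY = build_query(0x1234, "www.example.com")
GOOD_REPLY = build_reply(0x1234, "www.example.com", "192.0.2.1")
SPOOFED_REPLY = build_reply(0x4321, "www.example.com", "192.0.2.1")  # ID does not match the query
LOOPED_NAME = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"
LONG_LABEL = struct.pack("!6H", 2, 0x0100, 1, 0, 0, 0) + bytes([64]) + b"a" * 64 + b"\x00" + b"\x00\x01\x00\x01"
LONG_NAME = struct.pack("!6H", 3, 0x0100, 1, 0, 0, 0) + (bytes([63]) + b"a" * 63) * 5 + b"\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for tag, msg in [("query", GOOD_QUERY), ("reply", GOOD_REPLY), ("looped", LOOPED_NAME),
                     ("long label", LONG_LABEL), ("long name", LONG_NAME)]:
        print(tag, check_message(msg) or "ok")
    print("reply id matches:", reply_matches_query(GOOD_QUERY, GOOD_REPLY))
    print("spoofed id matches:", reply_matches_query(GOOD_QUERY, SPOOFED_REPLY))
```

The looped-pointer detection keeps the set of pointer targets already followed while decoding one name, so a pointer to itself or a two-pointer cycle is rejected instead of spinning; the same walk over the question and resource-record sections is what lets a message-length or truncation problem surface as a violation rather than a parser crash.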
Cisco ASA Series Firewall CLI Configuration Guide
DNS Inspection
7-5
