Monitoring Dns Inspection - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
FTP Inspection
Examples
The following example shows a how to use a new inspection policy map in the global default
configuration:
policy-map global_policy
class inspection_default
no inspect dns preset_dns_map
inspect dns new_dns_map
service-policy global_policy global
Monitoring DNS Inspection
To view information about the current DNS connections, enter the following command:
hostname# show conn
For connections using a DNS server, the source port of the connection may be replaced by the IP address
of the DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security
appliance within a limited period of time and there is no resource build-up. However, when you enter the
show conn command, you see the idle timer of a DNS connection being reset by a new DNS session.
This is due to the nature of the shared DNS connection and is by design.
To display the statistics for DNS application inspection, enter the show service-policy command. The
following is sample output from the show service-policy command:
hostname# show service-policy
Interface outside:
Service-policy: sample_policy
FTP Inspection
The following sections describe the FTP inspection engine.
•
•
•
•
FTP Inspection Overview
The FTP application inspection inspects the FTP sessions and performs four tasks:
•
Cisco ASA Series Firewall CLI Configuration Guide
13-8
Class-map: dns_port
Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
FTP Inspection Overview, page 13-8
Strict FTP, page 13-9
Configure FTP Inspection, page 13-10
Verifying and Monitoring FTP Inspection, page 13-14
Prepares dynamic secondary data connection
Chapter 13
Inspection of Basic Internet Protocols
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
