Cisco ASA Series CLI Configuration Manual page 1115

Software version 9.0 for the services module

Cisco ASA Series CLI Configuration Guide
Chapter 1
Configuring Inspection of Basic Internet Protocols
DNS Inspection

Step 3
Command:
policy-map name
Example:
hostname(config)# policy-map global_policy
Purpose:
Adds or edits a policy map that sets the actions to take with the class map traffic.
In the default configuration, the global_policy policy map is assigned globally to all interfaces. If you want to edit the global_policy, enter global_policy as the policy name.

Step 4
Command:
class name
Example:
hostname(config-pmap)# class inspection_default
Purpose:
Identifies the class map created in Step 1.
To edit the default policy, or to use the special inspection_default class map in a new policy, specify inspection_default for the name.

Step 5
Command:
inspect dns [dns_policy_map] [dynamic-filter-snoop]
Example:
hostname(config-class)# no inspect dns
hostname(config-class)# inspect dns dns-map
Purpose:
Configures DNS inspection. Specify the inspection policy map you created in the "(Optional) Configuring a DNS Inspection Policy Map and Class Map" section on page 1-3.
For information about the Botnet Traffic Filter dynamic-filter-snoop keyword, see the "Enabling DNS Snooping" section on page 26-11.
Note: If you are editing the default global policy (or any in-use policy) to use a different DNS inspection policy map from the default preset_dns_map, you must remove the DNS inspection with the no inspect dns command, and then re-add it with the new DNS inspection policy map name.

Step 6
Command:
service-policy policymap_name {global | interface interface_name}
Example:
hostname(config)# service-policy global_policy global
Purpose:
Activates the policy map on one or more interfaces. global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The default configuration includes a global policy called global_policy. If you are editing that policy, you can skip this step.

Examples
The following example shows how to use a new inspection policy map in the global default configuration:
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns new_dns_map
service-policy global_policy global

Monitoring DNS Inspection
To view information about the current DNS connections, enter the following command:
hostname# show conn
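An added example, not part of the Cisco guide: a Python check that reads a saved configuration and reports which DNS inspection policy map each policy map uses, whether dynamic-filter-snoop is set, and whether a service-policy command activates it. The sample configuration, the function name audit_dns_inspection and the record fields are constructed for illustration.

```python
# Constructed running-config fragment for illustration (not from a real device).
SAMPLE_CONFIG = """\
policy-map type inspect dns new_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns new_dns_map dynamic-filter-snoop
  inspect ftp
policy-map outside_policy
 class inspection_default
  inspect dns
policy-map unused_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
service-policy outside_policy interface outside
"""

def audit_dns_inspection(config):
    """Return one record per 'inspect dns' line, with the scopes where it is active."""
    scopes = {}   # policy map name -> "global" and/or interface names
    found = []    # (policy map, class map, DNS inspection map or None, snoop flag)
    policy = cls = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw[0].isspace():      # a top-level command closes the previous block
            policy = cls = None
        if tok[0] == "policy-map" and len(tok) == 2:   # skips "policy-map type inspect ..."
            policy = tok[1]
        elif tok[0] == "service-policy" and len(tok) >= 3:
            if tok[2] == "global":
                scopes.setdefault(tok[1], []).append("global")
            elif tok[2] == "interface" and len(tok) >= 4:
                scopes.setdefault(tok[1], []).append(tok[3])
        elif policy and tok[0] == "class" and len(tok) == 2:
            cls = tok[1]
        elif policy and cls and tok[:2] == ["inspect", "dns"]:
            extra = tok[2:]
            names = [t for t in extra if t != "dynamic-filter-snoop"]
            found.append((policy, cls, names[0] if names else None,
                          "dynamic-filter-snoop" in extra))
    return [{"policy": p, "class": c, "dns_map": m, "snoop": s,
             "applied_to": scopes.get(p, [])} for p, c, m, s in found]

if __name__ == "__main__":
    for rec in audit_dns_inspection(SAMPLE_CONFIG):
        print(rec)
```

A record with an empty applied_to list belongs to a policy map that no service-policy command activates, so its DNS inspection settings are not applied to any interface.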
