
Cisco Asdm 7 User Guide

Here you can view all the pages of the Cisco Asdm 7 User Guide manual. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

Page 281

 
11-7
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 11      Configuring Inspection of Basic Internet Protocols
  DNS Inspection
Step 2 Click Add.
The Add DNS Inspect dialog box appears.

Page 282

 
Step 3 You can configure DNS inspections using the following methods:
Single Match—Match a single criterion, and identify the action for the match.
Multiple matches—Match multiple criteria by creating an inspection class map.
The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets...

Page 283

 
Enforce TSIG: Requires a TSIG resource record to be present.
–Do not enforce
–Drop packet
–Log
–Drop packet and log
Not all combinations are valid for all matching criteria. For example, you can configure both Mask and Enforce TSIG together only for the Criterion: Header Flag option.
Step 4 For Multiple matches, if you predefined a class map on the Configuration...

Page 284

 
Step 5 From the Criterion drop-down list, choose one of the following criteria:
Header Flag:
Set the following Value parameters:
–Match Option: Equals or Contains. If you choose Header Flag Name, and check multiple flags, you can set the ASA to match a packet only if all flags are present (Equals) or if any one of the flags is present (Contains).
–Match Value:...

Page 285

 
Set the following Value parameters:
–DNS Type Field Name—Lists the DNS types to select.
A—IPv4 address
AXFR—Full (zone) transfer
CNAME—Canonical name
IXFR—Incremental (zone) transfer
NS—Authoritative name server
SOA—Start of a zone of authority
TSIG—Transaction signature
–DNS Type Field Value:
Value—Lets you enter a value between 0 and 65535 to match....

Page 286

 
Set the following Value parameters:
–DNS Class Field Name: Internet—Internet is the only option.
–DNS Class Field Value:
Value—Lets you enter a value between 0 and 65535.
Range—Lets you enter a range match. Both values must be between 0 and 65535.
Question: Matches a DNS question. 

Page 287

 
Resource Record: 

Page 288

 
Set the following Value parameters:
–Resource Record:
additional—DNS additional resource record
answer—DNS answer resource record
authority—DNS authority resource record
Domain Name: 

Page 289

 
Set the following Value parameters:
–Regular Expression—Choose an existing regular expression from the drop-down menu, or click Manage to add a new one. See the “Creating a Regular Expression” section on page 20-20 in the general operations configuration guide.
–Regular Expression Class—Choose an existing regular expression class map from the drop-down menu,...

Page 290

 
these buttons are enabled. See the “Guidelines and Limitations” section on page 2-2 for more information.
Step 10 Click OK to save the DNS inspect map.
Step 11 Click Apply.
Configuring DNS Inspection
The default ASA configuration includes many default inspections on default ports applied globally on all interfaces. A common method for customizing the inspection...