Cisco Asdm 7 User Guide
11-7 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols DNS Inspection

Step 2 Click Add. The Add DNS Inspect dialog box appears.

Step 3 You can configure DNS inspections using the following methods:

Single Match—Match a single criterion, and identify the action for the match.

Multiple matches—Match multiple criteria by creating an inspection class map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps. If you want different actions for each criterion, use the single match option; you can only set one action for the entire class map. You can add multiple class maps and single matches in the same policy map.

Actions for each Single Match, or for a Multiple match class map, include:

Primary Action:
–Mask
–Drop Packet
–Drop Connection
–None

Log:
–Enable
–Disable

Enforce TSIG: Requires a TSIG resource record to be present.
–Do not enforce
–Drop packet
–Log
–Drop packet and log

Not all combinations are valid for all matching criteria. For example, you can configure both Mask and Enforce TSIG together only for the Criterion: Header Flag option.

Step 4 For Multiple matches, if you predefined a class map on the Configuration > Firewall > Objects > Class Maps > DNS pane, you can select it from the drop-down list, set the Actions, and click OK. To add a new class map:

a. Click Manage. The Manage DNS Class Maps dialog box appears.
b. Click Add. The Add DNS Traffic Class Map dialog box appears.
c. Click Add. The Add DNS Match Criterion dialog box appears.

The match criteria are the same for a class map or for single matches; the following steps apply to both methods. The only difference is that you do not set an Action for each criterion in a class map.
Step 5 From the Criterion drop-down list, choose one of the following criteria:

Header Flag: Set the following Value parameters:
–Match Option: Equals or Contains. If you choose Header Flag Name, and check multiple flags, you can set the ASA to match a packet only if all flags are present (Equals) or if any one of the flags is present (Contains).
–Match Value: Header Flag Name or Header Flag Value. If you click Header Flag Name, you can check one or more well-known flag values. If you want to specify a hex value, click the Header Flag Value radio button, and enter the hex value in the field.

Type: Set the following Value parameters:
–DNS Type Field Name—Lists the DNS types to select.
A—IPv4 address
AXFR—Full (zone) transfer
CNAME—Canonical name
IXFR—Incremental (zone) transfer
NS—Authoritative name server
SOA—Start of a zone of authority
TSIG—Transaction signature
–DNS Type Field Value:
Value—Lets you enter a value between 0 and 65535 to match.
Range—Lets you enter a range match. Both values between 0 and 65535.

Class: Set the following Value parameters:
–DNS Class Field Name: Internet—Internet is the only option.
–DNS Class Field Value:
Value—Lets you enter a value between 0 and 65535.
Range—Lets you enter a range match. Both values between 0 and 65535.

Question: Matches a DNS question.

Resource Record: Set the following Value parameters:
–Resource Record:
additional—DNS additional resource record
answer—DNS answer resource record
authority—DNS authority resource record

Domain Name: Set the following Value parameters:
–Regular Expression—Choose an existing regular expression from the drop-down menu, or click Manage to add a new one. See the “Creating a Regular Expression” section on page 20-20 in the general operations configuration guide.
–Regular Expression Class—Choose an existing regular expression class map from the drop-down menu, or click Manage to add a new one. See the “Creating a Regular Expression Class Map” section on page 20-24 in the general operations configuration guide.

Step 6 For a class map:
a. Click OK to add the match to the map.
b. Add more matches as desired.
c. Click OK to finish the class map.
d. Click OK to return to the Add DNS Inspect Map dialog box.

Step 7 Set the action for the Single Match, or for the Multiple matches class map; see Step 3 for actions.

Step 8 Click OK to return to the Add DNS Inspect dialog box.

Step 9 In some cases when you have more than one match in the inspection policy map, you can order the matches using the Move Up and Move Down buttons. Generally, the order is determined by internal ASA rules, so these buttons are not available for most entries. However, if you have a direct match and a class map that have the same match, then the order in the configuration determines which match is used, so these buttons are enabled. See the “Guidelines and Limitations” section on page 2-2 for more information.

Step 10 Click OK to save the DNS inspect map.

Step 11 Click Apply.

Configuring DNS Inspection

The default ASA configuration includes many default inspections on default ports applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. The steps in this section show how to edit the default global policy, but you can alternatively create a new service policy as desired, for example, an interface-specific policy.

Detailed Steps

Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to Chapter 1, “Configuring a Service Policy.” You can configure DNS inspection as part of a new service policy rule, or you can edit an existing service policy.

Step 2 On the Rule Actions dialog box, click the Protocol Inspections tab.

Step 3 (To change an in-use policy) If you are editing any in-use policy to use a different DNS inspection policy map, you must disable the DNS inspection, and then re-enable it with the new DNS inspection policy map name:
a. Uncheck the DNS check box.
b. Click OK.
c. Click Apply.
d. Repeat these steps to return to the Protocol Inspections tab.

Step 4 Check the DNS check box.

Step 5 Click Configure. The Select DNS Inspect Map dialog appears.

Step 6 Choose the inspection map:
To use the default map, click Use the default DNS inspection map (preset_dns_map).
To use a DNS inspection policy map that you configured in the “(Optional) Configuring a DNS Inspection Policy Map and Class Map” section on page 11-3, select the map name.
To add a new map, click Add. See the “(Optional) Configuring a DNS Inspection Policy Map and Class Map” section on page 11-3 for more information.
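The matching semantics that the DNS inspection policy map of Steps 3 through 5 above describes (Header Flag with Equals versus Contains, Type and Class by value or range, Question, Resource Record, Domain Name by regular expression, and the Primary Action, Log and Enforce TSIG actions) are modelled here in Python as an added example. This is not Cisco code and does not show how the ASA itself implements inspection. The shape of the rule dictionaries, the choice to match Type and Class against the question and every resource record, the reading of the Resource Record criterion as "that section is non-empty", and the sample packets and rule list are assumptions constructed for this example; the header flag bit values and the TSIG record type number 250 are the standard DNS values.

```python
"""Constructed model of the DNS inspection match criteria and actions.
Not Cisco code: it parses a DNS message and evaluates Header Flag, Type,
Class, Question, Resource Record and Domain Name criteria, then returns
the Primary Action / Log verdict, applying Enforce TSIG when configured."""
import re
import struct

# Standard DNS header flag bits (RFC 1035): the "well-known" flag names.
HEADER_FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
TSIG_TYPE = 250  # RR type number of a TSIG record (RFC 8945)


def read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg):
    """Return header flags, the question list and per-section RR lists."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            sections[sec].append((name, rtype, rclass))
            off += 10 + rdlen  # skip fixed RR fields and RDATA
    return {"flags": flags, "questions": questions, "sections": sections}


def match_criterion(pkt, crit):
    """Evaluate one criterion dict (the dict layout is this example's assumption)."""
    kind = crit["criterion"]
    if kind == "header_flag":
        want = sum(HEADER_FLAGS[f] for f in crit["flags"])
        if crit["match"] == "equals":  # Equals: all listed flags must be set
            return pkt["flags"] & want == want
        return pkt["flags"] & want != 0  # Contains: any listed flag is enough
    if kind in ("type", "class"):  # matched against question and every RR (assumption)
        idx = 1 if kind == "type" else 2
        lo, hi = crit["range"]  # a single Value is expressed as (v, v)
        values = [q[idx] for q in pkt["questions"]] + [
            rr[idx] for sec in pkt["sections"].values() for rr in sec]
        return any(lo <= v <= hi for v in values)
    if kind == "question":
        return bool(pkt["questions"])
    if kind == "resource_record":  # assumption: records present in that section
        return bool(pkt["sections"][crit["section"]])
    if kind == "domain_name":
        return any(re.search(crit["regex"], q[0]) for q in pkt["questions"])
    raise ValueError(kind)


def inspect(msg, rules):
    """Apply (criterion, action) rules in order; the first match decides.
    Mask is only reported as a verdict here, not applied to the packet."""
    pkt = parse_dns(msg)
    has_tsig = any(rr[1] == TSIG_TYPE for rr in pkt["sections"]["additional"])
    for crit, action in rules:
        if not match_criterion(pkt, crit):
            continue
        verdict = {"primary": action.get("primary", "none"), "log": action.get("log", False)}
        tsig_mode = action.get("enforce_tsig", "do-not-enforce")
        if tsig_mode != "do-not-enforce" and not has_tsig:
            if "drop" in tsig_mode:  # "drop-packet" or "drop-packet-and-log"
                verdict["primary"] = "drop-packet"
            if "log" in tsig_mode:
                verdict["log"] = True
        return verdict
    return {"primary": "none", "log": False}


def build_query(name, qtype, flags=0x0100, qclass=1):
    """Build a one-question DNS query (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, qclass)


# Constructed sample messages: an A query, an AXFR request, and a response
# whose answer uses a compression pointer back to the question name.
QUERY_A = build_query("www.example.com", 1)
QUERY_AXFR = build_query("example.com", 252)
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 1]))

# Constructed rule list (placeholder domain, not a real indicator).
RULES = [
    ({"criterion": "type", "range": (252, 252)}, {"primary": "drop-connection", "log": True}),
    ({"criterion": "domain_name", "regex": r"\.evil-example\.test$"}, {"primary": "drop-packet", "log": True}),
    ({"criterion": "header_flag", "match": "equals", "flags": ["QR", "RA"]},
     {"primary": "none", "log": True, "enforce_tsig": "log"}),
]
```

Running `inspect(QUERY_AXFR, RULES)` yields a drop-connection verdict from the Type rule, while the unsigned response matches the Header Flag rule (both QR and RA set, so Equals holds) and is logged because Enforce TSIG is set to Log and no TSIG record is present in the additional section.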
Step 7 If you use the Botnet Traffic Filter, click Enable Botnet traffic filter DNS snooping. Botnet Traffic Filter snooping compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address. We suggest that you enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary