Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Configuring Inspection of Basic Internet Protocols
DNS Inspection
Step 4
match [not] dns-class {eq {in | c_val} | range c_val1 c_val2}
For direct match only:
{drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | log}
Example:
ciscoasa(config-pmap)# match dns-class eq in
ciscoasa(config-pmap-c)# log
Matches a DNS class, either in (for Internet) or c_val, an arbitrary
value from 0 to 65535 in the DNS class field. The range keyword
specifies a range, and the eq keyword specifies an exact match.
To specify traffic that should not match, use the match not
command.
If you are matching directly in the inspection policy map, specify
the action for the match:
• drop [log]—Drops the packet. log also logs the packet.
• drop-connection [log]—Drops the packet and closes the
connection. log also logs the packet.
• enforce-tsig {[drop] [log]}—Enforces the TSIG resource
record in a message. drop drops a packet without the TSIG
resource record. log also logs the packet.
• log—Logs the packet.
Step 5
match {question | resource-record {answer | authority | additional}}
For direct match only:
{drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | log}
Example:
ciscoasa(config-pmap)# match resource-record answer
ciscoasa(config-pmap-c)# drop-connection
Matches a DNS question or resource record, where the question
keyword specifies the question portion of a DNS message. The
resource-record keyword specifies the resource record portion of
a DNS message; the answer keyword specifies the Answer RR
section; the authority keyword specifies the Authority RR
section; the additional keyword specifies the Additional RR
section.
To specify traffic that should not match, use the match not
command.
If you are matching directly in the inspection policy map, specify
the action for the match:
• drop [log]—Drops the packet. log also logs the packet.
• drop-connection [log]—Drops the packet and closes the
connection. log also logs the packet.
• enforce-tsig {[drop] [log]}—Enforces the TSIG resource
record in a message. drop drops a packet without the TSIG
resource record. log also logs the packet.
• log—Logs the packet.
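As an added example that is not part of the guide, the Step 4 and Step 5 matches combined in one DNS inspection policy map and attached to the ASA default global policy in place of the preset map; the map name dns-class-policy and the choice of actions are assumptions.

```cisco
! Added example (not from the guide); the map name is an assumption.
policy-map type inspect dns dns-class-policy
 ! Step 4: normal Internet DNS uses class IN only. Any other class value
 ! (for example CHAOS or HESIOD, or an arbitrary c_val) is dropped and
 ! the packet is logged for review.
 match not dns-class eq in
  drop log
 ! Step 5: messages that carry records in the Additional RR section are
 ! logged but allowed, so unexpected additional data is visible in syslog
 ! without breaking resolution (EDNS OPT records live in this section).
 match resource-record additional
  log
!
! Attach the map to the default global policy, replacing the preset map.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns dns-class-policy
!
service-policy global_policy global
```

Verify with show service-policy inspect dns, and watch the drop counters after applying the map: a high drop rate on the dns-class match usually means a misconfigured client rather than hostile traffic.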