Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
DNS Inspection
• Enforce TSIG: Requires a TSIG resource record to be present.
– Do not enforce
– Drop packet
– Log
– Drop packet and log
Not all combinations are valid for all matching criteria. For example, you can configure both Mask and
Enforce TSIG together only for the Criterion: Header Flag option.
Step 4 For Multiple matches, if you predefined a class map on the Configuration > Firewall > Objects > Class
Maps > DNS pane, you can select it from the drop-down list, set the Actions, and click OK.
To add a new class map:
a. Click Manage.
The Manage DNS Class Maps dialog box appears.
b. Click Add.
The Add DNS Traffic Class Map dialog box appears.
c. Click Add.
The Add DNS Match Criterion dialog box appears.
The match criteria are the same for a class map or for single matches; the following steps apply to
both methods. The only difference is that you do not set an Action for each criterion in a class map.