Cisco Systems OL-16647-01 Network Router User Manual


24-64
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
Inspect Map Field Descriptions
High
  Pinhole timeout: 00:01:00
  Endpoint mapper service: enforced
  Endpoint mapper service lookup: disabled
Default Level—Sets the security level back to the default level of Medium.
Details—Shows the Parameters to configure additional settings.
Pinhole Timeout—Sets the pinhole timeout. Because a client may use the server information
returned by the endpoint mapper for multiple connections, the timeout value is configurable to
suit the client application environment. Range is from 0:0:1 to 1193:0:0 (hh:mm:ss). Default is
2 minutes.
Enforce endpoint-mapper service—Enforces use of the endpoint mapper service during binding, so
that only endpoint mapper service traffic is processed on the inspected port.
Enable endpoint-mapper service lookup—Enables inspection of the lookup operation of the endpoint
mapper service. If the lookup operation is enabled but no service lookup timeout is enforced,
pinholes opened for lookup responses use the pinhole timeout.
Enforce Service Lookup Timeout—Enforces the service lookup timeout specified below.
Service Lookup Timeout—Sets the timeout for pinholes opened as a result of a lookup operation.
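To make the interaction of these settings concrete, here is an added example, written for this edit rather than taken from Cisco or from the ASA implementation: a small Python model of the policy the fields above describe. The endpoint mapper port (135) and its interface UUID are real protocol constants; the DcerpcInspector class, its method names, the caller-supplied clock, and the rule that lookup replies only open pinholes when lookup inspection is enabled are assumptions of this model.

```python
# Added example: a policy model of the DCERPC inspect-map parameters (not Cisco code).
# Times are plain seconds supplied by the caller so the behaviour is reproducible.

EPM_PORT = 135                                          # endpoint mapper listens here
EPM_IFACE = "e1af8308-5d1f-11c9-91a4-08002b14a0fa"      # endpoint mapper interface UUID
MIN_TIMEOUT, MAX_TIMEOUT = 1, 1193 * 3600               # configurable range 0:0:1 .. 1193:0:0


def hms(text):
    """Convert an hh:mm:ss timeout string to seconds, enforcing the configurable range."""
    h, m, s = (int(part) for part in text.split(":"))
    secs = h * 3600 + m * 60 + s
    if not MIN_TIMEOUT <= secs <= MAX_TIMEOUT:
        raise ValueError("timeout %s outside 0:0:1..1193:0:0" % text)
    return secs


class DcerpcInspector:
    """Model of the inspector state: which dynamic endpoints a client may currently reach."""

    def __init__(self, pinhole_timeout="00:02:00", epm_service_only=False,
                 lookup_operation=False, enforce_lookup_timeout=False, lookup_timeout="00:05:00"):
        self.pinhole_timeout = hms(pinhole_timeout)
        self.epm_service_only = epm_service_only
        self.lookup_operation = lookup_operation
        # Service lookup timeout applies only when enforced; otherwise the pinhole timeout is used.
        self.lookup_timeout = hms(lookup_timeout) if enforce_lookup_timeout else None
        self.pinholes = {}        # (client, server, port) -> expiry time in seconds

    def on_bind(self, client, server, port, iface_uuid, now):
        """A DCERPC bind request. With enforcement on, only the endpoint mapper interface
        may be bound on the mapper port; any other port needs a live pinhole."""
        if port == EPM_PORT:
            return not self.epm_service_only or iface_uuid.lower() == EPM_IFACE
        return self.allowed(client, server, port, now)

    def on_epm_response(self, client, server, port, now, from_lookup=False):
        """The mapper told the client where a service lives: open a pinhole to it.
        Model assumption: lookup replies open pinholes only when lookup inspection is on."""
        if from_lookup and not self.lookup_operation:
            return False
        use_lookup = from_lookup and self.lookup_timeout is not None
        ttl = self.lookup_timeout if use_lookup else self.pinhole_timeout
        self.pinholes[(client, server, port)] = now + ttl
        return True

    def allowed(self, client, server, port, now):
        """A new connection to a dynamic endpoint is permitted only through a live pinhole.
        A client reusing a cached mapper answer after the timeout is dropped."""
        expiry = self.pinholes.get((client, server, port))
        if expiry is None:
            return False
        if now >= expiry:
            del self.pinholes[(client, server, port)]   # pinhole timed out
            return False
        return True
```

The point the pinhole timeout field makes is visible in `allowed`: the same client may open several connections to the mapped port while the pinhole is live, but once the timeout passes a further connection built on the cached mapper answer is dropped, which is why the value is tuned per client environment.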
Modes
The following table shows the modes in which this feature is available:

Firewall Mode            Security Context
Routed   Transparent     Single   Multiple Context   Multiple System
  •          •             •             •
DNS Inspect Map
The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets
you change the default configuration values used for DNS application inspection.
DNS application inspection supports DNS message controls that provide protection against DNS
spoofing and cache poisoning. User-configurable rules allow particular DNS record types to be
allowed, dropped, and/or logged while others are blocked; zone transfers between servers can be
restricted this way, for example.
The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a
public server from attack if that server only supports a particular internal zone. In addition,
DNS ID randomization can be enabled to guard against spoofing and cache poisoning of servers that
either do not randomize the transaction ID or use a weak pseudo-random number generator. Limiting
the domain names that can be queried protects the public server further.
A configurable DNS mismatch alert can be used as notification when an excessive number of
mismatching DNS responses are received, which could indicate a cache poisoning attack. A
configurable check that enforces a Transaction Signature (TSIG) on all DNS messages is also
supported.
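The controls described above, as an added example written for this edit (not Cisco code, and not how the ASA implements them): a Python model that rewrites the transaction ID of each query to an unpredictable value and restores the original in the matching reply, counts replies that match no outstanding query and raises an alert above a threshold, masks the RD and RA flags, restricts the domains that may be queried, and can require a TSIG record in the additional section of a reply. The DnsInspector class, its outbound/inbound methods, the message builders and the sample names and addresses are constructed for the example; the DNS wire format and the TSIG record type (250) are standard.

```python
# Added example: a model of the DNS inspect-map message controls (not Cisco code).
import secrets
import struct

TSIG_TYPE = 250        # RR type of a Transaction Signature record
FLAG_QR = 0x8000       # header flag: message is a response
FLAG_RD = 0x0100       # header flag: Recursion Desired
FLAG_RA = 0x0080       # header flag: Recursion Available

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (lowercased name, offset after it), following 0xC0xx compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)

def parse(msg):
    """Return (txid, flags, [(qname, qtype)], [rtype of each additional-section RR])."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, additional = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                       # QTYPE + QCLASS
    for i in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an + ns:
            additional.append(rtype)
    return txid, flags, questions, additional

def build_query(txid, qname, qtype=1, rd=True):
    """Constructed client query: one question, class IN."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(query, ipv4, tsig=False):
    """Constructed server reply: echoed question, one A record, optional TSIG RR."""
    txid, flags, questions, _ = parse(query)
    qname, qtype = questions[0]
    hdr = struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_RA, 1, 1, 0, int(tsig))
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(ipv4)  # owner: pointer to question
    if tsig:  # placeholder TSIG RR (class ANY, TTL 0); the rdata is a dummy, not a real MAC
        rdata = b"\x00" * 16
        msg += encode_name("key.example") + struct.pack("!HHIH", TSIG_TYPE, 255, 0, len(rdata)) + rdata
    return msg

class DnsInspector:
    """Inspector sitting between clients and a DNS server (a model, not ASA internals)."""
    def __init__(self, mismatch_threshold=3, randomize_id=True, mask_rd_ra=False,
                 require_tsig=False, allowed_suffixes=()):
        self.mismatch_threshold, self.randomize_id = mismatch_threshold, randomize_id
        self.mask_rd_ra, self.require_tsig = mask_rd_ra, require_tsig
        self.allowed_suffixes = tuple(s.lower().strip(".") for s in allowed_suffixes)
        self.pending = {}        # (txid on the wire, qname, qtype) -> client's original txid
        self.mismatches, self.alerts = 0, []

    def outbound(self, msg):
        """Query from client toward server; returns the rewritten query, or None if dropped."""
        txid, flags, questions, _ = parse(msg)
        qname, qtype = questions[0]
        if self.allowed_suffixes and not any(qname == s or qname.endswith("." + s)
                                             for s in self.allowed_suffixes):
            return None                                # domain may not be queried
        new_id = txid
        while self.randomize_id and (new_id == txid or (new_id, qname, qtype) in self.pending):
            new_id = secrets.randbelow(65536)          # unpredictable ID, unique among pending
        if self.mask_rd_ra:
            flags &= ~FLAG_RD
        self.pending[(new_id, qname, qtype)] = txid
        return struct.pack("!HH", new_id, flags) + msg[4:]

    def inbound(self, msg):
        """Reply from server toward client; returns it with the original ID, or None."""
        txid, flags, questions, additional = parse(msg)
        key = (txid, questions[0][0], questions[0][1]) if questions else None
        if key not in self.pending:                    # ID or question matches no outstanding query
            self.mismatches += 1
            if self.mismatches >= self.mismatch_threshold:
                self.alerts.append("%d mismatched DNS responses" % self.mismatches)
            return None
        if self.require_tsig and TSIG_TYPE not in additional:
            return None                                # unsigned reply dropped; query stays pending
        if self.mask_rd_ra:
            flags &= ~FLAG_RA
        return struct.pack("!HH", self.pending.pop(key), flags) + msg[4:]
```

A reply is only accepted when both the transaction ID and the question match an outstanding query, which is what makes the randomized ID useful against a spoofer who never saw the query; every reply that fails that match feeds the mismatch counter behind the alert.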
Fields
DNS Inspect Maps—Table that lists the defined DNS inspect maps.