Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual
2164 pages
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Inspection of Basic Internet Protocols
DNS Inspection
Step 4

Command:
    match [not] dns-class {eq {in | c_val} | range c_val1 c_val2}

    For direct match only:
    {drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | log}

Example:
    hostname(config-pmap)# match dns-class eq in
    hostname(config-pmap-c)# log

Purpose:
Matches a DNS class, either in (for Internet) or c_val, an arbitrary
value from 0 to 65535 in the DNS class field. The range keyword
specifies a range, and the eq keyword specifies an exact match.

To specify traffic that should not match, use the match not command.

If you are matching directly in the inspection policy map, specify
the action for the match:
• drop [log]—Drops the packet. log also logs the packet.
• drop-connection [log]—Drops the packet and closes the
  connection. log also logs the packet.
• enforce-tsig {[drop] [log]}—Enforces the TSIG resource
  record in a message. drop drops a packet without the TSIG
  resource record. log also logs the packet.
• log—Logs the packet.

Step 5

Command:
    match {question | resource-record {answer | authority | additional}}

    For direct match only:
    {drop [log] | drop-connection [log] | enforce-tsig {[drop] [log]} | log}

Example:
    hostname(config-pmap)# match resource-record answer
    hostname(config-pmap-c)# drop-connection

Purpose:
Matches a DNS question or resource record, where the question
keyword specifies the question portion of a DNS message. The
resource-record keyword specifies the resource record portion of
a DNS message; the answer keyword specifies the Answer RR
section; the authority keyword specifies the Authority RR
section; the additional keyword specifies the Additional RR
section.

To specify traffic that should not match, use the match not command.

If you are matching directly in the inspection policy map, specify
the action for the match:
• drop [log]—Drops the packet. log also logs the packet.
• drop-connection [log]—Drops the packet and closes the
  connection. log also logs the packet.
• enforce-tsig {[drop] [log]}—Enforces the TSIG resource
  record in a message. drop drops a packet without the TSIG
  resource record. log also logs the packet.
• log—Logs the packet.
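
The fields that Steps 4 and 5 match on, shown as an added Python example (not from the Cisco guide and not ASA code): it parses a raw DNS message and reports which criteria it would hit, so captured traffic can be checked before a drop action is enabled. The matching semantics are assumptions: dns-class is tested against the question's class, a resource-record section matches when it is non-empty, and the names criteria, parse_dns and CHAOS_QUERY are hypothetical.

```python
import struct

IN, TSIG = 1, 250  # DNS class IN; RR type TSIG (RFC 8945)
SECTIONS = ("answer", "authority", "additional")

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:             # zero-length root label ends the name
            return off

def parse_dns(msg):
    """Return {section: [(type, class), ...]} for all four message sections."""
    counts = struct.unpack_from("!4H", msg, 4)   # QDCOUNT ANCOUNT NSCOUNT ARCOUNT
    out, off = {"question": []}, 12
    for _ in range(counts[0]):
        off = _skip_name(msg, off)
        out["question"].append(struct.unpack_from("!2H", msg, off))
        off += 4
    for name, count in zip(SECTIONS, counts[1:]):
        out[name] = []
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
            out[name].append((rtype, rclass))
            off += 10 + rdlen
    return out

def criteria(msg, c_lo=IN, c_hi=None):
    """Which of the page's match criteria a message hits (assumed semantics)."""
    p = parse_dns(msg)
    c_hi = c_lo if c_hi is None else c_hi
    hits = {f"resource-record {s}": bool(p[s]) for s in SECTIONS}
    hits["question"] = bool(p["question"])
    # Assumption: the class test applies to the question's class field.
    hits["dns-class"] = any(c_lo <= c <= c_hi for _t, c in p["question"])
    hits["has-tsig"] = any(t == TSIG for t, _c in p["additional"])
    return hits

# Constructed sample: query for version.bind, type TXT (16), class CH (3).
CHAOS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
               + b"\x07version\x04bind\x00" + struct.pack("!2H", 16, 3))

if __name__ == "__main__":
    print(criteria(CHAOS_QUERY))          # models: match dns-class eq in
    print(criteria(CHAOS_QUERY, 2, 255))  # models: match dns-class range 2 255
```

A truncated or malformed message raises struct.error or IndexError rather than returning a result, so callers should treat an exception as "unparseable".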