Name: Cisco ASA 5506-X
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

13-2

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 13 Inspection of Basic Internet Protocols

DNS Inspection

DNS Inspection Actions

DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:

• Translate the DNS record based on the NAT configuration. For more information, see DNS and NAT,

page 10-21.

• Enforce message length, domain-name length, and label length.

• Verify the integrity of the domain-name referred to by the pointer if compression pointers are

encountered in the DNS message.

• Check to see if a compression pointer loop exists.

• Inspect packets based on the DNS header, type, class and more.

Defaults for DNS Inspection

DNS inspection is enabled by default, using the preset_dns_map inspection class map:

• The maximum DNS message length is 512 bytes.

• The maximum client DNS message length is automatically set to match the Resource Record.

• DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as

soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to

ensure that the ID of the DNS reply matches the ID of the DNS query.

• Translation of the DNS record based on the NAT configuration is enabled.

• Protocol enforcement is enabled, which enables DNS message format check, including domain

name length of no more than 255 characters, label length of 63 characters, compression, and looped

pointer check.

See the following default DNS inspection commands:

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

dns-guard

protocol-enforcement

nat-rewrite

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

! ...

service-policy global_policy global

Configure DNS Inspection

DNS inspection is enabled by default. You need to configure it only if you want non-default processing.

If you want to customize DNS inspection, use the following process.

Other manuals for Cisco ASA 5506-X

Quick Start Guide14 pages

Easy Setup Guide11 pages

Installation Guide46 pages

Software Guide37 pages

Hardware Installation Guide52 pages

Mount And Connect12 pages

Mount The Chassis10 pages

Questions and Answers:

Need help?

Do you have a question about the Cisco ASA 5506-X and is the answer not in the manual?

Cisco ASA 5506-X Specifications

General

Model	ASA 5506-X
Firewall Throughput	750 Mbps
Maximum Firewall Connections	50, 000
Maximum VPN Peers	50
Integrated Ports	8 x 1 GE
Stateful Inspection Throughput	750 Mbps
Weight	4.4 lb (2 kg)
Firewall Throughput (Multiprotocol)	750 Mbps
Firewall Throughput (Application Visibility and Control AVC)	250 Mbps
Concurrent Sessions	50, 000
New Connections per Second	10, 000
IPsec VPN Throughput	100 Mbps
Interfaces	8 x 1 GE
Memory	4 GB
Flash Memory	8 GB
Form Factor	Desktop
VPN Throughput	100 Mbps
Maximum Concurrent Sessions	50, 000
New Sessions per Second	10, 000
Operating Temperature	32 to 104°F (0 to 40°C)
Storage Temperature	-13 to 158°F (-25 to 70°C)
Power Supply	External
Humidity	10% to 90% non-condensing