https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015301#M402963 <P>Hi</P><P>I need to remove one host from dns inspection on ASA fw. Currently there is global policy with default inspection :</P><P></P><P><SPAN style="font-family: 'courier new', courier;">class-map inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> match default-inspection-traffic</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">policy-map type inspect dns preset_dns_map</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> parameters</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; message-length maximum 512</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">policy-map global_policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; inspect dns preset_dns_map </SPAN></P><P></P><P>So I created new ACL and&nbsp; match it to new class-map which I included into global policy&nbsp; :</P><P></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect deny ip host x.x.x.x any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect permit ip any any</SPAN></P><P></P><P><SPAN style="font-family: 'courier new', courier;">class-map class_dns_inspect</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> match access-list acl_dns_inspect</SPAN></P><P></P><P><SPAN style="font-family: 'courier new', courier;">policy-map global_policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; inspect ftp </SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; ...</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class class_dns_inspect</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; inspect dns preset_dns_map</SPAN></P><P></P><P>Soon after that I realized this was not so good idea when I was not able to reach anything <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN>. Probably if I'm not mistaken I have matched all ip traffic and send it for dns inspection which had dropped it all. </P><P>I assuming that it should be only tcp/udp port 53. So will the ACL bellow do the same thing as would match default-inspection-traffic do ( without the denied IP af course ) ?</P><P></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect deny tcp host x.x.x.x any eq 53</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect deny udp host x.x.x.x any eq 53</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect permit tcp ip any any eq 53</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect permit tcp any any eq 53</SPAN></P><P></P><P>Many thanks </P> Tue, 12 Mar 2019 00:07:51 GMT samuel.olach 2019-03-12T00:07:51Z https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015301#M402963 <P>Hi</P><P>I need to remove one host from dns inspection on ASA fw. Currently there is global policy with default inspection :</P><P></P><P><SPAN style="font-family: 'courier new', courier;">class-map inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> match default-inspection-traffic</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">policy-map type inspect dns preset_dns_map</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> parameters</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; message-length maximum 512</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">policy-map global_policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; inspect dns preset_dns_map </SPAN></P><P></P><P>So I created new ACL and&nbsp; match it to new class-map which I included into global policy&nbsp; :</P><P></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect deny ip host x.x.x.x any</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect permit ip any any</SPAN></P><P></P><P><SPAN style="font-family: 'courier new', courier;">class-map class_dns_inspect</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> match access-list acl_dns_inspect</SPAN></P><P></P><P><SPAN style="font-family: 'courier new', courier;">policy-map global_policy</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class inspection_default</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; inspect ftp </SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; ...</SPAN></P><P><SPAN style="font-family: 'courier new', courier;"> class class_dns_inspect</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp;&nbsp; inspect dns preset_dns_map</SPAN></P><P></P><P>Soon after that I realized this was not so good idea when I was not able to reach anything <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN>. Probably if I'm not mistaken I have matched all ip traffic and send it for dns inspection which had dropped it all. </P><P>I assuming that it should be only tcp/udp port 53. So will the ACL bellow do the same thing as would match default-inspection-traffic do ( without the denied IP af course ) ?</P><P></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect deny tcp host x.x.x.x any eq 53</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect deny udp host x.x.x.x any eq 53</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect permit tcp ip any any eq 53</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">access-list acl_dns_inspect permit tcp any any eq 53</SPAN></P><P></P><P>Many thanks </P> Tue, 12 Mar 2019 00:07:51 GMT https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015301#M402963 samuel.olach 2019-03-12T00:07:51Z https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015302#M402967 <HTML><HEAD></HEAD><BODY><P> Hello Samuel,</P><P></P><P>You can do the following . .I am taking the host you do not want to do inspection as 192.168.1.20 in this&nbsp; example</P><P></P><P></P><P>access-list dns line 1 extended deny udp host 192.168.1.20 any eq domain </P><P>access-list dns line 2 extended permit udp any any eq domain</P><P></P><P>class-map dns</P><P> match access-list dns</P><P></P><P>policy-map global_policy</P><P>class inspection_default</P><P>no inspect dns preset_dns_map </P><P>class dns</P><P> inspect dns</P><P></P><P>Verify your configuration in ' sho service-policy inspect dns' where you should not get hit when you are trying from 192.168.1.20</P><P></P><P>regards</P><P>Harish</P><P>Please rate if it was helpful!</P></BODY></HTML> Fri, 12 Oct 2012 07:02:18 GMT https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015302#M402967 Harish Balakrishnan 2012-10-12T07:02:18Z https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015303#M402972 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>Yes, this worked perfectly.</P><P>Thanks</P></BODY></HTML> Mon, 22 Oct 2012 09:05:18 GMT https://community.cisco.com/t5/network-security/dns-inspect-on-asa/m-p/2015303#M402972 samuel.olach 2012-10-22T09:05:18Z