Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2493
Views
0
Helpful
2
Replies

dns inspect on ASA

Go to solution
samuel.olach
Level 1
Level 1

ā€Ž10-11-2012 07:40 AM - edited ā€Ž03-11-2019 05:07 PM

Hi

I need to remove one host from dns inspection on ASA fw. Currently there is global policy with default inspection :

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

   message-length maximum 512

policy-map global_policy

class inspection_default

   inspect dns preset_dns_map

So I created new ACL and  match it to new class-map which I included into global policy  :

access-list acl_dns_inspect deny ip host x.x.x.x any

access-list acl_dns_inspect permit ip any any

class-map class_dns_inspect

match access-list acl_dns_inspect

policy-map global_policy

class inspection_default

   inspect ftp

   ...

class class_dns_inspect

   inspect dns preset_dns_map

Soon after that I realized this was not so good idea when I was not able to reach anything . Probably if I'm not mistaken I have matched all ip traffic and send it for dns inspection which had dropped it all.

I assuming that it should be only tcp/udp port 53. So will the ACL bellow do the same thing as would match default-inspection-traffic do ( without the denied IP af course ) ?

access-list acl_dns_inspect deny tcp host x.x.x.x any eq 53

access-list acl_dns_inspect deny udp host x.x.x.x any eq 53

access-list acl_dns_inspect permit tcp ip any any eq 53

access-list acl_dns_inspect permit tcp any any eq 53

Many thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Harish Balakrishnan
Spotlight
Spotlight

ā€Ž10-12-2012 12:02 AM

Hello Samuel,

You can do the following . .I am taking the host you do not want to do inspection as 192.168.1.20 in this  example

access-list dns line 1 extended deny udp host 192.168.1.20 any eq domain

access-list dns line 2 extended permit udp any any eq domain

class-map dns

match access-list dns

policy-map global_policy

class inspection_default

no inspect dns preset_dns_map

class dns

inspect dns

Verify your configuration in ' sho service-policy inspect dns' where you should not get hit when you are trying from 192.168.1.20

regards

Harish

Please rate if it was helpful!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Harish Balakrishnan
Spotlight
Spotlight

ā€Ž10-12-2012 12:02 AM

Hello Samuel,

You can do the following . .I am taking the host you do not want to do inspection as 192.168.1.20 in this  example

access-list dns line 1 extended deny udp host 192.168.1.20 any eq domain

access-list dns line 2 extended permit udp any any eq domain

class-map dns

match access-list dns

policy-map global_policy

class inspection_default

no inspect dns preset_dns_map

class dns

inspect dns

Verify your configuration in ' sho service-policy inspect dns' where you should not get hit when you are trying from 192.168.1.20

regards

Harish

Please rate if it was helpful!

0 Helpful

Go to solution
samuel.olach
Level 1
Level 1
In response to Harish Balakrishnan

ā€Ž10-22-2012 02:05 AM

Hi

Yes, this worked perfectly.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card