You would like to use the ASA Firewall Umbrella Connector to enforce DNS policy with Umbrella. However you would also like to exclude certain IP addresses or subnets from using this policy. I recently had the need to do this, had a bit of trouble with the configuration, and could not find a good example. So I will document this for the community here.
Although the ASA Umbrella Connector reports the client IP addresses, and these show up in the Umbrella dashboard activity report, you cannot (as of this date) make policy decisions on the individual client address. You can only enforce policy on the network device. This means all traffic through the ASA Connector can match only one Umbrella policy. Therefore, to exclude any subnets or individual IP addresses, you must do it on the ASA so that the excluded clients' DNS traffic is never handed to the ASA Connector.
This opens up other Umbrella policy matching possibilities as well. Because this traffic is excluded from the ASA Connector, you could match it using a WLC Connector, or match it using the ASA's public IP address. Note that if you try to use the WLC Connector behind the ASA, the ASA Connector will override it, so you must use the method below to exclude those wireless subnets from the ASA Connector.
To filter by subnet or IP address, you must create a custom class-map with a match ACL on the ASA, remove the DNS inspection from the default global inspection class, and place that inspection under the new class. I found that if the match ACL does not restrict matches by protocol and port (UDP/53), the ACL matches every flow and this completely breaks the inspection engine: no DNS traffic will pass.
Solution
Here is an example of my working configuration, where the ACL first denies (excludes) the source subnet 192.168.32.0/24 and then permits all other DNS traffic on UDP port 53 into the DNS inspection engine.
Cisco Adaptive Security Appliance Software Version 9.14(1)
access-list EXCLUDE-UMBRELLA-NETS remark Bypass List for Umbrella URL Filtering
access-list EXCLUDE-UMBRELLA-NETS extended deny ip 192.168.32.0 255.255.255.0 any
access-list EXCLUDE-UMBRELLA-NETS extended permit udp any any eq domain
!
class-map MATCH-UMBRELLA-DNS
 description Match list for Umbrella DNS Filtering
 match access-list EXCLUDE-UMBRELLA-NETS
!
umbrella-global
 token C1C0EE42E3F616734BE9DDB942ABC645231EF08C
!
policy-map type inspect dns UMBRELLA-DNS
 parameters
  message-length maximum client auto
  message-length maximum 512
  umbrella tag ASA5506 Policy device-id 010acb0eb2811600
!
policy-map global_policy
 class MATCH-UMBRELLA-DNS
  inspect dns UMBRELLA-DNS
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
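As an added illustration (my own Python, not part of the original post and not Cisco code), the following models the ASA's top-down, first-match evaluation of the EXCLUDE-UMBRELLA-NETS ACL so you can check which flows the class-map MATCH-UMBRELLA-DNS would select, and why the protocol/port qualifier on the permit line matters. It assumes a simplified ACE of (action, protocol, source network, destination port); it is not an ASA emulator.

```python
import ipaddress

# Constructed model of the two ACEs from the post, in configured order.
# Fields: (action, protocol, source network, destination UDP/TCP port or None)
ACL = [
    ("deny", "ip", ipaddress.ip_network("192.168.32.0/24"), None),   # excluded subnet
    ("permit", "udp", ipaddress.ip_network("0.0.0.0/0"), 53),        # all other DNS
]

# The variant the post warns against: no protocol/port qualifier, so the
# class-map would pull every non-excluded flow into the DNS inspection.
ACL_UNQUALIFIED = [
    ("deny", "ip", ipaddress.ip_network("192.168.32.0/24"), None),
    ("permit", "ip", ipaddress.ip_network("0.0.0.0/0"), None),
]


def matches_class(src_ip, proto, dst_port, acl=ACL):
    """Return True if a flow would match a class-map bound to `acl`.

    ACEs are evaluated top-down; the first ACE whose protocol, source
    and destination port all fit decides the result.  Only a permit hit
    puts the flow in the class; a deny hit, or no hit at all (implicit
    deny), keeps the flow out of the class and thus out of the Umbrella
    DNS inspection.
    """
    src = ipaddress.ip_address(src_ip)
    for action, ace_proto, ace_src, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue                      # protocol does not fit this ACE
        if src not in ace_src:
            continue                      # source address does not fit
        if ace_port is not None and ace_port != dst_port:
            continue                      # destination port does not fit
        return action == "permit"         # first hit decides
    return False                          # implicit deny at end of ACL


def classify_flows(flows, acl=ACL):
    """Label each (src_ip, proto, dst_port) flow as inspected or not."""
    return [(flow, matches_class(*flow, acl=acl)) for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows: excluded-subnet DNS, normal DNS, and HTTPS.
    sample = [("192.168.32.10", "udp", 53), ("10.1.1.5", "udp", 53),
              ("10.1.1.5", "tcp", 443)]
    for flow, inspected in classify_flows(sample):
        print(flow, "-> Umbrella DNS inspection" if inspected else "-> bypass")
```

With the qualified ACL only non-excluded UDP/53 flows enter the class; with the unqualified variant even the HTTPS flow would be sent to the DNS inspection engine, which matches the breakage the post describes.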