AnyConnect: Filter DNS Replies with policy framework

ANDREAS LIEBE
Level 1

I'm trying to filter some FQDNs on an ASA firewall running 9.14 for specific AnyConnect groups (I need to make Jabber users go to Expressway without using split DNS).

It works well when I apply the filter to the global policy, but when I try to restrict it to a single tunnel-group, it fails.

regex CUPLOGIN "_cuplogin\._tcp\.example\.com"
regex CISCOUDS "_cisco-uds\._tcp\.example\.com"

class-map type regex match-any CM_Block_FQDN
 match regex CUPLOGIN
 match regex CISCOUDS

class-map type inspect dns match-all CM_Block_DNS_Queries
 match header-flag QR
 match question
 match domain-name regex class CM_Block_FQDN

policy-map type inspect dns dns_map_vpn
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
 class CM_Block_DNS_Queries
  drop log

class-map CM_VPN
 match tunnel-group myvpn

policy-map vpn_policy
 class CM_VPN
  inspect dns dns_map_vpn

The last command results in:

ERROR: This action cannot be configured with 'match tunnel-group'

Using a police command (e.g. police output 52428750 4000000) instead of inspect works.

Is it possible to make this work?
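As an added example (it is not part of the original post and not a reply from the thread): on the ASA, a Layer 3/4 class-map that uses match tunnel-group only accepts QoS actions such as police and priority, which is why inspect is rejected under CM_VPN while police is accepted. A way to get the same DNS inspection policy applied only to one group's clients is to classify them by the address range that tunnel-group assigns instead of by tunnel-group name. The configuration below reuses the dns_map_vpn policy-map from the post unchanged; the pool 10.20.30.0/24, the object and ACL names, and the outside interface are assumptions for illustration.

```cisco
! Added example, not from the original post. Assumes tunnel-group "myvpn"
! assigns client addresses from the (hypothetical) pool 10.20.30.0/24 and
! that AnyConnect client traffic enters the ASA on the "outside" interface.
!
! Classify the group's clients by their assigned address range; an
! access-list class permits inspection actions, unlike match tunnel-group.
object network VPN_POOL_MYVPN
 subnet 10.20.30.0 255.255.255.0

! Only UDP/53 is matched because dns_map_vpn has "no tcp-inspection".
access-list ACL_VPN_DNS extended permit udp object VPN_POOL_MYVPN any eq domain

class-map CM_VPN_DNS
 match access-list ACL_VPN_DNS

policy-map vpn_policy
 class CM_VPN_DNS
  inspect dns dns_map_vpn

! Attach to the interface the VPN clients arrive on; for matching traffic an
! interface policy takes precedence over the global policy's DNS inspection.
service-policy vpn_policy interface outside
```

After applying it, `show service-policy interface outside` shows the inspect counters for CM_VPN_DNS, and the drop log action in dns_map_vpn produces syslog messages when a reply for one of the blocked names is dropped; clients of other tunnel-groups, whose addresses fall outside the ACL, keep the global DNS inspection.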
