I'm trying to filter some FQDNs on an ASA firewall running 9.14 for specific AnyConnect groups. (I need to make Jabber users go to Expressway without using split DNS.)
It works well when I apply the filter to the global policy, but when I try to restrict it to a single tunnel-group it fails.
regex CUPLOGIN "_cuplogin\._tcp\.example\.com"
regex CISCOUDS "_cisco-uds\._tcp\.example\.com"
class-map type regex match-any CM_Block_FQDN
 match regex CUPLOGIN
 match regex CISCOUDS
class-map type inspect dns match-all CM_Block_DNS_Queries
 match header-flag QR
 match question
 match domain-name regex class CM_Block_FQDN
policy-map type inspect dns dns_map_vpn
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
 class CM_Block_DNS_Queries
  drop log
class-map CM_VPN
 match tunnel-group myvpn
policy-map vpn_policy
 class CM_VPN
  inspect dns dns_map_vpn
The last command results in:
ERROR: This action cannot be configured with 'match tunnel-group'
Using a police command (e.g. police output 52428750 4000000) instead of inspect works.
Is it possible to make this work?
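As an added illustration (not part of the post and not Cisco code), the following Python model evaluates the three predicates of the CM_Block_DNS_Queries class-map above against raw DNS messages: the QR header bit, the presence of a question section, and the question name against the two regexes. It assumes the ASA applies the predicates literally with RFC 1035 flag semantics (QR set means a response) and searches the regexes unanchored against the lowercase name; the sample messages are constructed inline.

```python
import re
import struct

# The two regex objects from the post, grouped as match-any CM_Block_FQDN.
CM_BLOCK_FQDN = [
    re.compile(r"_cuplogin\._tcp\.example\.com"),
    re.compile(r"_cisco-uds\._tcp\.example\.com"),
]

def parse_dns(msg: bytes):
    """Return (qr_bit_set, question_names) from a raw DNS message.
    Only the header and question section are decoded, which is all the
    class-map needs. Compressed question names are rejected."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qr = bool(flags & 0x8000)          # bit 15 of the flags word (RFC 1035)
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            length = msg[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compressed question name not supported")
            labels.append(msg[pos:pos + length].decode("ascii"))
            pos += length
        names.append(".".join(labels).lower())
        pos += 4                         # skip QTYPE and QCLASS
    return qr, names

def cm_block_dns_queries(msg: bytes) -> bool:
    """match-all: header-flag QR AND match question AND domain-name regex class."""
    qr, names = parse_dns(msg)
    return qr and bool(names) and any(
        r.search(n) for n in names for r in CM_BLOCK_FQDN)

def build_dns(name: str, response: bool, qtype: int = 33) -> bytes:
    """Constructed sample: header plus one SRV (type 33) question (assumption)."""
    flags = 0x8180 if response else 0x0100
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return hdr + q + b"\x00" + struct.pack("!HH", qtype, 1)
```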