Cisco PIX 500 Series Configuration Manual page 486

Security appliance command line
DNS Inspection
c.
(Optional) To match a specific flag that is set in the DNS header, enter the following command:
hostname(config-cmap)# match [not] header-flag [eq] { f_well_known | f_value }
Where the f_well_known argument is the DNS flag bit. The f_value argument is the 16-bit value in
hex. The eq keyword specifies an exact match.
d.
(Optional) To match a DNS type, including Query type and RR type, enter the following command:
hostname(config-cmap)# match [not] dns-type {eq t_well_known | t_val } {range t_val1 t_val2 }
Where the t_well_known argument is the DNS flag bit. The t_val arguments are arbitrary values in
the DNS type field (0-65535). The range keyword specifies a range and the eq keyword specifies
an exact match.
e.
(Optional) To match a DNS class, enter the following command:
hostname(config-cmap)# match [not] dns-class {eq c_well_known | c_val } {range c_val1 c_val2 }
Where the c_well_known argument is the DNS class. The c_val arguments are arbitrary values in
the DNS class field. The range keyword specifies a range and the eq keyword specifies an exact
match.
f.
(Optional) To match a DNS question or resource record, enter the following command:
hostname(config-cmap)# match {question | {resource-record answer | authority | additional}}
Where the question keyword specifies the question portion of a DNS message. The
resource-record keyword specifies the resource record portion of a DNS message. The answer
keyword specifies the Answer RR section. The authority keyword specifies the Authority RR
section. The additional keyword specifies the Additional RR section.
g.
(Optional) To match a DNS message domain name list, enter the following command:
hostname(config-cmap)# match [not] domain-name {regex regex_id | regex class class_id}
Where the regex regex_id argument is the regular expression you created in Step 1. The class
class_id argument is the regular expression class map you created in Step 2.
Step 4
To create a DNS inspection policy map, enter the following command:
hostname(config)# policy-map type inspect dns policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 5
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
To apply actions to matching traffic, perform the following steps.
Step 6
Specify the traffic on which you want to perform actions using one of the following methods:
a.
Specify the DNS class map that you created in Step 3 by entering the following command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
Alternatively, specify traffic directly in the policy map using one of the match commands
described in Step 3. If you use a match not command, then any traffic that does not match the
criterion in the match not command has the action applied.

Chapter 25 Configuring Application Layer Protocol Inspection
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
25-22
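As an added illustration (not part of the Cisco guide), the following Python parses a constructed DNS query and evaluates the kinds of criteria the match header-flag, dns-type/dns-class range and domain-name regex commands above express, so the wire fields each criterion inspects are visible. The sample message, the flag table and the treatment of a single flag without eq as "that bit is set" are assumptions made here, not the appliance's documented semantics.

```python
import re
import struct

# Constructed sample: a standard query for www.example.com, QTYPE A (1), QCLASS IN (1),
# with only the RD bit (0x0100) set in the 16-bit flags word of the header.
SAMPLE_QUERY = (
    b"\x12\x34"                      # ID
    b"\x01\x00"                      # flags: QR=0, opcode=0, RD=1
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x07example\x03com\x00"  # QNAME
    b"\x00\x01"                      # QTYPE = A
    b"\x00\x01"                      # QCLASS = IN
)

# Well-known header flag bits (assumed table), keyed the way f_well_known names them.
HEADER_FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}

def parse_question(msg):
    """Return (flags, qname, qtype, qclass) from the first question of a DNS message."""
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12            # question section starts after the 12-byte header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:           # compression pointers do not occur in a query QNAME
            raise ValueError("compression pointer in QNAME not supported")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return flags, ".".join(labels), qtype, qclass

def match_header_flag(flags, wanted, eq=False):
    """match header-flag [eq] value: with eq the whole flags word must equal the
    value; without eq (assumption here) the named flag's bit must be set."""
    wanted = HEADER_FLAGS.get(wanted, wanted)
    return flags == wanted if eq else (flags & wanted) == wanted

def match_range(value, low, high):
    """match dns-type / dns-class range low high: inclusive range over 0-65535."""
    return low <= value <= high

def match_domain_name(qname, pattern):
    """match domain-name regex: unanchored regular-expression search over the QNAME."""
    return re.search(pattern, qname) is not None
```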