Cisco PIX 500 Series Configuration Manual page 487
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 25
Configuring Application Layer Protocol Inspection
Specify the action you want to perform on the matching traffic by entering the following command:
b.
hostname(config-pmap-c)# {[drop [send-protocol-error] |
drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate }
Not all options are available for each match or class command. See the CLI help or the Cisco
Security Appliance Command Reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server
and/or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log
message.
The rate-limit message_rate argument limits the rate of messages.
You can specify multiple class or match commands in the policy map. For information about the order
of class and match commands, see the
page
21-11.
To configure parameters that affect the inspection engine, perform the following steps:
Step 7
To enter parameters configuration mode, enter the following command:
a.
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
To randomize the DNS identifier for a DNS query, enter the following command:
b.
hostname(config-pmap-p)# id-randomization
To enable logging for excessive DNS ID mismatches, enter the following command:
c.
hostname(config-pmap-p)# id-mismatch [count number duration seconds ] action log
Where the count string argument specifies the maximum number of mismatch instances before a
system message log is sent. The duration seconds specifies the period, in seconds, to monitor.
To require a TSIG resource record to be present, enter the following command:
d.
hostname(config-pmap-p)# tsig enforced action {drop [log] | [log}
Where the count string argument specifies the maximum number of mismatch instances before a
system message log is sent. The duration seconds specifies the period, in seconds, to monitor.
The following example shows a how to define a DNS inspection policy map.
hostname(config)# regex domain_example "example\.com"
hostname(config)# regex domain_foo "foo\.com"
hostname(config)# ! define the domain names that the server serves
hostname(config)# class-map type inspect regex match-any my_domains
hostname(config-cmap)# match regex domain_example
hostname(config-cmap)# match regex domain_foo
hostname(config)# ! Define a DNS map for query only
hostname(config)# class-map type inspect dns match-all pub_server_map
OL-12172-03
"Defining Actions in an Inspection Policy Map" section on
Cisco Security Appliance Command Line Configuration Guide
DNS Inspection
25-23
Advertisement
Table of Contents
Troubleshooting
