Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)
policy map is that you can create more complex match criteria and you can reuse class maps.
However, you cannot set different actions for different matches. Note: Not all inspections support
inspection class maps.
Parameters—Parameters affect the behavior of the inspection engine.
Guidelines and Limitations
HTTP inspection policy maps—If you modify an in-use HTTP inspection policy map, you must
remove and reapply the inspection policy map action for the changes to take effect. For example, if
you modify the “http-map” inspection policy map, you must remove it from the service policy, apply
the changes, and re-add the inspection policy map to the service policy.
All inspection policy maps—If you want to exchange an in-use inspection policy map for a different
map name, you must remove the old map, apply changes, and re-add the new inspection policy map to
the service policy.
You can specify multiple inspection class maps or direct matches in the inspection policy map.
If a packet matches multiple different matches, then the order in which the ASA applies the actions
is determined by internal ASA rules, and not by the order they are added to the inspection policy
map. The internal rules are determined by the application type and the logical progression of parsing
a packet, and are not user-configurable. For example, for HTTP traffic, parsing a Request Method
field precedes parsing the Header Host Length field; an action for the Request Method field occurs
before the action for the Header Host Length field.
If an action drops a packet, then no further actions are performed in the inspection policy map. For
example, if the first action is to reset the connection, then it will never match any further match
criteria. If the first action is to log the packet, then a second action, such as resetting the connection,
can occur.
If a packet matches multiple match criteria that are the same, then they are matched in the order they
appear in the policy map.
A class map is determined to be the same type as another class map or direct match based on the
lowest priority match option in the class map (the priority is based on the internal rules). If a class
map has the same type of lowest priority match option as another class map, then the class maps are
matched according to the order they are added to the policy map. If the lowest priority match for
each class map is different, then the class map with the higher priority match option is matched first.
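The following ASA CLI configuration is an added example, not taken from this guide, that ties the two points above together: the remove-and-re-add caveat for an in-use HTTP inspection policy map, and the rule that action order follows the internal parsing order rather than the order in which matches are configured. The names http-class, http-map and the length threshold are constructed for illustration; global_policy and inspection_default are the ASA's default service policy names.

```cisco
! Added example (not from the guide): an HTTP inspection policy map with one
! inspection class map and one direct match.
class-map type inspect http match-all http-class
 match request method get
!
policy-map type inspect http http-map
 parameters
  protocol-violation action drop-connection log
 class http-class
  log
 match request header host length gt 255
  reset log
!
policy-map global_policy
 class inspection_default
  inspect http http-map
!
service-policy global_policy global
!
! After editing an in-use http-map, remove and re-add the inspect action so
! the change takes effect (the HTTP caveat in Guidelines and Limitations):
policy-map global_policy
 class inspection_default
  no inspect http http-map
  inspect http http-map
```

Because the Request Method field is parsed before the Host header length, the ASA evaluates the class-map action (log) before the direct match (reset), even though the direct match could have been configured first. Since the first action only logs, a packet that also carries an oversized Host header still reaches the reset action; if the class-map action were changed to reset, the second match would never be evaluated for that packet.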
Default Inspection Policy Maps
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
The maximum DNS message length is 512 bytes.
The maximum client DNS message length is automatically set to match the Resource Record.
DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as
soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to
ensure that the ID of the DNS reply matches the ID of the DNS query.
Translation of the DNS record based on the NAT configuration is enabled.
Protocol enforcement is enabled, which enables DNS message format check, including domain
name length of no more than 255 characters, label length of 63 characters, compression, and looped
pointer check.