Cisco Systems ASA 5580, ASA 5505 manual Guidelines and Limitations, Default Inspection Policy Maps

Chapter 2 Configuring Special Actions for Application Inspections (Inspection Policy Map)

Guidelines and Limitations

policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches. Note: Not all inspections support inspection class maps.

•Parameters—Parameters affect the behavior of the inspection engine.

Guidelines and Limitations

•HTTP inspection policy maps—If you modify an in-use HTTP inspection policy map, you must remove and reapply the inspection policy map action for the changes to take effect. For example, if you modify the “http-map” inspection policy map, you must remove, apply changes, and readd the inspection policy map to the service policy.

•All inspection policy maps—If you want to exchange an in-use inspection policy map for a different map name, you must remove, apply changes, and readd the new inspection policy map to the service policy.

•You can specify multiple inspection class maps or direct matches in the inspection policy map.

If a packet matches multiple different matches, then the order in which the ASA applies the actions is determined by internal ASA rules, and not by the order they are added to the inspection policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user-configurable. For example for HTTP traffic, parsing a Request Method field precedes parsing the Header Host Length field; an action for the Request Method field occurs before the action for the Header Host Length field.

If an action drops a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to reset the connection, then it will never match any further match criteria. If the first action is to log the packet, then a second action, such as resetting the connection, can occur.

If a packet matches multiple match criteria that are the same, then they are matched in the order they appear in the policy map.

A class map is determined to be the same type as another class map or direct match based on the lowest priority match option in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match option as another class map, then the class maps are matched according to the order they are added to the policy map. If the lowest priority match for each class map is different, then the class map with the higher priority match option is matched first.

Default Inspection Policy Maps

DNS inspection is enabled by default, using the preset_dns_map inspection class map:

•The maximum DNS message length is 512 bytes.

•The maximum client DNS message length is automatically set to match the Resource Record.

•DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

•Translation of the DNS record based on the NAT configuration is enabled.

•Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.

Cisco ASA Series Firewall ASDM Configuration Guide

2-2