I would recommend "show run all policy-map" to limit what you have to parse through. But Kingsley is right on track.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, February 08, 2011 1:47 AM
To: Pemasiri Devanarayana
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] DNS inspection on ASA

match protocol-enforcement is enabled by default. Issue "sh run all" to see it.

With regards
Kings

On Tue, Feb 8, 2011 at 12:16 PM, Kingsley Charles <[email protected]> wrote:

You can either use a new L7 policy map or the default DNS policy map. Whichever is first associated to the global policy will be in effect.

With regards
Kings

On Tue, Feb 8, 2011 at 2:35 AM, Pemasiri Devanarayana <[email protected]> wrote:

Hi,

When I want to inspect on id randomization and message format:

1) Should I create a new L7 policy-map or use the default policy-map preset_dns_map (policy-map type inspect dns preset_dns_map)?

2) If I use a different L7 policy-map I have to remove the existing dns inspection, which is also inspecting "message-length maximum 512" by default, and that will also be removed; in that case should I add message length max. 512 in the new L7 policy-map?

3) When I configure match protocol-enforcement, it does not show under the running configuration (show running-config policy-map). Is it a bug, or is it already in inspection by default?

policy-map type inspect dns PM7-DNS
 parameters
  id-randomization
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios

Appreciate all experts' correct solution.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
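Putting the three replies together, here is an added configuration example (not posted by anyone in the thread): the new L7 map PM7-DNS from the question, with the 512-byte limit restated because it no longer comes from preset_dns_map, protocol-enforcement made explicit, and the default DNS inspection swapped out in global_policy. The policy-map name comes from the original post; the rest assumes a standard ASA 8.x layout where global_policy is already applied with "service-policy global_policy global".

```cisco
! Added example, not the thread's own config. PM7-DNS is the map name from
! the question; assumes global_policy is already applied globally.
!
! New L7 DNS inspection map. Since it replaces preset_dns_map, the
! 512-byte limit that preset_dns_map enforces must be restated here,
! otherwise oversized UDP DNS messages are no longer dropped.
policy-map type inspect dns PM7-DNS
 parameters
  message-length maximum 512
  id-randomization
  protocol-enforcement
!
! Only one "inspect dns" can be active in the class, and the first one
! associated wins, so remove the default map before adding the new one.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns PM7-DNS
!
! Verification. "show running-config policy-map" hides parameters that
! are at their default value, so protocol-enforcement (on by default)
! only becomes visible with the "all" keyword:
!   show running-config all policy-map
!   show service-policy inspect dns
```

Check "show service-policy inspect dns" after the change to confirm the global policy is now counting packets against PM7-DNS rather than preset_dns_map.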
