Here is what Kingsley might be referring to:

    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
      no message-length maximum server
      no message-length maximum client
      dns-guard
      protocol-enforcement
      *nat-rewrite*
      no id-randomization
      no id-mismatch
      no tsig enforced

On Sat, Feb 26, 2011 at 7:01 AM, Kingsley Charles <[email protected]> wrote:

> Yes it is required.
>
> Snippet from
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632
>
> When DNS inspection is enabled, which is the default, the security
> appliance performs the following additional tasks:
>
> • Translates the DNS record based on the configuration completed using the
> *alias*, *static* and *nat* commands (DNS Rewrite). Translation only
> applies to the A-record in the DNS reply; therefore, DNS Rewrite does not
> affect reverse lookups, which request the PTR record
>
> With regards
> Kings
>
> On Sat, Feb 26, 2011 at 2:05 AM, Pemasiri Devanarayana <[email protected]> wrote:
>
>> Hi,
>>
>> When we configure DNS doctoring in the ASA, do we still need to inspect
>> DNS as follows:
>>
>> policy-map global_insp
>>  class inspection_default
>>   inspect dns
>>
>> thanks
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
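The two pieces discussed in this thread, shown together as an added example that is not part of the original messages: a static NAT entry carrying the `dns` keyword, and DNS inspection with `nat-rewrite` applied through the global policy. The interface names and the addresses (documentation ranges) are constructed for illustration; the syntax is the pre-8.3 `static` form that matches the ASA 8.0 guide quoted above.

```cisco
! Constructed example: real server 10.1.1.10 on "inside" is published as
! 192.0.2.10 on "outside". The trailing "dns" keyword marks this translation
! as eligible for DNS Rewrite (doctoring).
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 dns
!
! DNS inspection map. nat-rewrite is the parameter that rewrites the A-record
! in a DNS reply according to the translation above. PTR records are not
! rewritten, so reverse lookups are unaffected.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  nat-rewrite
!
! Default traffic class and global policy. Without "inspect dns" here, the
! "dns" keyword on the static entry has no effect, because the rewrite is
! performed by the DNS inspection engine.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
```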
