Bruno is correct. Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1753286

Defaults

NAT rewrite is enabled by default. This feature can be enabled when *inspect dns* is configured even if a *policy-map type inspect dns* is not defined. To disable, *no nat-rewrite* must explicitly be stated in the policy map configuration. If *inspect dns* is not configured, NAT rewrite is not performed.

On Sat, Feb 26, 2011 at 5:03 PM, Bruno <[email protected]> wrote:
> Here is what Kingsley might be referring to:
>
> policy-map type inspect dns preset_dns_map
>  parameters
>   message-length maximum 512
>   no message-length maximum server
>   no message-length maximum client
>   dns-guard
>   protocol-enforcement
>   *nat-rewrite*
>   no id-randomization
>   no id-mismatch
>   no tsig enforced
>
> On Sat, Feb 26, 2011 at 7:01 AM, Kingsley Charles <[email protected]> wrote:
>
>> Yes, it is required.
>>
>> Snippet from
>> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632
>>
>> When DNS inspection is enabled, which is the default, the security
>> appliance performs the following additional tasks:
>>
>> • Translates the DNS record based on the configuration completed using the
>> *alias*, *static* and *nat* commands (DNS Rewrite). Translation only
>> applies to the A-record in the DNS reply; therefore, DNS Rewrite does not
>> affect reverse lookups, which request the PTR record.
>>
>> With regards
>> Kings
>>
>> On Sat, Feb 26, 2011 at 2:05 AM, Pemasiri Devanarayana <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> When we configure DNS doctoring in the ASA, do we still need to inspect
>>> DNS as follows:
>>>
>>> policy-map global_insp
>>>  class inspection_default
>>>   inspect dns
>>>
>>> thanks
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
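To tie the three answers together, here is an added, end-to-end DNS doctoring configuration in ASA 8.0-style syntax (matching the documents linked above). It is not from any message in this thread or from Cisco's documentation; the interface names, the 10.1.1.10 inside address, the 203.0.113.10 mapped address, and the policy-map names are assumptions chosen for illustration. It shows the three pieces that have to be present for an A-record rewrite to happen: the `dns` keyword on the translation, a DNS inspection policy in which `nat-rewrite` is left enabled, and `inspect dns` actually applied through a service policy.

```cisco
! Added example: hypothetical DNS doctoring setup, ASA 8.0-style syntax.
! Addresses are from documentation ranges and chosen for illustration.

! 1. Static translation for an internal web server. The trailing "dns"
!    keyword is what allows A-record replies crossing the ASA to be
!    rewritten, so inside clients that query an outside DNS server get
!    10.1.1.10 instead of the mapped 203.0.113.10. Without "dns" the
!    inspection engine has nothing to rewrite against.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns

! 2. DNS inspection policy. nat-rewrite is enabled by default; it is listed
!    here explicitly so the intent survives a "show run" review. Replacing
!    the line with "no nat-rewrite" keeps the other checks (message-length,
!    dns-guard, protocol-enforcement) but stops the A-record rewrite.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite

! 3. Apply DNS inspection globally. This is the part the original question
!    asked about: with no "inspect dns" in the service policy, no rewrite is
!    performed regardless of the "dns" keyword on the static command.
class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

service-policy global_policy global
```

Only A-records in replies are rewritten, so PTR lookups for 203.0.113.10 still return whatever the DNS server holds; if reverse resolution from the inside matters, that has to be handled on the DNS side (split DNS) rather than by the ASA. To confirm the policy is actually applied, `show service-policy inspect dns` lists the DNS inspection counters per interface or globally.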
