Friday 12 February 2016

ASA Service Policies

Policy maps allow us to apply specific actions to traffic that is defined by a class map.

They are applied either to a single interface or globally to all interfaces.

For this scenario I would like to apply a global policy that will DENY any DNS traffic originating from the source IP 10.0.0.182 that attempts to look up the domain name testing.com.

To do this we must create a service policy. The first step is to build a class-map that identifies the traffic (DNS over TCP and UDP from the source host):

access-list mytraffic extended permit tcp host 10.0.0.182 any eq 53
access-list mytraffic extended permit udp host 10.0.0.182 any eq 53

class-map myclassmap
 match access-list mytraffic

We will then create a regex for the domain name and an inspection policy map that references it by name. The regex name in the match statement must be identical to the name in the regex definition, and the dot is escaped so it matches a literal "." rather than any single character:

regex urllisttest "testing\.com"

policy-map type inspect dns strictdns
 match domain-name regex urllisttest
  drop log

policy-map global_policy
 class myclassmap
  inspect dns strictdns

(global_policy is the default service policy that is applied to all interfaces)

Note: if global_policy already contains classes that match on source / destination addresses, make sure the new class we are creating is placed before them; otherwise an earlier, broader class can match the DNS traffic first and our policy is never applied.
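As an added example (not part of the original post), a small Python check that catches the two easy mistakes in a configuration like the one above: a match statement that references a regex name that was never defined, and a domain regex whose unescaped dot matches more than intended. The sample configuration is constructed and deliberately contains a mismatched regex name.

```python
import re

# Constructed sample configuration. The match statement references
# "urllistest", which differs from the defined name "urllisttest".
SAMPLE_CONFIG = """\
regex urllisttest "testing.com"
policy-map type inspect dns strictdns
 match domain-name regex urllistest
  drop log
policy-map global_policy
 class myclassmap
  inspect dns strictdns
"""

REGEX_DEF = re.compile(r'^\s*regex\s+(\S+)\s+"(.*)"\s*$')
REGEX_REF = re.compile(r'^\s*match\s+domain-name\s+regex\s+(\S+)\s*$')


def parse_regexes(config):
    """Return {name: pattern} for every 'regex NAME "PATTERN"' line."""
    defs = {}
    for line in config.splitlines():
        m = REGEX_DEF.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs


def undefined_regex_refs(config):
    """Names used in 'match domain-name regex NAME' with no matching 'regex NAME' line."""
    defs = parse_regexes(config)
    return [m.group(1)
            for m in map(REGEX_REF.match, config.splitlines())
            if m and m.group(1) not in defs]


def domains_matched(pattern, domains):
    """Domains the pattern matches when searched unanchored, as the ASA does.

    Shows why 'testing.com' (unescaped dot) also matches names such as
    'testingxcom.example', while 'testing\\.com' matches only the literal domain
    and its subdomains."""
    return [d for d in domains if re.search(pattern, d)]
```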
