Friday 12 February 2016

ASA Service Policies

Policy maps allows us to apply specific actions on traffic that is defined by a class map.

They are applied to either one, or all (globally) interfaces.

For this scenerio I would like to apply a global policy that will DENY any DNS traffic that is attempting to lookup the domain name orginating from the source IP of

To do this we must firstly create a service policy we will firstly have to build a class-map to identify the traffic:

access-list mytraffic extended permit tcp any eq 53
access-list mytraffic extended permit udp any eq 53

class-map myclassmap
match access-list mytraffic

We will then create an inspection policy map:

regex urllisttest ""

policy-map type inspect dns strictdns
match domain-name regex urllistest
drop log

policy-map global_policy
class myclassmap
inspect dns strictdns

(global_policy is the default service policy that is applied to all interfaces)

Note: Also ensure that if you have any global source / dst rules in the 'global policy' that the new policy map we are creating is before these (otherwise they could cause issues.)


Post a Comment