Problem continues~

Unanswered Question
Apr 24th, 2010

Sorry for opening another thread, but I keep getting the following error:

------------------------------------------------------------------------------------------------------
ZR1(config)# class-map inspection_default
ZR1(config-cmap)# match default-inspection-traffic
ZR1(config-cmap)# policy-map type inspect dns preset_dns_map
ZR1(config-pmap)# parameters
ZR1(config-pmap-p)# message-length maximum 512
ZR1(config-pmap-p)# policy-map
ZR1(config-pmap-p)# policy-map gl
ZR1(config-pmap-p)# policy-map global
ZR1(config-pmap-p)# policy-map global_policy
ZR1(config-pmap)# class in
ZR1(config)# class inspection_default
ZR1(config)# class inspection_default
ZR1(config-cmap)# inspect dns present_dns_map
                    ^
ERROR: % Invalid input detected at '^' marker.
------------------------------------------------------------------------------------------------------


Also, how do I configure the ASA to block out spyware or ads when viewing from www? Do I need to know the URL to do this?


thx

Jennifer Halim (Cisco Employee) Sat, 04/24/2010 - 21:25

Here is the sequence for the configuration:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Please make sure that you type in the full "inspection_default" name; otherwise, it goes back to the "config" mode, not within the policy-map mode.


In regards to spyware and adware, the ASA is not able to block those. You would need to have a CSC module on your ASA to block the spyware and adware.


Hope that helps.

SPERTWCISCO Sat, 04/24/2010 - 23:26

For some reason, it won't accept the command.


I had to "write erase" the whole config and now it is finally working.


Here is my final running-config.


How can I harden it even more?


As well, what is the following command? Can I delete or disable it?


------------------------------
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
--------------------------


thx


------------------------------------------------------------------------------
: Saved
:
ASA Version 8.3(1)
!
hostname xxxxx
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan200
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan500
 no forward interface Vlan800
 nameif dmz
 security-level 50
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan800
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 200
!
interface Ethernet0/1
 switchport access vlan 800
!
interface Ethernet0/2
 switchport access vlan 800
!
interface Ethernet0/3
 switchport access vlan 800
!
interface Ethernet0/4
 switchport access vlan 800
!
interface Ethernet0/5
 switchport access vlan 800
!
interface Ethernet0/6
 switchport access vlan 800
!
interface Ethernet0/7
 switchport access vlan 500
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone xxxxx
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.8-192.168.1.10 inside
dhcpd dns [ISP DNS1] [ISP DNS2] interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxxxxxxx password xxxxxxxxx encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
-----------------------------------------------------------------

Jennifer Halim (Cisco Employee) Sat, 04/24/2010 - 23:34

1) You do not need to configure an ACL on the outside interface if you are not initiating inbound connections, because by default traffic from outside (low security level) to inside/dmz (higher security level) will be denied.


The following can be removed:

access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any


2) You have the following ACL: "access-list dmz_access_in extended deny ip any any" applied to dmz: "access-group dmz_access_in in interface dmz", which means dmz hosts are not able to initiate any connection at all towards inside and outside. Not sure if this is what you are after, but if it is, you are on the right track.


3) I also see that you have no ACL applied to your inside interface. If you want to restrict access more, you can configure an ACL and apply it to the inside interface for traffic from inside towards dmz and outside. By default, traffic from a higher security level towards a lower security level is allowed, so you can restrict access from inside towards dmz and outside with a specific ACL.


Hope that helps.
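The three points in the reply above follow one rule: inbound traffic on an interface is denied by default when headed to a higher security level, permitted by default when headed to a lower one, and governed by the inbound ACL whenever one is applied. The following script, added here as an example and not code from the thread or from Cisco, encodes that rule as a small audit of an ASA running-config. SAMPLE_CONFIG is a constructed excerpt modelled on the config posted in the thread; the parser only understands the `nameif`, `security-level`, `access-list ... extended` and `access-group ... in interface` lines it needs.

```python
"""Per-interface ACL posture check for an ASA running-config.

Added example, not code from the thread or from Cisco. It turns the
reasoning in the reply above (default deny from lower to higher
security level, default permit from higher to lower, an applied ACL
overrides both) into a small audit. SAMPLE_CONFIG is a constructed
excerpt modelled on the config posted in the thread.
"""
import re

SAMPLE_CONFIG = """\
interface Vlan200
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan500
 nameif dmz
 security-level 50
 ip address 10.2.1.1 255.255.255.0
interface Vlan800
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip any any
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""

ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) ")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def parse_config(text):
    """Return (levels, acls, groups) extracted from the config text.

    levels: nameif -> security-level (int)
    acls:   ACL name -> list of actions in order ('permit' or 'deny')
    groups: nameif -> ACL name applied inbound on that interface
    """
    levels, acls, groups = {}, {}, {}
    nameif = None  # nameif of the interface block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new block; its nameif comes on a later line
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return levels, acls, groups


def audit(text):
    """Return {nameif: finding} describing the effective inbound policy."""
    levels, acls, groups = parse_config(text)
    findings = {}
    if not levels:
        return findings
    lowest = min(levels.values())
    for name, level in sorted(levels.items(), key=lambda kv: kv[1]):
        acl = groups.get(name)
        lower = sorted(n for n, lvl in levels.items() if lvl < level)
        if acl is None:
            if lower:
                # No ACL on a higher-security interface: the default policy
                # lets its hosts reach every lower-security interface.
                findings[name] = (
                    f"no inbound ACL; traffic to {', '.join(lower)} is "
                    "permitted by default, add an ACL to restrict it")
            else:
                findings[name] = "no inbound ACL; inbound is denied by default"
            continue
        actions = acls.get(acl, [])
        if not actions:
            findings[name] = f"ACL {acl} is applied but has no entries"
        elif all(a == "deny" for a in actions):
            if level == lowest:
                # An explicit deny-all on the lowest-security interface only
                # restates the default and can be removed.
                findings[name] = f"ACL {acl} only denies; redundant with the default deny"
            else:
                findings[name] = f"ACL {acl} only denies; hosts here cannot initiate any connection"
        else:
            findings[name] = f"ACL {acl} applied with {len(actions)} entries"
    return findings


if __name__ == "__main__":
    for nameif, finding in audit(SAMPLE_CONFIG).items():
        print(f"{nameif:8} {finding}")
```

Run against the sample, the audit reports the outside ACL as redundant, the dmz ACL as blocking every connection from dmz hosts, and the inside interface as open by default towards dmz and outside, which is the same assessment given in the reply. The check deliberately ignores `same-security-traffic` and per-rule logging, so an explicit deny-all kept for its log messages would still be flagged as redundant.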

Magnus Mortensen (Cisco Employee) Mon, 04/26/2010 - 19:30

The reason you are having issues is because it looks like you are using tab completion when typing the class line:

ZR1(config-pmap-p)# policy-map global_policy
ZR1(config-pmap)#  class in
ZR1(config)# class inspection_default
ZR1(config)#  class inspection_default

Notice the prompt change? Tab completion when doing the class line results in dumping back to the (config) prompt and out of the (config-pmap) sub config. If you did not hit tab, it should have kept you in that config mode and it should have worked.


-M
