04-24-2010 08:55 PM - edited 03-11-2019 10:37 AM
Sorry for opening another thread, but I keep getting the following error:
------------------------------------------------------------------------------------------------------
ZR1(config)# class-map inspection_default
ZR1(config-cmap)# match default-inspection-traffic
ZR1(config-cmap)# policy-map type inspect dns preset_dns_map
ZR1(config-pmap)# parameters
ZR1(config-pmap-p)# message-length maximum 512
ZR1(config-pmap-p)# policy-map
ZR1(config-pmap-p)# policy-map gl
ZR1(config-pmap-p)# policy-map global
ZR1(config-pmap-p)# policy-map global_policy
ZR1(config-pmap)# class in
ZR1(config)# class inspection_default
ZR1(config)# class inspection_default
ZR1(config-cmap)# inspect dns present_dns_map
^
ERROR: % Invalid input detected at '^' marker.
------------------------------------------------------------------------------------------------------
Also, how do I configure the ASA to block out spyware or ads when viewing from www? Do I need to know the URL to do this?
thx
04-24-2010 09:25 PM
Here is the sequence for the configuration:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
Please make sure that you type in the full "inspection_default" name; otherwise it goes back to the "config" mode, not the policy-map mode.
In regards to spyware and adware, the ASA is not able to block those. You would need a CSC module on your ASA to block spyware and adware.
Hope that helps.
04-24-2010 11:26 PM
For some reason, it won't accept the command.
I had to "write erase" the whole config and now it is finally working.
Here is my final running-config.
How can I harden it even more?
As well, what is the following command? Can I delete or disable it?
------------------------------
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
--------------------------
thx
------------------------------------------------------------------------------
: Saved
:
ASA Version 8.3(1)
!
hostname xxxxx
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Vlan200
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan500
no forward interface Vlan800
nameif dmz
security-level 50
ip address 10.2.1.1 255.255.255.0
!
interface Vlan800
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 200
!
interface Ethernet0/1
switchport access vlan 800
!
interface Ethernet0/2
switchport access vlan 800
!
interface Ethernet0/3
switchport access vlan 800
!
interface Ethernet0/4
switchport access vlan 800
!
interface Ethernet0/5
switchport access vlan 800
!
interface Ethernet0/6
switchport access vlan 800
!
interface Ethernet0/7
switchport access vlan 500
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone xxxxx
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu dmz 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.8-192.168.1.10 inside
dhcpd dns [ISP DNS1] [ISP DNS2] interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxxxxxxx password xxxxxxxxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
-----------------------------------------------------------------
04-24-2010 11:34 PM
1) You do not need to configure an ACL on the outside interface if you are not initiating inbound connections, because by default traffic from outside (low security level) to inside/dmz (higher security level) will be denied.
The following can be removed:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
2) You have the following ACL: "access-list dmz_access_in extended deny ip any any" applied to dmz: "access-group dmz_access_in in interface dmz", which means dmz hosts are not able to initiate any connection at all towards inside and outside. Not sure if this is what you are after, but if it is, you are on the right track.
3) I also see that you have no ACL applied to your inside interface. If you want to restrict access more, you can configure an ACL and apply it to the inside interface for traffic from inside towards dmz and outside. By default, traffic from a higher security level towards a lower security level is allowed, so you can restrict access from inside towards dmz and outside with a specific ACL.
Hope that helps.
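As an added example (not code from any of the posts above), the script below audits a pasted ASA running-config for the points raised in the two replies: the `inspect dns` line must name a policy-map that actually exists (the reply at 09:25 PM spells it "present_dns_map" while the config defines "preset_dns_map"), an interface with no inbound ACL can reach every lower-security interface, a deny-only ACL on the outside interface is redundant while on the dmz it means hosts there cannot initiate anything, and it reports whether the CiscoTAC-1 call-home profile asked about is active (it is not, because of "no active"). The finding codes, the function names and the trimmed sample config are this example's own; the sample keeps the typo so the first check fires.

```python
"""Added example (not from the thread): audit a pasted ASA running-config for the
points the replies above raise. Pasted ASA output loses its indentation, so
nesting is tracked by keyword, not by leading spaces."""
from dataclasses import dataclass, field

# Constructed, trimmed version of the config posted above; the typo
# 'present_dns_map' is kept so the first check fires.
SAMPLE_CONFIG = """\
interface Vlan200
nameif outside
security-level 0
interface Vlan500
nameif dmz
security-level 50
interface Vlan800
nameif inside
security-level 100
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended deny ip any any
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
policy-map type inspect dns preset_dns_map
policy-map global_policy
class inspection_default
inspect dns present_dns_map
inspect ftp
call-home
profile CiscoTAC-1
no active
"""


@dataclass
class AsaConfig:
    interfaces: dict = field(default_factory=dict)     # nameif -> security-level
    acl_actions: dict = field(default_factory=dict)    # ACL name -> [permit|deny, ...]
    access_groups: dict = field(default_factory=dict)  # nameif -> ACL applied inbound
    dns_maps: set = field(default_factory=set)         # policy-map type inspect dns names
    dns_refs: list = field(default_factory=list)       # names used by `inspect dns`
    callhome_profiles: dict = field(default_factory=dict)  # profile -> active?


def parse_asa_config(text: str) -> AsaConfig:
    cfg = AsaConfig()
    nameif, in_callhome, profile = None, False, None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "interface":
            nameif = None
        elif toks[0] == "nameif" and len(toks) == 2:
            nameif = toks[1]
        elif toks[0] == "security-level" and len(toks) == 2 and nameif:
            cfg.interfaces[nameif] = int(toks[1])  # ASA prints nameif before security-level
        elif toks[0] == "access-list" and len(toks) >= 4 and toks[2] == "extended":
            cfg.acl_actions.setdefault(toks[1], []).append(toks[3])  # permit / deny
        elif toks[0] == "access-group" and len(toks) >= 5 and toks[2:4] == ["in", "interface"]:
            cfg.access_groups[toks[4]] = toks[1]
        elif toks[:4] == ["policy-map", "type", "inspect", "dns"] and len(toks) == 5:
            cfg.dns_maps.add(toks[4])
        elif toks[:2] == ["inspect", "dns"] and len(toks) == 3:
            cfg.dns_refs.append(toks[2])
        elif toks == ["call-home"]:
            in_callhome = True
        elif in_callhome and toks[0] == "profile" and len(toks) == 2:
            profile = toks[1]
            cfg.callhome_profiles[profile] = True  # active unless 'no active' follows
        elif in_callhome and profile and toks in (["active"], ["no", "active"]):
            cfg.callhome_profiles[profile] = toks == ["active"]
    return cfg


def audit(cfg: AsaConfig) -> list:
    """(code, message) findings; the codes are this example's own labels."""
    out = []
    for name in cfg.dns_refs:
        if name not in cfg.dns_maps:
            out.append(("DNS_MAP_UNDEFINED", f"inspect dns {name}: no such policy-map, defined: {sorted(cfg.dns_maps)}"))
    # With no ACL applied, a higher-security interface reaches every lower one freely.
    for nameif, level in cfg.interfaces.items():
        lower = sorted(n for n, l in cfg.interfaces.items() if l < level)
        if lower and nameif not in cfg.access_groups:
            out.append(("NO_INBOUND_ACL", f"{nameif} (level {level}) has no ACL; hosts there reach {lower} unrestricted"))
    lowest = min(cfg.interfaces.values(), default=None)
    for nameif, acl in cfg.access_groups.items():
        if cfg.acl_actions.get(acl) and all(a == "deny" for a in cfg.acl_actions[acl]):
            if cfg.interfaces.get(nameif) == lowest:
                out.append(("DENY_ALL_REDUNDANT", f"{acl} on {nameif}: inbound to higher levels is already denied by default"))
            else:
                out.append(("DENY_ALL_ISOLATION", f"{acl} on {nameif}: hosts there cannot initiate any connection"))
    for prof, active in cfg.callhome_profiles.items():
        out.append(("CALLHOME_ACTIVE" if active else "CALLHOME_INACTIVE", f"call-home profile {prof} is {'active' if active else 'not active'}"))
    return out


if __name__ == "__main__":
    for code, msg in audit(parse_asa_config(SAMPLE_CONFIG)):
        print(f"{code:18} {msg}")
```

Paste your own "show running-config" output into SAMPLE_CONFIG (or read it from a file) to re-run the checks after each change; correcting the map name and applying an ACL to the inside interface clears the first two findings, while the dmz and outside deny-all lines stay reported so you can confirm they are deliberate.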
04-26-2010 07:30 PM
The reason you are having issues is because it looks like you are using tab completion when typing the class line:
ZR1(config-pmap-p)# policy-map global_policy
ZR1(config-pmap)# class in
ZR1(config)# class inspection_default
ZR1(config)# class inspection_default
Notice the prompt change? Tab completion when doing the class line results in dumping back to the (config) prompt and out of the (config-pmap) sub config. If you did not hit tab, it should have kept you in that config mode and it should have worked.
-M