Integration for ASA Overview

The Umbrella ASA Integration allows administrators to add their Cisco Adaptive Security Appliance (ASA) to their Umbrella configuration as a per-interface policy. The Umbrella connector enables the ASA to redirect DNS queries to Umbrella.


Bypass Firepower Module for Umbrella Traffic

Cisco Umbrella and ASA FirePOWER processing are not compatible for a given connection. If you want to use both services, you must exclude UDP/53 and UDP/443 from ASA FirePOWER processing. For more details, see Cisco ASA documentation.

The Umbrella connector is a part of the ASA's DNS inspection engine. If your existing DNS inspection policy map decides to block or drop a request based on your DNS inspection settings, the request is not forwarded to Umbrella.

This allows for two lines of protection: your local DNS inspection policy and your Umbrella cloud-based DNS inspection policy.

When redirecting DNS queries to Umbrella, the Umbrella connector includes an EDNS (Extension mechanisms for DNS) record. An EDNS record contains the device ID, organization ID, and client IP address. This information is used by your Umbrella policy to determine whether to block or allow traffic.

You can also elect to encrypt DNS traffic using DNSCrypt to ensure the privacy of usernames and internal IP addresses.

Note: There is not a built-in option to maintain an internal domains list. Instead, you can create a policy to bypass SSIDs from Umbrella.

For more information on Cisco's ASA, see Cisco ASA documentation.

Integration for ASA Overview > Prerequisites