Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter

Recommended Configuration

Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use of the Botnet Traffic Filter (see the “Enabling DNS Snooping” section on page 55-10). Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.

We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and enabling dropping of traffic with a severity of moderate and higher. See the “Examples” section for the recommended commands used for this configuration.

Detailed Steps

Step 1 (Optional)

Command:
access-list access_list_name extended {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port]

Example:
hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
hostname(config)# access-list dynamic-filter_acl_subset extended permit tcp 10.1.1.0 255.255.255.0 any eq 80

Purpose:
Identifies the traffic that you want to monitor or drop. If you do not create an access list for monitoring, by default you monitor all traffic. You can optionally use an access list to identify a subset of monitored traffic that you want to drop; be sure the access list is a subset of the monitoring access list. See Chapter 15, “Adding an Extended Access List,” for more information about creating an access list.

Step 2

Command:
dynamic-filter enable [interface name] [classify-list access_list]

Example:
hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl

Purpose:
Enables the Botnet Traffic Filter; without any options, this command monitors all traffic.

We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface using the interface keyword.

You can optionally limit monitoring to specific traffic by using the classify-list keyword with an access list.

You can enter this command one time for each interface and one time for the global policy (where you do not specify the interface keyword). Each interface and global command can have an optional classify-list keyword. Any interface-specific commands take precedence over the global command.
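Step 1 requires that the drop access list be a subset of the monitoring access list, but the ASA does not verify this for you. The following Python check is an added example, not part of the Cisco guide: it parses the two access lists shown in Step 1 (handling only the `any`/address-mask forms and the `eq` port operator used on this page) and confirms that every entry in the drop list is covered by an entry in the monitoring list.

```python
import ipaddress
from collections import namedtuple

# Constructed sample, taken from the two access-list examples in Step 1 above.
SAMPLE_CONFIG = [
    "access-list dynamic-filter_acl extended permit tcp any any eq 80",
    "access-list dynamic-filter_acl_subset extended permit tcp 10.1.1.0 255.255.255.0 any eq 80",
]
Ace = namedtuple("Ace", "action protocol src src_port dst dst_port")

def _parse_addr(tokens):
    # "any" means every address; otherwise the page's "address mask" pair.
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _parse_port(tokens):
    # Only the "eq port" operator is handled; no operator means any port.
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    # Parses "access-list NAME extended {deny|permit} proto src [eq p] dst [eq p]".
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    src, rest = _parse_addr(t[5:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return t[1], Ace(t[3], t[4], src, sport, dst, dport)

def covers(mon, sub):
    # True when every packet matched by `sub` is also matched by `mon`.
    return (mon.action == sub.action
            and mon.protocol in ("ip", sub.protocol)
            and sub.src.subnet_of(mon.src) and sub.dst.subnet_of(mon.dst)
            and mon.src_port in (None, sub.src_port)
            and mon.dst_port in (None, sub.dst_port))

def is_drop_acl_subset(lines, monitor_name, drop_name):
    # Every permit ACE in the drop ACL must be covered by a permit ACE in the monitor ACL.
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    monitor = [a for a in acls.get(monitor_name, []) if a.action == "permit"]
    drop = [a for a in acls.get(drop_name, []) if a.action == "permit"]
    return bool(drop) and all(any(covers(m, d) for m in monitor) for d in drop)
```

Run it against the lines of a saved configuration before attaching the drop list; a `False` result means some drop entry matches traffic the Botnet Traffic Filter is not monitoring.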
