Other configuration examples – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Configuration Examples for the Botnet Traffic Filter

hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop

hostname(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside

hostname(config)# dynamic-filter enable interface outside

hostname(config)# dynamic-filter drop blacklist interface outside

The following recommended example configuration for multiple context mode enables the Botnet
Traffic Filter for two contexts:

Example 55-2 Multiple Mode Botnet Traffic Filter Recommended Example

hostname(config)# dynamic-filter updater-client enable

hostname(config)# changeto context context1

hostname/context1(config)# dynamic-filter use-database

hostname/context1(config)# class-map dynamic-filter_snoop_class

hostname/context1(config-cmap)# match port udp eq domain

hostname/context1(config-cmap)# policy-map dynamic-filter_snoop_policy

hostname/context1(config-pmap)# class dynamic-filter_snoop_class

hostname/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop

hostname/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside

hostname/context1(config)# dynamic-filter enable interface outside

hostname/context1(config)# dynamic-filter drop blacklist interface outside

hostname/context1(config)# changeto context context2

hostname/context2(config)# dynamic-filter use-database

hostname/context2(config)# class-map dynamic-filter_snoop_class

hostname/context2(config-cmap)# match port udp eq domain

hostname/context2(config-cmap)# policy-map dynamic-filter_snoop_policy

hostname/context2(config-pmap)# class dynamic-filter_snoop_class

hostname/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop

hostname/context2(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside

hostname/context2(config)# dynamic-filter enable interface outside

hostname/context2(config)# dynamic-filter drop blacklist interface outside
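
Added example (not from the Cisco guide): a Python check that a captured CLI transcript contains, for every context, the steps Example 55-2 enters. The function names, step labels and sample transcript are constructed for illustration; the check looks only for the presence of each command, not its effect.

```python
import re

# Steps Example 55-2 enters in every context, matched as command prefixes.
REQUIRED = {
    "use-database": r"dynamic-filter use-database\b",
    "dns-snooping": r"inspect dns \S+ dynamic-filter-snoop\b",
    "service-policy": r"service-policy \S+ interface \S+",
    "enable": r"dynamic-filter enable interface \S+",
    "drop-blacklist": r"dynamic-filter drop blacklist interface \S+",
}
# Prompt shapes seen on the page: hostname(config)# and hostname/context1(config-pmap-c)#
PROMPT = re.compile(r"^[^/(\s]+(?:/(?P<ctx>[^(\s]+))?\(config[^)]*\)#\s*(?P<cmd>.+)$")

def commands_by_context(transcript):
    """Group typed commands by context; a line with no prompt continues the previous command."""
    contexts, current = {}, None
    for line in map(str.strip, transcript.splitlines()):
        if m := PROMPT.match(line):
            current = contexts.setdefault(m.group("ctx") or "system", [])
            current.append(" ".join(m.group("cmd").split()))
        elif line and current:
            current[-1] += " " + line   # wrapped line such as a lone "outside"
    return contexts

def audit(transcript):
    """Return {context: [missing steps]}; the 'system' entry covers the updater client."""
    ctxs = commands_by_context(transcript)
    system = ctxs.pop("system", [])
    report = {"system": [] if "dynamic-filter updater-client enable" in system else ["updater-client"]}
    for ctx, cmds in (ctxs or {"system": system}).items():   # single mode has no contexts
        report[ctx] = report.get(ctx, []) + [
            step for step, pat in REQUIRED.items() if not any(re.match(pat, c) for c in cmds)]
    return report

# Constructed transcript, trimmed to the lines the audit reads: context1 is complete
# (including a wrapped service-policy line), context2 only enables the filter.
SAMPLE = """\
hostname(config)# dynamic-filter updater-client enable
hostname/context1(config)# dynamic-filter use-database
hostname/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
hostname/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface
outside
hostname/context1(config)# dynamic-filter enable interface outside
hostname/context1(config)# dynamic-filter drop blacklist interface outside
hostname/context2(config)# dynamic-filter use-database
hostname/context2(config)# dynamic-filter enable interface outside
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A context that enables the filter but never enters the drop command, like context2 in the sample, shows up with `drop-blacklist` in its missing list.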

Other Configuration Examples

The following sample configuration adds static entries to the blacklist and to the whitelist. Then, it
monitors all port 80 traffic on the outside interface, and drops blacklisted traffic. It also treats greylist
addresses as blacklisted addresses.

hostname(config)# dynamic-filter updater-client enable

hostname(config)# changeto context context1

hostname/context1(config)# dynamic-filter use-database

hostname/context1(config)# class-map dynamic-filter_snoop_class

hostname/context1(config-cmap)# match port udp eq domain

hostname/context1(config-cmap)# policy-map dynamic-filter_snoop_policy

hostname/context1(config-pmap)# class dynamic-filter_snoop_class

hostname/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop

hostname/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside

hostname/context1(config-pmap-c)# dynamic-filter blacklist

hostname/context1(config-llist)# name bad1.example.com

hostname/context1(config-llist)# name bad2.example.com
