-
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
-
About This Guide
-
Glossary
- Getting Started and General Information
- Setting Up the Adaptive Security Appliance
- Configuring Access Lists
- Configuring IP Routing
- Configuring NAT
- Configuring Service Policies Using the Modular Policy Framework
- Configuring Access Control
- Configuring Application Inspection
- Configuring Unified Communications
- Configuring Connection Settings and QoS
- Configuring Advanced Network Protection
- Configuring Applications on SSMs and SSCs
- Configuring High Availability
-
Configuring VPN
-
Configuring IPSec and ISAKMP
-
Configuring L2TP over IPSec
-
Setting General VPN Parameters
-
Configuring Tunnel Groups, Group Policies, and Users
-
Configuring IP Addresses for VPN
-
Configuring Remote Access VPNs
-
Configuring Network Admission Control
-
Configuring Easy VPN on the ASA 5505
-
Configuring the PPPoE Client
-
Configuring LAN-to-LAN VPNs
-
Configuring Clientless SSL VPN
-
Configuring AnyConnect VPN Client Connections
-
- Configuring Logging and SNMP
- System Administration
- Reference
-
Feedback
Table Of Contents
Configuring the Botnet Traffic Filter
Information About the Botnet Traffic Filter
Botnet Traffic Filter Address Categories
Botnet Traffic Filter Actions for Known Addresses
Botnet Traffic Filter Databases
Information About the Dynamic Database
Information About the Static Database
Information About the DNS Reverse Lookup Cache and DNS Host Cache
How the Botnet Traffic Filter Works
Licensing Requirements for the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Blocking Botnet Traffic Manually
Searching the Dynamic Database
Monitoring the Botnet Traffic Filter
Botnet Traffic Filter Syslog Messaging
Botnet Traffic Filter Commands
Configuration Examples for the Botnet Traffic Filter
Recommended Configuration Example
Feature History for the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity.
You can also supplement the Cisco dynamic database with blacklisted addresses of your choosing by adding them to a static blacklist; if the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Whitelisted addresses still generate syslog messages, but because you are only targeting blacklist syslog messages, they are informational.
Note
If you do not want to use the Cisco dynamic database at all, because of internal requirements, you can use the static blacklist alone if you can identify all the malware sites that you want to target.
This chapter describes how to configure the Botnet Traffic Filter and includes the following sections:
•
•
•
•
•
•
Information About the Botnet Traffic Filter
This section includes information about the Botnet Traffic Filter and includes the following topics:
•
•
•
•
Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
•
•
•
•
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity, and you can optionally configure it to block suspicious traffic automatically.
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and greylist generate syslog messages differentiated by type. See the "Botnet Traffic Filter Syslog Messaging" section for more information.
Botnet Traffic Filter Databases
The Botnet Traffic Filter uses two databases for known addresses. You can use both databases together, or you can disable use of the dynamic database and use the static database alone. This section includes the following topics:
•
•
•
Information About the Dynamic Database
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update server. This database lists thousands of known bad domain names and IP addresses.
How the ASA Uses the Dynamic Database
The adaptive security appliance uses the dynamic database as follows:
1.
2.
3.
Database Files
The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command instead. Be sure to first disable use of the database by entering the no dynamic-filter use-database command.
Note
To use the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the adaptive security appliance looks inside the DNS packets for the domain name and associated IP address.
Database Traffic Types
The dynamic database includes the following types of addresses:
•
•
•
•
•
•
•
•
•
Information About the Static Database
You can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a blacklist. Static blacklist entries are always designated with a Very High threat level. You can also enter names or IP addresses in a whitelist, so that names or addresses that appear on both the dynamic blacklist and the whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist.
When you add a domain name to the static database, the adaptive security appliance waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the adaptive security appliance). We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping. The adaptive security appliance uses Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names in the following circumstances:
•
•
If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, the adaptive security appliance looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.
If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that traffic will not be monitored by the Botnet Traffic Filter.
Information About the DNS Reverse Lookup Cache and DNS Host Cache
When you use the dynamic database with DNS snooping, entries are added to the DNS reverse lookup cache. If you use the static database, entries are added to the DNS host cache (see the "Information About the Static Database" section about using the static database with DNS snooping and the DNS reverse lookup cache).
Entries in the DNS reverse lookup cache and the DNS host cache have a time to live (TTL) value provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server provides a larger TTL, it is truncated to 1 day maximum.
For the DNS reverse lookup cache, after an entry times out, the adaptive security appliance renews the entry when an infected host initiates a connection to a known address, and DNS snooping occurs.
For the DNS host cache, after an entry times out, the adaptive security appliance periodically requests a refresh for the entry.
For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each.
Table 51-1 lists the maximum number of entries in the DNS reverse lookup cache per model.
Table 51-1 DNS Reverse Lookup Cache Entries per Model
ASA 5505
5000
ASA 5510
10,000
ASA 5520
20,000
ASA 5540
40,000
ASA 5550
40,000
ASA 5580
100,000
How the Botnet Traffic Filter Works
Figure 51-1 shows how the Botnet Traffic Filter works with the dynamic database plus DNS inspection with Botnet Traffic Filter snooping.
Figure 51-1 How the Botnet Traffic Filter Works with the Dynamic Database
Figure 51-2 shows how the Botnet Traffic Filter works with the static database.
Figure 51-2 How the Botnet Traffic Filter Works with the Static Database
Licensing Requirements for the Botnet Traffic Filter
The following table shows the licensing requirements for this feature:
All models
You need the following licenses:
•
•
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Failover Guidelines
Does not support replication of the DNS reverse lookup cache, DNS host cache, or the dynamic database in Stateful Failover.
IPv6 Guidelines
Does not support IPv6.
Additional Guidelines and Limitations
•
•
Default Settings
By default, the Botnet Traffic Filter is disabled, as is use of the dynamic database.
For DNS inspection, which is enabled by default, Botnet Traffic Filter snooping is disabled by default.
Configuring the Botnet Traffic Filter
This section includes the following topics:
•
•
•
•
•
•
Task Flow for Configuring the Botnet Traffic Filter
To configure the Botnet Traffic Filter, perform the following steps:
Step 1
This procedure enables database updates from the Cisco update server, and also enables use of the downloaded dynamic database by the adaptive security appliance. Disallowing use of the downloaded database is useful in multiple context mode so you can configure use of the database on a per-context basis.
Step 2
This procedure lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. You might want to use the static database instead of the dynamic database if you do not want to download the dynamic database over the Internet.
Step 3
This procedure enables inspection of DNS packets, compares the domain name with those in the dynamic database or the static database (when a DNS server for the adaptive security appliance is unavailable), and adds the name and IP address to the DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address.
Step 4
This procedure enables the Botnet Traffic Filter, which compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message or drops any matching traffic.
Step 5
If you choose not to block malware traffic automatically, you can block traffic manually by configuring an access list to deny traffic, or by using the shun command to block all traffic to and from a host.
Configuring the Dynamic Database
This procedure enables database updates, and also enables use of the downloaded dynamic database by the adaptive security appliance. Disabling use of the downloaded database is useful in multiple context mode so you can configure use of the database on a per-context basis.
By default, downloading and using the dynamic database is disabled.
Prerequisites
Enable adaptive security appliance use of a DNS server according to the "Configuring the DNS Server" section.
Detailed Steps
Examples
The following multiple mode example enables downloading of the dynamic database, and enables use of the database in context1 and context2:
hostname(config)# dynamic-filter updater-client enablehostname(config)# changeto context context1hostname/context1(config)# dynamic-filter use-databasehostname/context1(config)# changeto context context2hostname/context2(config)# dynamic-filter use-databaseThe following single mode example enables downloading of the dynamic database, and enables use of the database:
hostname(config)# dynamic-filter updater-client enablehostname(config)# dynamic-filter use-databaseWhat to Do Next
See the "Adding Entries to the Static Database" section.
Adding Entries to the Static Database
The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist or whitelist. Static blacklist entries are always designated with a Very High threat level. See the "Information About the Static Database" section for more information.
Prerequisites
•
•
Detailed Steps
Examples
The following example creates entries for the blacklist and whitelist:
hostname(config)# dynamic-filter blacklisthostname(config-llist)# name bad1.example.comhostname(config-llist)# name bad2.example.comhostname(config-llist)# address 10.1.1.1 255.255.255.0hostname(config-llist)# dynamic-filter whitelisthostname(config-llist)# name good.example.comhostname(config-llist)# name great.example.comhostname(config-llist)# name awesome.example.comhostname(config-llist)# address 10.1.1.2 255.255.255.255What to Do Next
See the "Enabling DNS Snooping" section.
Enabling DNS Snooping
This procedure enables inspection of DNS packets and enables Botnet Traffic Filter snooping, which compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address.
The following procedure creates an interface-specific service policy for DNS inspection. See the "DNS Inspection" section and Chapter 30 "Configuring a Service Policy Using the Modular Policy Framework," for detailed information about configuring advanced DNS inspection options using the Modular Policy Framework.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Restrictions
TCP DNS traffic is not supported.
Default DNS Inspection Configuration and Recommended Configuration
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does not have DNS snooping enabled.
We suggest that you enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the adaptive security appliance.
For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface. See the "Examples" section for the recommended commands for this configuration.
Detailed Steps
Step 1
class-map name
Example:hostname(config)# class-map dynamic-filter_snoop_class
Creates a class map to identify the traffic for which you want to inspect DNS.
Step 2
match parameters
Example:hostname(config-cmap)# match port udp eq domain
Specifies traffic for the class map. See the "Identifying Traffic (Layer 3/4 Class Maps)" section for more information about available parameters. For example, you can specify an access list for DNS traffic to and from certain addresses, or you can specify all UDP DNS traffic.
Step 3
policy-map name
Example:hostname(config)# policy-map dynamic-filter_snoop_policy
Adds or edits a policy map so you can set the actions to take with the class map traffic.
Step 4
class name
Example:hostname(config-pmap)# class dynamic-filter_snoop_class
Identifies the class map you created in Step 1.
Step 5
inspect dns [map_name] dynamic-filter-snoop
Example:hostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
Enables DNS inspection with Botnet Traffic Filter snooping. To use the default DNS inspection policy map for the map_name, specify preset_dns_map for the map name. See the "DNS Inspection" section for more information about creating a DNS inspection policy map.
Step 6
service-policy policymap_name interface interface_name
Example:hostname(config)# service-policy dynamic-filter_snoop_policy interface outside
Activates the policy map on an interface. The interface-specific policy overrides the global policy. You can only apply one policy map to each interface.
Examples
The following recommended configuration creates a class map for all UDP DNS traffic, enables DNS inspection and Botnet Traffic Filter snooping with the default DNS inspection policy map, and applies it to the outside interface:
hostname(config)# class-map dynamic-filter_snoop_classhostname(config-cmap)# match port udp eq domainhostname(config-cmap)# policy-map dynamic-filter_snoop_policyhostname(config-pmap)# class dynamic-filter_snoop_classhostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoophostname(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outsideWhat to Do Next
See the "Enabling Traffic Classification and Actions for the Botnet Traffic Filter" section.
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and destination IP address in each initial connection packet to the following:
•
•
•
•
When an address matches, the adaptive security appliance sends a syslog message. The only additional action currently available is to drop the connection.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
Recommended Configuration
Although DNS snooping is not required, we recommend configuring DNS snooping for maximum use of the Botnet Traffic Filter (see the "Enabling DNS Snooping" section). Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface, and enabling dropping of traffic with a severity of moderate and higher. See the "Examples" section for the recommended commands used for this configuration.
Detailed Steps
Step 1
(Optional)
access-list access_list_name extended {deny | permit} protocol source_address mask [operator port] dest_address mask
[operator port]
Example:hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
hostname(config)# access-list dynamic-filter_acl_subset extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
Identifies the traffic that you want to monitor or drop. If you do not create an access list for monitoring, by default you monitor all traffic. You can optionally use an access list to identify a subset of monitored traffic that you want to drop; be sure the access list is a subset of the monitoring access list. See Chapter 13 "Adding an Extended Access List," for more information about creating an access list.
Step 2
dynamic-filter enable [interface name] [classify-list access_list]
Example:hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
Enables the Botnet Traffic Filter; without any options, this command monitors all traffic.
We recommend enabling the Botnet Traffic Filter on all traffic on the Internet-facing interface using the interface keyword.
You can optionally limit monitoring to specific traffic by using the classify-list keyword with an access list.
You can enter this command one time for each interface and one time for the global policy (where you do not specify the interface keyword). Each interface and global command can have an optional classify-list keyword. Any interface-specific commands take precedence over the global command.
Step 3
(Optional)
dynamic-filter drop blacklist [interface name] [action-classify-list subset_access_list] [threat-level {eq level | range min max}]
Example:hostname(config)# dynamic-filter drop blacklist interface outside action-classify-list dynamic-filter_acl_subset threat-level range moderate very-high
Automatically drops malware traffic. To manually drop traffic, see the "Blocking Botnet Traffic Manually" section.
Be sure to first configure a dynamic-filter enable command to monitor any traffic you also want to drop.
The action-classify-list keyword limits the traffic dropped to a subset of monitored traffic. The dropped traffic must always be equal to or a subset of the monitored traffic. For example, if you specify an access list for the dynamic-filter enable command, and you specify the action-classify-list for this command, then it must be a subset of the dynamic-filter enable access list.
You can set an interface policy using the interface keyword, or a global policy (where you do not specify the interface keyword). Any interface-specific commands take precedence over the global command. You can enter this command multiple times for each interface and global policy. Make sure you do not specify overlapping traffic in multiple commands for a given interface/global policy. Because you cannot control the exact order that commands are matched, overlapping traffic means you do not know which command will be matched. For example, do not specify both a command that matches all traffic (without the action-classify-list keyword) as well as a command with the action-classify-list keyword for a given interface. In this case, the traffic might never match the command with the action-classify-list keyword. Similarly, if you specify multiple commands with the action-classify-list keyword, make sure each access list is unique, and that the networks do not overlap.
You can additionally limit the traffic dropped by setting the threat level. If you do not explicitly set a threat level, the level used is threat-level range moderate very-high.
Note
The level and min and max options are:
•
•
•
•
•
Note
Step 4
(Optional)
dynamic-filter ambiguous-is-black
Example:hostname(config)# dynamic-filter ambiguous-is-black
If you configured the dynamic-filter drop blacklist command, then this command treats greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic will not be dropped. See the "Botnet Traffic Filter Address Categories" section for more information about the greylist.
Examples
The following recommended configuration monitors all traffic on the outside interface and drops all traffic at a threat level of moderate or higher:
hostname(config)# dynamic-filter enable interface outsidehostname(config)# dynamic-filter drop blacklist interface outsideIf you decide not to monitor all traffic, you can limit the traffic using an access list. The following example monitors only port 80 traffic on the outside interface, and drops traffic threat level very-high only:
hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_aclhostname(config)# dynamic-filter drop blacklist interface outside threat-level eq very-highBlocking Botnet Traffic Manually
If you choose not to block malware traffic automatically (see the "Enabling Traffic Classification and Actions for the Botnet Traffic Filter" section), you can block traffic manually by configuring an access list to deny traffic, or by using the shun command tool to block all traffic to and from a host.
For example, you receive the following syslog message:
ASA-4-338002: Dynamic Filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.comYou can then perform one of the following actions:
•
For example, using the syslog message above, you might want to deny traffic from the infected host at 10.1.1.45 to the malware site at 209.165.202.129. Or, if there are many connections to different blacklisted addresses, you can create an access list to deny all traffic from 10.1.1.45 until you resolve the infection on the host computer. For example, the following commands deny all traffic from 10.1.1.5 to 209.165.202.129, but permits all other traffic on the inside interface:
hostname(config)# access-list BLOCK_OUT extended deny ip host 10.1.1.45 host 209.165.202.129hostname(config)# access-list BLOCK_OUT extended permit ip any anyhostname(config)# access-group BLOCK_OUT in interface insideSee Chapter 13 "Adding an Extended Access List," for more information about creating an access list, and see Chapter 32 "Configuring Access Rules," for information about applying the access list to the interface.
Note
•
Shunning blocks all connections from the host, so you should use an access list if you want to block connections to certain destination addresses and ports. To shun a host, enter the following command. To drop the current connection as well as blocking all future connections, enter the destination address, source port, destination port, and optional protocol.
hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]]For example, to block future connections from 10.1.1.45, and also drop the current connection to the malware site in the syslog message, enter:
hostname(config)# shun 10.1.1.45 209.165.202.129 6798 80See "Blocking Unwanted Connections" section for more information about shunning.
After you resolve the infection, be sure to remove the access list or the shun. To remove the shun, enter no shun src_ip.
Searching the Dynamic Database
If you want to check if a domain name or IP address is included in the dynamic database, you can search the database for a string.
Detailed Steps
Examples
The following example searches on the string "example.com", and finds 1 match:
hostname# dynamic-filter database find bad.example.combad.example.comFound 1 matchesThe following example searches on the string "bad", and finds more than 2 matches:
hostname# dynamic-filter database find badbad.example.combad.example.netFound more than 2 matches, enter a more specific string to find an exactmatchMonitoring the Botnet Traffic Filter
Whenever a known address is classified by the Botnet Traffic Filter, then a syslog message is generated. You can also monitor Botnet Traffic Filter statistics and other parameters by entering commands on the adaptive security appliance. This section includes the following topics:
•
•
Botnet Traffic Filter Syslog Messaging
The Botnet Traffic Filter generates detailed syslog messages numbered 338nnn. Messages differentiate between incoming and outgoing connections, blacklist, whitelist, or greylist addresses, and many other variables. (The greylist includes addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist.)
See the Cisco ASA 5500 Series System Log Messages for detailed information about syslog messages.
Botnet Traffic Filter Commands
To monitor the Botnet Traffic Filter, enter one of the following commands:
Examples
The following is sample output from the show dynamic-filter statistics command:
hostname# show dynamic-filter statisticsEnabled on interface outsideTotal conns classified 11, ingress 11, egress 0Total whitelist classified 0, ingress 0, egress 0Total greylist classified 0, dropped 0, ingress 0, egress 0Total blacklist classified 11, dropped 5, ingress 11, egress 0Enabled on interface insideTotal conns classified 1182, ingress 1182, egress 0Total whitelist classified 3, ingress 3, egress 0Total greylist classified 0, dropped 0, ingress 0, egress 0Total blacklist classified 1179, dropped 1000, ingress 1179, egress 0The following is sample output from the show dynamic-filter reports top malware-sites command:
hostname# show dynamic-filter reports top malware-sitesSite Connections logged dropped Threat Level Category--------------------------------------------------------------------------------------bad1.example.com (10.67.22.34) 11 0 2 Botnetbad2.example.com (209.165.200.225) 8 8 3 Virusbad1.cisco.example(10.131.36.158) 6 6 3 Virusbad2.cisco.example(209.165.201.1) 2 2 3 Trojanhorrible.example.net(10.232.224.2) 2 2 3 Botnetnono.example.org(209.165.202.130) 1 1 3 VirusLast clearing of the top sites report: at 13:41:06 UTC Jul 15 2009The following is sample output from the show dynamic-filter reports top malware-ports command:
hostname# show dynamic-filter reports top malware-portsPort Connections logged----------------------------------------------------------------------tcp 1000 617tcp 2001 472tcp 23 22tcp 1001 19udp 2000 17udp 2001 17tcp 8080 9tcp 80 3tcp >8192 2Last clearing of the top sites report: at 13:41:06 UTC Jul 15 2009The following is sample output from the show dynamic-filter reports top infected-hosts command:
hostname# show dynamic-filter reports top infected-hostsHost Connections logged----------------------------------------------------------------------10.10.10.51(inside) 119010.12.10.10(inside) 1010.10.11.10(inside) 5Last clearing of the top infected-hosts report: at 13:41:06 UTC Jul 15 2009Configuration Examples for the Botnet Traffic Filter
This section includes the recommended configuration for single and multiple context mode, as well as other possible configurations. This section includes the following topics:
•
Recommended Configuration Example
The following recommended example configuration for single context mode enables downloading of the dynamic database, and enables use of the database. It creates a class map for all UDP DNS traffic, enables DNS inspection and Botnet Traffic Filter snooping with the default DNS inspection policy map, and applies it to the outside interface, the Internet-facing interface.
Example 51-1 Single Mode Botnet Traffic Filter Recommended Example
hostname(config)# dynamic-filter updater-client enablehostname(config)# dynamic-filter use-databasehostname(config)# class-map dynamic-filter_snoop_classhostname(config-cmap)# match port udp eq domainhostname(config-cmap)# policy-map dynamic-filter_snoop_policyhostname(config-pmap)# class dynamic-filter_snoop_classhostname(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoophostname(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outsidehostname(config)# dynamic-filter enable interface outsidehostname(config)# dynamic-filter drop blacklist interface outsideThe following recommended example configuration for multiple context mode enables the Botnet Traffic Filter for two contexts:
Example 51-2 Multiple Mode Botnet Traffic Filter Recommended Example
hostname(config)# dynamic-filter updater-client enablehostname(config)# changeto context context1hostname/context1(config)# dynamic-filter use-databasehostname/context1(config)# class-map dynamic-filter_snoop_classhostname/context1(config-cmap)# match port udp eq domainhostname/context1(config-cmap)# policy-map dynamic-filter_snoop_policyhostname/context1(config-pmap)# class dynamic-filter_snoop_classhostname/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoophostname/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outsidehostname/context1(config)# dynamic-filter enable interface outsidehostname/context1(config)# dynamic-filter drop blacklist interface outsidehostname/context1(config)# changeto context context2hostname/context2(config)# dynamic-filter use-databasehostname/context2(config)# class-map dynamic-filter_snoop_classhostname/context2(config-cmap)# match port udp eq domainhostname/context2(config-cmap)# policy-map dynamic-filter_snoop_policyhostname/context2(config-pmap)# class dynamic-filter_snoop_classhostname/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoophostname/context2(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outsidehostname/context2(config)# dynamic-filter enable interface outsidehostname/context2(config)# dynamic-filter drop blacklist interface outsideOther Configuration Examples
The following sample configuration adds static entries are to the blacklist and to the whitelist. Then, it monitors all port 80 traffic on the outside interface, and drops blacklisted traffic. It also treats greylist addresses as blacklisted addresses.
hostname(config)# dynamic-filter updater-client enablehostname(config)# changeto context context1hostname/context1(config)# dynamic-filter use-databasehostname/context1(config)# class-map dynamic-filter_snoop_classhostname/context1(config-cmap)# match port udp eq domainhostname/context1(config-cmap)# policy-map dynamic-filter_snoop_policyhostname/context1(config-pmap)# class dynamic-filter_snoop_classhostname/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoophostname/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outsidehostname/context1(config-pmap-c)# dynamic-filter blacklisthostname/context1(config-llist)# name bad1.example.comhostname/context1(config-llist)# name bad2.example.comhostname/context1(config-llist)# address 10.1.1.1 255.255.255.0hostname/context1(config-llist)# dynamic-filter whitelisthostname/context1(config-llist)# name good.example.comhostname/context1(config-llist)# name great.example.comhostname/context1(config-llist)# name awesome.example.comhostname/context1(config-llist)# address 10.1.1.2 255.255.255.255hostname/context1(config-llist)# access-list dynamic-filter_acl extended permit tcp any any eq 80hostname/context1(config)# dynamic-filter enable interface outside classify-list dynamic-filter_aclhostname/context1(config)# dynamic-filter drop blacklist interface outsidehostname/context1(config)# dynamic-filter ambiguous-is-blackhostname/context1(config)# changeto context context2hostname/context2(config)# dynamic-filter use-databasehostname/context2(config)# class-map dynamic-filter_snoop_classhostname/context2(config-cmap)# match port udp eq domainhostname/context2(config-cmap)# policy-map dynamic-filter_snoop_policyhostname/context2(config-pmap)# class dynamic-filter_snoop_classhostname/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoophostname/context2(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outsidehostname/context2(config-pmap-c)# dynamic-filter blacklisthostname/context2(config-llist)# name bad1.example.comhostname/context2(config-llist)# name bad2.example.comhostname/context2(config-llist)# address 10.1.1.1 255.255.255.0hostname/context2(config-llist)# dynamic-filter whitelisthostname/context2(config-llist)# name good.example.comhostname/context2(config-llist)# name great.example.comhostname/context2(config-llist)# name awesome.example.comhostname/context2(config-llist)# address 10.1.1.2 255.255.255.255hostname/context2(config-llist)# access-list dynamic-filter_acl extended permit tcp any any eq 80hostname/context2(config)# dynamic-filter enable interface outside classify-list dynamic-filter_aclhostname/context2(config)# dynamic-filter drop blacklist interface outsidehostname/context2(config)# dynamic-filter ambiguous-is-blackWhere to Go Next
•
•
•
Feature History for the Botnet Traffic Filter
Table 51-2 lists each feature change and the platform release in which it was implemented.
