-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
dns domain-lookup through dynamic-filter whitelist Commands
domain-name (dns server-group)
dynamic-filter ambiguous-is-black
dynamic-filter updater-client enable
dns domain-lookup through dynamic-filter whitelist Commands
dns domain-lookup
To enable the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands, use the dns domain-lookup command in global configuration mode. To disable DNS requests, use the no form of this command.
dns domain-lookup interface_name
no dns domain-lookup interface_name
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The command enable the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
Examples
The following example enable the ASA to send DNS requests to a DNS server to perform a name lookup for the inside interface:
hostname(config)# dns domain-lookup insideRelated Commands
dns expire-entry-timer
To remove the IP address of a resolved FQDN after its TTL expires, use the dns expire-entry-timer command in global configuration mode. To remove the timer, use the no form of this command.
dns expire-entry-timer minutes minutes
no dns expire-entry-timer minutes minutes
Syntax Description
Defaults
By default, the DNS expire-entry-timer value is 1 minute.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The command specifies the time to remove the IP address of a resolved FQDN after its TTL expires. When the IP address is removed, the ASA recompiles the tmatch lookup table.
Specifying this command is only effective when the associated network object for the DNS is activated.
The default DNS expire-entry-timer value is 1 minute, which means that IP addresses are removed 1 minute after the TTL of the DNS entry expires.
Note
Examples
The following example removes resolved entries after 240 minutes:
hostname(config)# dns expire-entry-timer minutes 240Related Commands
dns name-server
To configure a DNS server for the ASA, user the dns name-server command in global configuration mode. To remove the configuration, use the no form of this command.
dns name-server ipv4_addr | ipv6_addr
no dns name-server ipv4_addr | ipv6_addr
Syntax Description
ipv4_addr
Specifies the IPv4 address of the DNS server.
ipv6_addr
Specifies the IPv6 address of the DNS server.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
8.4(2)
This command was introduced.
9.0(1)
Support of IPv6 addresses was added.
Usage Guidelines
Use this command to identify a DNS server address for the ASA. The ASA supports both IPv4 and IPv6 addresses for DNS servers.
Examples
The following example configures a DNS server with an IPv6 address:
hostname(config)# dns domain-lookuphostname(config)# dns name-server 8080:1:2::2hostname(config)# dns retries 4hostname(config)# dns timeout 10Related Commands
dns poll-timer
To specify the timer during which the ASA queries the DNS server to resolve fully qualified domain names (FQDN) that are defined in a network object group, use the dns poll-timer command in global configuration mode. To remove the timer, use the no form of this command.
dns poll-timer minutes minutes
no dns poll-timer minutes minutes
Syntax Description
Defaults
By default, the DNS timer is 240 minutes or 4 hours.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
This command specifies the timer during which the ASA queries the DNS server to resolve the FQDN that was defined in a network object group. A FQDN is resolved periodically when the poll DNS timer has expired or when the TTL of the resolved IP entry has expired, whichever comes first.
This command has effect only when at least one network object group has been activated.
Examples
The following example sets the DNS poll timer to 240 minutes:
hostname(config)# dns poll-timer minutes 240Related Commands
dns update
To start DNS lookup to resolve the designated hostnames without waiting for the expiration of the DNS poll timer, use the dns update command in privileged EXEC mode.
dns update [host fqdn_name] [timeout seconds seconds]
Syntax Description
host fqdn_name
Specifies the fully qualified domain name of the host on which to run DNS updates.
timeout seconds seconds
Specifies the timeout in seconds.
Defaults
By default, the timeout is 30 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC mode
•
—
•
—
—
Command History
Usage Guidelines
This command immediately starts a DNS lookup to resolve the designated hostnames without waiting for the expiration of the DNS poll timer. When you run DNS update without specifying an option, all activated host groups and FQDN hosts are selected for DNS lookup. When the command finishes running, the ASA displays [Done] at the command prompt and generates a syslog message.
When the update operation starts, a starting update log is created. When the update operation finishes or is aborted after the timer has expired, another syslog message is generated. Only one outstanding DNS update operation is allowed. If you reissue the command, an error message appears.
Examples
The following example performs a DNS update:
hostname# dns updatehostname# ...hostname# [Done] dns updateRelated Commands
dns-group
To specify the DNS server to use for a WebVPN tunnel group, use the dns-group command in tunnel-group webvpn configuration mode. To restore the default DNS group, use the no form of this command.
dns-group name
no dns-group
Syntax Description
Defaults
The default value is DefaultDNS.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn-attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
The name can specify any DNS group. The dns-group command resolves the hostname to the appropriate DNS server for the tunnel group.
You configure the DNS group using the dns server-group command.
Examples
The following example shows a customization command that specifies the use of the DNS group named "dnsgroup1":
hostname(config)# tunnel-group test type webvpnhostname(config)# tunnel-group test webvpn-attributeshostname(config-tunnel-webvpn)# dns-group dnsgroup1hostname(config-tunnel-webvpn)#Related Commands
dns-guard
To enable the DNS guard function, which enforces one DNS response per query, use the dns-guard command in parameters configuration mode. To disable this feature, use the no form of this command.
dns-guard
no dns-guard
Syntax Description
This command has no arguments or keywords.
Defaults
DNS guard is enabled by default. This feature can be enabled when the inspect dns command is configured even if a policy-map type inspect dns command is not defined. To disable, the no dns-guard command must explicitly be stated in the policy map configuration. If the inspect dns command is not configured, the behavior is determined by the global dns-guard command.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
The identification field in the DNS header is used to match the DNS response with the DNS header. One response per query is allowed through the ASA.
Examples
The following example shows how to enable DNS guard in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# parametershostname(config-pmap-p)# dns-guardRelated Commands
dns-server
To set the IP address of the primary and secondary DNS servers, use the dns-server command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command.
dns-server {value ip_address [ip_address] | none}
no dns-server
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
This command allows inheritance of a DNS server from another group policy. To prevent inheriting a server, use the dns-server none command.
Each time you issue the dns-server command, you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same holds true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.
Examples
The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, 10.10.10.30, and 10.10.10.45 for the group policy named FirstGroup.
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#dns-server value 10.10.10.15 10.10.10.30 10.10.10.45Related Commands
clear configure dns
Removes all DNS commands.
show running-config dns server-group
Shows the current running DNS server group configuration.
dns server-group
To specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.
dns server -group name
no dns server-group
Syntax Description
Defaults
The default value is DefaultDNS.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The name can specify any DNS group. You configure the DNS group using the dns server-group command.
Examples
The following example configures a DNS server group named "eval":
hostname(config)# dns server-group evalhostname(config-dns-server-group)# domain-name cisco.comhostname(config-dns-server-group)# name-server 192.168.10.10hostname(config-dns-server-group)# retries 5hostname(config-dns-server-group)# timeout 7hostname(config-dns-server-group)#Related Commands
clear configure dns
Removes all DNS commands.
show running-config dns server-group
Shows the current running DNS server group configuration.
domain-name
To set the default domain name, use the domain-name command in global configuration mode. To remove the domain name, use the no form of this command.
domain-name name
no domain-name [name]
Syntax Description
Defaults
The default domain name is default.domain.invalid.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
•
Command History
Usage Guidelines
The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com" and specify a syslog server by the unqualified name of "jupiter," then the ASA qualifies the name to "jupiter.example.com." For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
Examples
The following example sets the domain to example.com:
hostname(config)# domain-name example.comRelated Commands
domain-name (dns server-group)
To set the default domain name, use the domain-name command in dns server-group configuration mode. To remove the domain name, use the no form of this command.
domain-name name
no domain-name [name]
Syntax Description
Defaults
The default domain name is default.domain.invalid.
Command Modes
The following table shows the modes in which you can enter the command:
Dns server-group configuration
•
•
•
•
•
Command History
7.1(1)
This command replaces the dns domain-lookup command, which has been deprecated.
Usage Guidelines
The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com," and specify a syslog server by the unqualified name of "jupiter," then the ASA qualifies the name to "jupiter.example.com." For multiple context mode, you can set the domain name for each context, as well as within the system execution space.
Examples
The following example sets the domain to "example.com" for "dnsgroup1":
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# domain-name example.comRelated Commands
downgrade
To downgrade your software version, use the downgrade command in global configuration mode.
downgrade [/noconfirm] old_image_url old_config_url [activation-key old_key]
Syntax Description
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
This command is a shortcut for completing the following functions:
1.
2.
3.
4.
5.
6.
Examples
The following example downgrades without confirming:
hostname(config)# downgrade /noconfirm disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.savRelated Commands
download-max-size
To specify the maximum size allowed for an object to download, use the download-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.
download-max-size size
no download-max-size
Syntax Description
Defaults
The default size is 2147483647.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy webvpn configuration mode
•
—
•
—
—
Command History
Usage Guidelines
Setting the size to 0 effectively disallows object downloading.
Examples
The following example sets the maximum size for a downloaded object to 1500 bytes:
hostname(config)#group-policy test attributeshostname(config-group-policy)#webvpnhostname(config-group-webvpn)#download-max-size 1500Related Commands
drop
To drop all packets that match the match command or class command, use the drop command in match or class configuration mode. To disable this action, use the no form of this command.
drop [send-protocol-error] [log]
no drop [send-protocol-error] [log]
Syntax Description
log
Logs the match. The syslog message number depends on the application.
send-protocol-error
Sends a protocol error message.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Match and class configuration
•
•
•
•
—
Command History
Usage Guidelines
When using the Modular Policy Framework, drop packets that match a match command or class map by using the drop command in match or class configuration mode. This drop action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action.
An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the drop command to drop all packets that match the match command or class command.
If you drop a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to drop the packet, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as dropping the packet, can occur. You can configure both the drop and the log action for the same match or class command, in which case the packet is logged before it is dropped for a given match.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect http http_policy_map command where http_policy_map is the name of the inspection policy map.
Examples
The following example drops packets and sends a log when they match the HTTP traffic class map. If the same packet also matches the second match command, it will not be processed because it was already dropped.
hostname(config-cmap)# policy-map type inspect http http-map1hostname(config-pmap)# class http-traffichostname(config-pmap-c)# drop loghostname(config-pmap-c)# match req-resp content-type mismatchhostname(config-pmap-c)# reset logRelated Commands
drop-connection
When using the Modular Policy Framework, drop packets and close the connection for traffic that matches a match command or class map by using the drop-connection command in match or class configuration mode. To disable this action, use the no form of this command.
drop-connection [send-protocol-error] [log]
no drop-connection [send-protocol-error] [log]
Syntax Description
send-protocol-error
Sends a protocol error message.
log
Logs the match. The system log message number depends on the application.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Match and class configuration
•
•
•
•
—
Command History
Usage Guidelines
The connection will be removed from the connection database on the ASA. Any subsequent packets entering the ASA for the dropped connection will be discarded. This drop-connection action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the drop-connection command to drop packets and close the connection for traffic that matches the match command or class command.
If you drop a packet or close a connection, then no further actions are performed in the inspection policy map. For example, if the first action is to drop the packet and close the connection, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as dropping the packet, can occur. You can configure both the drop-connection and the log action for the same match or class command, in which case the packet is logged before it is dropped for a given match.
When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action. For example, enter the inspect http http_policy_map command, where http_policy_map is the name of the inspection policy map.
Examples
The following example drops packets, closes the connection, and sends a log when they match the http-traffic class map. If the same packet also matches the second match command, it will not be processed because it was already dropped.
hostname(config-cmap)# policy-map type inspect http http-map1hostname(config-pmap)# class http-traffichostname(config-pmap-c)# drop-connection loghostname(config-pmap-c)# match req-resp content-type mismatchhostname(config-pmap-c)# reset logRelated Commands
dtls port
To specify a port for DTLS connections, use the dtls port command from webvpn configuration mode. To remove the command from the configuration, use the no form of this command:
dtls port number
no dtls port number
Syntax Description
Defaults
The default port number is 443.
Command Modes
The following table shows the modes in which you can enter the command:
Webvpn configuration
•
—
•
—
—
Command History
Usage Guidelines
This command specifies the UDP port to be used for SSL VPN connections using DTLS.
DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
Examples
The following example enters webvpn configuration mode and specifies port 444 for DTLS:
hostname(config)# webvpnhostname(config-webvpn)# dtls port 444Related Commands
duplex
To set the duplex of a copper (RJ-45) Ethernet interface, use the duplex command in interface configuration mode. To restore the duplex setting to the default, use the no form of this command.
duplex {auto | full | half}
no duplex
Syntax Description
auto
Auto-detects the duplex mode.
full
Sets the duplex mode to full duplex.
half
Sets the duplex mode to half duplex.
Defaults
The default is auto detect.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
•
Command History
7.0(1)
This command was moved from a keyword of the interface command to an interface configuration mode command.
Usage Guidelines
Set the duplex mode on the physical interface only.
The duplex command is not available for fiber media.
If your network does not support auto detection, set the duplex mode to a specific value.
For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.
If you set the duplex to anything other than auto on PoE ports, if available, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.
Examples
The following example sets the duplex mode to full duplex:
hostname(config)# interface gigabitethernet0/1hostname(config-if)# speed 1000hostname(config-if)# duplex fullhostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
dynamic-access-policy-config
To configure a DAP record and the access policy attributes associated with it, use the dynamic-access-policy-config command in global configuration mode. To remove an existing DAP configuration, use the no form of this command.
dynamic-access-policy-config name | activate
no dynamic-access-policy-config
Syntax Description
activate
Activates the DAP selection configration file.
name
Specifies the name of the DAP record. The name can be up to 64 characters long and cannot contain spaces.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration (name)
•
•
•
•
—
Privileged EXEC (activate)
•
•
•
•
—
Command History
8.0(2)
This command was introduced.
9.0(1)
Support for multiple context mode was added.
Usage Guidelines
Use the dynamic-access-policy-config command in global configuration mode to create one or more DAP records. To activate a DAP selection configuration file, use the dynamic-access-policy-config command with the activate argument.
When you use this command, you enter dynamic-access-policy-record mode, in which you can set attributes for the named DAP record. The commands you can use in dynamic-access-policy-record mode include the following:
•
•
•
•
•
•
Examples
The following example shows how to configure the DAP record named user1:
hostname(config)# dynamic-access-policy-config user1hostname(config-dynamic-access-policy-record)#Related Commands
dynamic-access-policy-record
To create a DAP record and populate it with access policy attributes, use the dynamic-access-policy-record command in global configuration mode. To remove an existing DAP record, use the no form of this command.
dynamic-access-policy-record name
no dynamic-access-policy-record name
Syntax Description
name
Specifies the name of the DAP record. The name can be up to 64 characters long and cannot contain spaces.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
Use the dynamic-access-policy-record command in global configuration mode to create one or more DAP records. When you use this command, you enter dynamic-access-policy-record mode, in which you can set attributes for the named DAP record. The commands you can use in dynamic-access-policy-record mode include the following:
•
•
•
•
•
•
Examples
The following example shows how to create a DAP record named Finance.
hostname(config)# dynamic-access-policy-record Financehostname(config-dynamic-access-policy-record)#Related Commands
dynamic-filter ambiguous-is-black
To treat Botnet Traffic Filter greylisted traffic as blacklisted traffic for dropping purposes, use the dynamic-filter ambiguous-is-black command in global configuration mode. To allow greylisted traffic, use the no form of this command.
dynamic-filter ambiguous-is-black
no dynamic-filter ambiguous-is-black
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
If you configured the dynamic-filter enable command and then the dynamic-filter drop blacklist command, this command treats greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic will not be dropped.
Ambiguous addresses are associated with multiple domain names, but not all of these domain names are on the blacklist. These addresses are on the greylist.
Examples
The following example monitors all port 80 traffic on the outside interface, and then drops blacklisted and greylisted traffic at a threat level of moderate or greater:
hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_aclhostname(config)# dynamic-filter drop blacklist interface outsidehostname(config)# dynamic-filter ambiguous-is-blackRelated Commands
dynamic-filter blacklist
To edit the Botnet Traffic Filter blacklist, use the dynamic-filter blacklist command in global configuration mode. To remove the blacklist, use the no form of this command.
dynamic-filter blacklist
no dynamic-filter blacklist
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
After you enter the dynamic-filter blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a blacklist using the address and name commands. You can also enter names or IP addresses in a whitelist (see the dynamic-filter whitelist command), so that names or addresses that appear on both the dynamic blacklist and whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist.
Static blacklist entries are always designated with a Very High threat level.
When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the ASA). We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snooping command). The ASA uses Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names in the following circumstances:
•
•
If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.
The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist.
If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that traffic will not be monitored by the Botnet Traffic Filter.
Note
Examples
The following example creates entries for the blacklist and whitelist:
hostname(config)# dynamic-filter blacklisthostname(config-llist)# name bad1.example.comhostname(config-llist)# name bad2.example.comhostname(config-llist)# address 10.1.1.1 255.255.255.0hostname(config-llist)# dynamic-filter whitelisthostname(config-llist)# name good.example.comhostname(config-llist)# name great.example.comhostname(config-llist)# name awesome.example.comhostname(config-llist)# address 10.1.1.2 255.255.255.255Related Commands
dynamic-filter database fetch
To test the download of the dynamic database for the Botnet Traffic Filter, use the dynamic-filter database fetch command in privileged EXEC mode.
dynamic-filter database fetch
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The actual database is not stored on the ASA; it is downloaded and then discarded. Use this command for testing purposes only.
Examples
The following example tests the download of the dynamic database:
hostname# dynamic-filter database fetchRelated Commands
dynamic-filter database find
To check if a domain name or IP address is included in the dynamic database for the Botnet Traffic Filter, use the dynamic-filter database find command in privileged EXEC mode.
dynamic-filter database find string
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
If there are multiple matches, the first two matches are shown. To refine your search for a more specific match, enter a longer string.
Examples
The following example searches on the string "example.com," and finds one match:
hostname# dynamic-filter database find bad.example.combad.example.comFound 1 matchesThe following example searches on the string "bad," and finds more than two matches:
hostname# dynamic-filter database find badbad.example.combad.example.netFound more than 2 matches, enter a more specific string to find an exactmatchRelated Commands
dynamic-filter database purge
To manually delete the Botnet Traffic Filter dynamic database from running memory, use the dynamic-filter database purge command in privileged EXEC mode.
dynamic-filter database purge
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Privileged EXEC
•
•
•
•
•
Command History
Usage Guidelines
The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command.
Before you can purge the database files, disable use of the database using the no dynamic-filter use-database command.
Examples
The following example disables use of the database, and then purges the database:
hostname(config)# no dynamic-filter use-databasehostname(config)# dynamic-filter database purgeRelated Commands
dynamic-filter drop blacklist
To automatically drop blacklisted traffic using the Botnet Traffic Filter, use the dynamic-filter drop blacklist command in global configuration mode. To disable the automatic dropping, use the no form of this command.
dynamic-filter drop blacklist [interface name] [action-classify-list subset_access_list] [threat-level {eq level | range min max}]
no dynamic-filter drop blacklist [interface name] [action-classify-list subset_access_list] [threat-level {eq level | range min max}]
Syntax Description
Defaults
This command is disabled by default.
The default threat level is threat-level range moderate very-high.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Be sure to first configure a dynamic-filter enable command for any traffic you want to drop; the dropped traffic must always be equal to or a subset of the monitored traffic.
You can enter this command multiple times for each interface and global policy. Make sure you do not specify overlapping traffic in multiple commands for a given interface/global policy. Because you cannot control the exact order that commands are matched, overlapping traffic means you do not know which command will be matched. For example, do not specify both a command that matches all traffic (without the action-classify-list keyword) as well as a command with the action-classify-list keyword for a given interface. In this case, the traffic might never match the command with the action-classify-list keyword. Similarly, if you specify multiple commands with the action-classify-list keyword, make sure each access list is unique, and that the networks do not overlap.
Examples
The following example monitors all port 80 traffic on the outside interface, and then drops traffic at a threat level of moderate or greater:
hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_aclhostname(config)# dynamic-filter drop blacklist interface outsideRelated Commands
dynamic-filter enable
To enable the Botnet Traffic Filter, use the dynamic-filter enable command in global configuration mode. To disable the Botnet Traffic Filter, use the no form of this command.
dynamic-filter enable [interface name] [classify-list access_list]
no dynamic-filter enable [interface name] [classify-list access_list]
Syntax Description
Defaults
The Botnet Traffic Filter is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The Botnet Traffic Filter compares the source and destination IP address in each initial connection packet to the IP addresses in the dynamic database, static database, DNS reverse lookup cache, and DNS host cache, and sends a syslog message or drops any matching traffic.
Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database of known bad domain names and IP addresses, and then logs any suspicious activity. You can also supplement the dynamic database with a static database by entering IP addresses or domain names in a local "blacklist" or "whitelist."
The DNS snooping is enabled separately (see the inspect dns dynamic-filter-snoop command). Typically, for maximum use of the Botnet Traffic Filter, you need to enable DNS snooping, but you can use Botnet Traffic Filter logging independently if desired. Without DNS snooping for the dynamic database, the Botnet Traffic Filter uses only the static database entries, plus any IP addresses in the dynamic database; domain names in the dynamic database are not used.
Botnet Traffic Filter Address Categories
Addresses monitored by the Botnet Traffic Filter include:
•
•
•
•
Botnet Traffic Filter Actions for Known Addresses
You can configure the Botnet Traffic Filter to log suspicious activity using the dynamic-filter enable conmmand, and you can optionally configure it to block suspicious traffic automatically using the dynamic-filter drop blacklist command.
Unlisted addresses do not generate any syslog messages, but addresses on the blacklist, whitelist, and greylist generate syslog messages differentiated by type. The Botnet Traffic Filter generates detailed syslog messages numbered 338nnn. Messages differentiate between incoming and outgoing connections, blacklist, whitelist, or greylist addresses, and many other variables. (The greylist includes addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist.)
See the syslog messages guide for detailed information about syslog messages.
Examples
The following example monitors all port 80 traffic on the outside interface, and then drops traffic at a threat level of moderate or greater:
hostname(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80hostname(config)# dynamic-filter enable interface outside classify-list dynamic-filter_aclhostname(config)# dynamic-filter drop blacklist interface outsideRelated Commands
dynamic-filter updater-client enable
To enable downloading of the dynamic database from the Cisco update server for the Botnet Traffic Filter, use the dynamic-filter updater-client enable command in global configuration mode. To disable downloading of the dynamic database, use the no form of this command.
dynamic-filter updater-client enable
no dynamic-filter updater-client enable
Syntax Description
This command has no arguments or keywords.
Defaults
Downloading is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
If you do not have a database already installed on the ASA, it downloads the database after approximately 2 minutes. The update server determines how often the ASA polls the server for future updates, typically every hour.
The Botnet Traffic Filter can receive periodic updates for the dynamic database from the Cisco update server.
This database lists thousands of known bad domain names and IP addresses. When the domain name in a DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to the DNS reverse lookup cache. When the infected host starts a connection to the IP address of the malware site, then the ASA sends a syslog message informing you of the suspicious activity.
To use the database, be sure to configure a domain name server for the ASA so that it can access the URL. To use the domain names in the dynamic database, you need to enable DNS packet inspection with Botnet Traffic Filter snooping; the ASA looks inside the DNS packets for the domain name and associated IP address.
In some cases, the IP address itself is supplied in the dynamic database, and the Botnet Traffic Filter logs any traffic to that IP address without having to inspect DNS requests.
The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command.
Note
Examples
The following multiple mode example enables downloading of the dynamic database, and enables use of the database in context1 and context2:
hostname(config)# dynamic-filter updater-client enablehostname(config)# changeto context context1hostname/context1(config)# dynamic-filter use-databasehostname/context1(config)# changeto context context2hostname/context2(config)# dynamic-filter use-databaseThe following single mode example enables downloading of the dynamic database, and enables use of the database:
hostname(config)# dynamic-filter updater-client enablehostname(config)# dynamic-filter use-databaseRelated Commands
dynamic-filter use-database
To enable use of the dynamic database for the Botnet Traffic Filter, use the dynamic-filter use-database command in global configuration mode. To disable use of the dynamic database, use the no form of this command.
dynamic-filter use-database
no dynamic-filter use-database
Syntax Description
This command has no arguments or keywords.
Defaults
Use of the database is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Disabling use of the downloaded database is useful in multiple context mode, so you can configure use of the database on a per-context basis. To enable downloading of the dynamic database, see the dynamic-filter updater-client enable command.
Examples
The following multiple mode example enables downloading of the dynamic database, and enables use of the database in context1 and context2:
hostname(config)# dynamic-filter updater-client enablehostname(config)# changeto context context1hostname/context1(config)# dynamic-filter use-databasehostname/context1(config)# changeto context context2hostname/context2(config)# dynamic-filter use-databaseThe following single mode example enables downloading of the dynamic database, and enables use of the database:
hostname(config)# dynamic-filter updater-client enablehostname(config)# dynamic-filter use-databaseRelated Commands
dynamic-filter whitelist
To edit the Botnet Traffic Filter whitelist, use the dynamic-filter whitelist command in global configuration mode. To remove the whitelist, use the no form of this command.
dynamic-filter whitelist
no dynamic-filter whitelist
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist. After you enter the dynamic-filter whitelist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist using the address and name commands. Names or addresses that appear on both the dynamic blacklist and static whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist. You can enter names or IP addresses in the static blacklist using the dynamic-filter blacklist command.
When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the ASA). We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snooping command). The ASA uses Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names in the following circumstances:
•
•
If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.
If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that traffic will not be monitored by the Botnet Traffic Filter.
Note
Examples
The following example creates entries for the blacklist and whitelist:
hostname(config)# dynamic-filter blacklisthostname(config-llist)# name bad1.example.comhostname(config-llist)# name bad2.example.comhostname(config-llist)# address 10.1.1.1 255.255.255.0hostname(config-llist)# dynamic-filter whitelisthostname(config-llist)# name good.example.comhostname(config-llist)# name great.example.comhostname(config-llist)# name awesome.example.comhostname(config-llist)# address 10.1.1.2 255.255.255.255Related Commands
