Cisco Systems and the ASA Services Module User Manual

Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 26      Configuring the Botnet Traffic Filter
ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa/context1(config-llist)# dynamic-filter whitelist
ciscoasa/context1(config-llist)# name good.example.com
ciscoasa/context1(config-llist)# name great.example.com
ciscoasa/context1(config-llist)# name awesome.example.com
ciscoasa/context1(config-llist)# address 10.1.1.2 255.255.255.255
ciscoasa/context1(config-llist)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa/context1(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa/context1(config)# dynamic-filter drop blacklist interface outside
ciscoasa/context1(config)# dynamic-filter ambiguous-is-black
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# dynamic-filter use-database
ciscoasa/context2(config)# class-map dynamic-filter_snoop_class
ciscoasa/context2(config-cmap)# match port udp eq domain
ciscoasa/context2(config-cmap)# policy-map dynamic-filter_snoop_policy
ciscoasa/context2(config-pmap)# class dynamic-filter_snoop_class
ciscoasa/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context2(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
ciscoasa/context2(config-pmap-c)# dynamic-filter blacklist
ciscoasa/context2(config-llist)# name bad1.example.com
ciscoasa/context2(config-llist)# name bad2.example.com
ciscoasa/context2(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa/context2(config-llist)# dynamic-filter whitelist
ciscoasa/context2(config-llist)# name good.example.com
ciscoasa/context2(config-llist)# name great.example.com
ciscoasa/context2(config-llist)# name awesome.example.com
ciscoasa/context2(config-llist)# address 10.1.1.2 255.255.255.255
ciscoasa/context2(config-llist)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa/context2(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa/context2(config)# dynamic-filter drop blacklist interface outside
ciscoasa/context2(config)# dynamic-filter ambiguous-is-black
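
A consistency check for a multiple-context transcript like the one above, as an added example that is not part of the Cisco guide: it groups commands by the context named in each prompt and flags a DNS-snooping policy map that is never applied, a classify-list ACL that is never defined, and a missing drop rule. The function names and the sample transcript are constructed for illustration, and wrapped command lines are assumed to have been rejoined first.

```python
import re
# Constructed transcript (not from the guide): context1 is complete, context2 is not.
SAMPLE = """\
ciscoasa/context1(config)# policy-map dynamic-filter_snoop_policy
ciscoasa/context1(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context1(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
ciscoasa/context1(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa/context1(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa/context1(config)# dynamic-filter drop blacklist interface outside
ciscoasa/context2(config)# policy-map dynamic-filter_snoop_policy
ciscoasa/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context2(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
"""
PROMPT = re.compile(r"^[ \t]*\S+?/(?P<ctx>[^\s(]+)\([^)\n]*\)#[ \t]*(?P<cmd>\S.*?)[ \t]*$", re.M)

def commands_by_context(transcript):
    """Group commands by the context name embedded in each prompt."""
    ctxs = {}
    for m in PROMPT.finditer(transcript):
        ctxs.setdefault(m["ctx"], []).append(m["cmd"])
    return ctxs

def audit(cmds):
    """Findings for one context, judged against the pieces the guide's example enters."""
    findings, applied, snoop_pmap, pmap = [], set(), None, None
    acls = {c.split()[1] for c in cmds if c.startswith("access-list ")}
    for w in (c.split() for c in cmds):
        if w[0] == "policy-map":
            pmap = w[1]  # remember which policy-map later lines belong to
        elif w[0] == "inspect" and "dynamic-filter-snoop" in w:
            snoop_pmap = pmap
        elif w[0] == "service-policy":
            applied.add(w[1])
        elif w[:2] == ["dynamic-filter", "enable"] and "classify-list" in w[:-1]:
            acl = w[w.index("classify-list") + 1]
            if acl not in acls:
                findings.append(f"classify-list {acl} is not defined")
    if snoop_pmap is None:
        findings.append("DNS snooping not configured")
    elif snoop_pmap not in applied:
        findings.append(f"policy-map {snoop_pmap} is not applied by a service-policy")
    if not any(c.startswith("dynamic-filter enable") for c in cmds):
        findings.append("filter not enabled on any interface")
    if not any(c.startswith("dynamic-filter drop blacklist") for c in cmds):
        findings.append("no drop rule: blacklisted traffic is only logged")
    return findings

if __name__ == "__main__":
    print({ctx: audit(c) for ctx, c in commands_by_context(SAMPLE).items()})
```

An empty list for a context means every piece checked here is present; the script does not validate the blacklist or whitelist entries themselves.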
Where to Go Next
To configure the syslog server, see Chapter 41, “Configuring Logging,” in the general operations configuration guide.
To configure an ACL to block traffic, see Chapter 19, “Adding an Extended Access Control List,” in the general operations configuration guide and also see 
for information about applying the ACL to the interface.
To shun connections, see the 
.