Cisco ASA Series Firewall CLI Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
ciscoasa/context1(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa/context1(config-llist)# dynamic-filter whitelist
ciscoasa/context1(config-llist)# name good.example.com
ciscoasa/context1(config-llist)# name great.example.com
ciscoasa/context1(config-llist)# name awesome.example.com
ciscoasa/context1(config-llist)# address 10.1.1.2 255.255.255.255
ciscoasa/context1(config-llist)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa/context1(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa/context1(config)# dynamic-filter drop blacklist interface outside
ciscoasa/context1(config)# dynamic-filter ambiguous-is-black
ciscoasa/context1(config)# changeto context context2
ciscoasa/context2(config)# dynamic-filter use-database
ciscoasa/context2(config)# class-map dynamic-filter_snoop_class
ciscoasa/context2(config-cmap)# match port udp eq domain
ciscoasa/context2(config-cmap)# policy-map dynamic-filter_snoop_policy
ciscoasa/context2(config-pmap)# class dynamic-filter_snoop_class
ciscoasa/context2(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop
ciscoasa/context2(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside
ciscoasa/context2(config-pmap-c)# dynamic-filter blacklist
ciscoasa/context2(config-llist)# name bad1.example.com
ciscoasa/context2(config-llist)# name bad2.example.com
ciscoasa/context2(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa/context2(config-llist)# dynamic-filter whitelist
ciscoasa/context2(config-llist)# name good.example.com
ciscoasa/context2(config-llist)# name great.example.com
ciscoasa/context2(config-llist)# name awesome.example.com
ciscoasa/context2(config-llist)# address 10.1.1.2 255.255.255.255
ciscoasa/context2(config-llist)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa/context2(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa/context2(config)# dynamic-filter drop blacklist interface outside
ciscoasa/context2(config)# dynamic-filter ambiguous-is-black
Where to Go Next
• To configure the syslog server, see Chapter 41, “Configuring Logging,” in the general operations
configuration guide.
• To configure an ACL to block traffic, see Chapter 19, “Adding an Extended Access Control List,”
in the general operations configuration guide and also see Chapter 6, “Configuring Access Rules,”
for information about applying the ACL to the interface.
• To shun connections, see the “Blocking Unwanted Connections” section on page 28-2.