Cisco Systems ASA 5505 Webcam User Manual


 
26-10
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic
Filter. See the “DNS Inspection” section on page 11-1 and Chapter 1, “Configuring a Service
Policy,” for detailed information about configuring advanced DNS inspection options using the
Modular Policy Framework.
Note You can also configure DNS snooping directly in the Configuration > Firewall > Service
Policy Rules > Rule Actions > Protocol Inspection > Select DNS Inspect Map dialog box by
checking the Enable Botnet traffic filter DNS snooping check box.
Restrictions
TCP DNS traffic is not supported.
Default DNS Inspection Configuration and Recommended Configuration
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does
not have DNS snooping enabled.
We suggest that you enable DNS snooping only on interfaces where external DNS requests are going.
Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates
unnecessary load on the ASA.
For example, if the DNS server is on the outside interface, you should enable DNS inspection with
snooping for all UDP DNS traffic on the outside interface.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > DNS Snooping pane.
All existing service rules that include DNS inspection are listed in the table.
Step 2 For each rule for which you want to enable DNS snooping, in the DNS Snooping Enabled column, check
the check box.
Step 3 Click Apply.
What to Do Next
See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 26-10.
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and
destination IP address in each initial connection packet to the following:
Dynamic database IP addresses
Static database IP addresses
DNS reverse lookup cache (for dynamic database domain names)
DNS host cache (for static database domain names)