09-23-2012 06:24 AM - edited 03-11-2019 04:57 PM
We used the Botnet Filter in single context mode for a long time. Now we have converted to multiple context mode and the database is no longer updated. In the system context I can see the update settings, but when I try to update, the result is always "no DNS server". Since the system context has no interfaces, there are no DNS settings etc.
How should the Botnet Filter be configured in multiple context mode?
Thanks for any response in advance.
09-23-2012 07:35 AM
The Botnet filter should be configured under each context, as the system context is not a data context through which the actual traffic passes.
Here is a sample configuration on multiple context mode:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_botnet.html#wp1350582
Hope that helps.
09-23-2012 08:35 AM
Thanks!
Well, I tried this before too. Here is the result:
"dynamic-filter updater-client" can only be set in the system context. If you do so, you get a "no dns server available" response.
As described in the document you posted all other settings are made in the needed context.
Output from system context:
show dynamic-filter updater-client
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Application name: threatcast, version: 1.0
Encrypted UDI: xxxx
Last update attempted at 17:28:45 CEDT Sep 23 2012,
with result: Failed to connect to updater server
Next update is in 00:50:59
No database file
09-24-2012 06:25 AM
You would need to specify the DNS server in order to resolve the update server. Have you configured the DNS server on one of the contexts?
09-24-2012 09:02 AM
Yes, all contexts have a valid DNS except admin and system context.
09-25-2012 01:58 AM
From the ASA, can you please try to ping the following:
update-manifests.ironport.com
updates.ironport.com
Are you using an internal or external DNS server? and are you able to ping the DNS server?
Please kindly share your context configuration that has the DNS server configured.
Do you also have "dns domain-lookup
09-27-2012 09:34 AM
sh run | grep dns
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
policy-map type inspect dns preset_dns_map
inspect dns preset_dns_map
ping update-manifests.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 204.15.82.17, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 160/162/170 ms
ping updates.ironport.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 80.239.221.64, timeout is 2 seconds:
!!!!!
-
ASA Version 8.4(2)
!
hostname DE-VM-TER-FW-02
enable password 8Ry2Yj8765U24 encrypted
passwd 2KFQnb6IdI.2KY75 encrypted
names
!
interface GigabitEthernet0/0.3207
nameif TR_v207
security-level 50
ip address 10.28.6.60 255.255.255.248
!
interface GigabitEthernet0/0.3208
nameif TR_v208
security-level 70
ip address 10.28.6.68 255.255.255.248
!
interface GigabitEthernet0/0.3209
nameif TR_v209
security-level 80
ip address 10.28.6.76 255.255.255.248
!
interface GigabitEthernet0/0.3210
nameif TR_v210
security-level 90
ip address 10.28.6.84 255.255.255.248
!
interface GigabitEthernet0/1
nameif COLT
security-level 0
ip address 217.111.58.46 255.255.255.240
!
interface GigabitEthernet0/3
nameif T-COM
security-level 0
ip address 194.25.250.94 255.255.255.240
!
dns domain-lookup T-COM
dns domain-lookup COLT
dns server-group DefaultDNS
name-server 8.8.8.8
object network COLT_dynamic_NAT
subnet 0.0.0.0 0.0.0.0
object network T-COM_dynamiy_NAT
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
access-list COLT_access_in extended deny ip any any
access-list T-COM_access_in extended permit tcp any object DEUAG01-actsync eq https
access-list T-COM_access_in extended permit tcp any object DEUAG01-portal eq https
access-list T-COM_access_in extended deny ip any any
access-list TR_3208_access_in extended deny ip any object-group DM_INLINE_NETWORK_1
access-list TR_3208_access_in extended permit ip any any
access-list TR_3208_access_in extended permit icmp any any
access-list TR_v207_access_in extended deny ip any any
access-list TR_v210_access_in extended deny ip any any
access-list TR_v209_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu TR_v208 1500
mtu T-COM 1500
mtu COLT 1500
mtu TR_v207 1500
mtu TR_v210 1500
mtu TR_v209 1500
ip verify reverse-path interface T-COM
ip verify reverse-path interface COLT
ipv6 access-list TR_v207_access_ipv6_in deny ip any any
ipv6 access-list TR_v208_access_ipv6_in deny ip any any
ipv6 access-list TR_v209_access_ipv6_in deny ip any any
ipv6 access-list TR_v210_access_ipv6_in deny ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network COLT_dynamic_NAT
nat (any,COLT) dynamic interface
object network T-COM_dynamiy_NAT
nat (any,T-COM) dynamic interface
access-group TR_3208_access_in in interface TR_v208
access-group TR_v208_access_ipv6_in in interface TR_v208
access-group T-COM_access_in in interface T-COM
access-group COLT_access_in in interface COLT
access-group TR_v207_access_in in interface TR_v207
access-group TR_v207_access_ipv6_in in interface TR_v207
access-group TR_v210_access_in in interface TR_v210
access-group TR_v210_access_ipv6_in in interface TR_v210
access-group TR_v209_access_in in interface TR_v209
access-group TR_v209_access_ipv6_in in interface TR_v209
route T-COM 0.0.0.0 0.0.0.0 194.25.250.81 1
route COLT 0.0.0.0 0.0.0.0 217.111.58.33 20
route TR_v208 10.28.24.0 255.255.255.0 10.28.6.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
dynamic-filter use-database
dynamic-filter enable interface T-COM
dynamic-filter enable interface COLT
dynamic-filter drop blacklist interface T-COM
dynamic-filter drop blacklist interface COLT
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map dynamic-filter-snoop
!
service-policy global_policy global
Cryptochecksum:7bbe975fb39e189e99d8878787a0037
: end
System Context
dynamic-filter updater-client enable
Can't resolve update-manifests.ironport.com, make sure dns nameserver is configured
10-09-2012 03:37 AM
Solution:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146788
System Configuration
The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the ASA. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.
So now it works! The admin context needs to have Internet access and DNS defined.
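An added check, written for this thread and not taken from Cisco or from any poster, that reads the "show dynamic-filter updater-client" output quoted earlier and audits an admin-context configuration for the prerequisites the solution names (a name-server, "dns domain-lookup" on an interface, and a default route). The admin-context config below is constructed for illustration; the interface names and addresses are assumptions.

```python
import re

# Constructed sample: the updater-client output quoted in the thread.
UPDATER_OUTPUT = """\
Dynamic Filter updater client is enabled
Updater server URL is https://update-manifests.ironport.com
Last update attempted at 17:28:45 CEDT Sep 23 2012,
with result: Failed to connect to updater server
Next update is in 00:50:59
No database file
"""

# Constructed sample: a minimal admin context that satisfies the solution
# (hypothetical interface name and addresses, not the poster's real config).
ADMIN_CTX_OK = """\
interface GigabitEthernet0/3
 nameif outside
 ip address 194.25.250.94 255.255.255.240
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
route outside 0.0.0.0 0.0.0.0 194.25.250.81 1
"""


def updater_status(show_output):
    """Return (enabled, last_result, has_database) parsed from the
    'show dynamic-filter updater-client' output."""
    enabled = "updater client is enabled" in show_output
    m = re.search(r"with result:\s*(.+)", show_output)
    last_result = m.group(1).strip() if m else None
    has_database = "No database file" not in show_output
    return enabled, last_result, has_database


def admin_context_dns_gaps(config):
    """List what the admin context is missing for the system context to
    reach the updater server: a name-server, domain-lookup on an
    interface, and a default route. An empty list means no gaps."""
    gaps = []
    if not re.search(r"^\s*name-server\s+\S+", config, re.M):
        gaps.append("no name-server under dns server-group")
    if not re.search(r"^dns domain-lookup\s+\S+", config, re.M):
        gaps.append("no 'dns domain-lookup <interface>'")
    if not re.search(r"^route\s+\S+\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+",
                     config, re.M):
        gaps.append("no default route")
    return gaps
```

Run "show dynamic-filter updater-client" in the system context and "show running-config" in the admin context, then feed both strings to these functions; a failed last result combined with a non-empty gap list points at the admin-context DNS setup rather than at the filter configuration in the data contexts.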