SPAN traffic to ASA Firewall with Botnet feature

Hi

I created a SPAN port for all our traffic which goes to the internet.

The traffic from the SPAN will be directed to the ASA FW where the botnet filter is active and which has access to the internet.

I suppose the ASA must be configured in transparent mode for this to work.

Is that right?

Are there any other issues I have to pay attention to?

Sincerely, Alfred


6 Replies

Julio Carvajal
VIP Alumni

Hello Alfred,

"I suppose the ASA must be configured in transparent mode for this to work. Is that right?"

Can you tell me why it should be running in transparent mode? I don't see any reason for that.

Is the traffic going to go out via the ASA FW to the internet, or is this some sort of monitoring-only implementation on the ASA?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi

I do not want to activate the botnet feature on an internet firewall, so I thought that, just to see the infected hosts, I could send the traffic via SPAN to another firewall where the feature is activated.

Just to see how effective the feature is.

Additional info: I now think it does not matter which mode it is in.

Regards

Hello Alfred,

Well, this is a feature that needs the traffic to go through the ASA, as that is how it works.

It sees the DNS A record and determines whether it is a valid good host or a known malicious site.

So what I am saying is: traffic to the internet must traverse this ASA (queries, replies, etc.). So as long as this traffic goes through it, it should work. I would say it should work.

Let me know if you do not understand me.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FW configured as routed, SPAN to interface "inside" activated.

No packets coming in, interface counters nearly null, the capture shows only a few packets.

The SPAN delivers 45 MB/sec.

I am going to configure the FW as transparent now.

Any idea why it is not working?

Why should the FW let the packets in?

Sincerely, Alfred

Answer from Cisco:

If you want to get this working, he said to put this in inline mode, as mirroring would make duplicate packets and at some point the ASA will see these as spoofed packets.

Reason: if you are mirroring the traffic, this means you have duplicate packets going to the ASA. To get the botnet filter to work, this traffic needs to have a destination. So now you have legitimate traffic going out and duplicate packets (which are mirrored) also going out. On the return of the packets, these will be dropped.
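An added example of the inline setup the Cisco answer describes, not configuration from this thread: a routed ASA that hosts actually traverse, the Botnet Traffic Filter enabled on the internet-facing interface, and DNS snooping in the default inspection policy so the filter sees the A records Julio mentions. Interface names, addresses and the DNS server are assumed example values.

```cisco
! Assumed interface names and addresses (example values, not from the thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Hosts must be routed through this ASA (inline), not mirrored to it:
! the filter depends on the ASA seeing DNS replies and the return traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! The ASA itself needs DNS resolution to download the dynamic database.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
!
! Botnet Traffic Filter: fetch the Cisco database and use it for classification.
dynamic-filter updater-client enable
dynamic-filter use-database
!
! DNS snooping: build the IP-to-domain map from A records in DNS replies.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy global_policy global
!
! Classify traffic on the internet-facing interface (monitor only), then
! optionally drop connections to blacklisted addresses once you trust the results.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
```

With traffic flowing inline, `show dynamic-filter statistics` and `show dynamic-filter reports top infected-hosts` show what the filter has classified, which is the visibility Alfred was after.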

Hello Alfred,

Exactly, it needs to be inline.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/


Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC