06-07-2013 12:55 AM - edited 03-11-2019 06:54 PM
Hi
I create a SPAN port for all our traffic which goes to the internet.
The traffic from the SPAN will be directed to the ASA FW where the botnet filter is active and which has access to the internet.
I suppose the ASA must be configured in transparent mode for this to work.
That's right?
Any other issues where I have to pay attention?
sincerely Alfred
06-07-2013 09:39 AM
Hello Alfred,
I suppose the ASA must be configured in transparent mode for this to work.
That's right?
Can you tell me why it should be running in transparent mode? I don't see any reason for that.
Is the traffic going to go out via the ASA FW to the internet, or is this just some sort of monitoring implementation on the ASA?
Regards
06-10-2013 04:34 AM
Hi
I do not want to activate the botnet feature on an internet firewall, and so I thought, only to see the infected hosts, I could turn the traffic via SPAN to another firewall where the feature is activated.
Just to see how effective the feature is.
Additional info: I now think it is regardless of which mode it is.
regards
06-10-2013 12:53 PM
Hello Alfred,
Well, this is a feature that needs the traffic to go through the ASA, as that is how it works.
It sees the DNS A record and determines whether it is a valid good host or a known malicious site.
So what I am saying is: traffic to the internet must traverse this ASA, queries, replies, etc. So as long as this traffic goes through it, it should work. I would say it should work.
Let me know if you do not understand me.
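The DNS A-record inspection Julio describes above, as an added example that is not part of the original thread and not Cisco's code: a DNS-snooping classifier that learns name-to-address mappings only from replies that actually pass through it, then uses that context to classify later outbound connections. The blocklist entries, the names (`bad.example`, `www.example`) and the TEST-NET addresses are constructed stand-ins for the ASA's downloaded botnet database; the wire format is standard DNS, but the function names and the verdict strings are assumptions made for this example.

```python
import struct
import ipaddress

# Constructed stand-ins for the filter's domain and address blocklists (assumption:
# the real ASA database is downloaded from Cisco; these values are made up, TEST-NET ranges).
BLOCKLIST_DOMAINS = {"bad.example"}
BLOCKLIST_IPS = {ipaddress.ip_address("203.0.113.7")}


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build test fixtures)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_dns_response(qname, a_records, txid=0x1234, ttl=300):
    """Construct a minimal DNS response carrying A records for qname (test fixture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in a_records:
        # Owner name as a compression pointer (0xC00C) back to the question name at offset 12.
        answers += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                    + ipaddress.ip_address(ip).packed)
    return header + question + answers


def read_name(data, offset):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(data):
    """Return (name, ip, ttl) for every A record in the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return []  # a query, not a response: nothing to learn from
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            records.append((name, ipaddress.ip_address(rdata), ttl))
    return records


def snoop_dns_replies(replies):
    """Build the ip -> name cache a DNS-snooping filter learns from replies it forwards."""
    cache = {}
    for data in replies:
        for name, ip, _ttl in parse_a_records(data):
            cache[ip] = name
    return cache


def classify_connection(dst_ip, cache):
    """Classify an outbound connection using the snooped DNS context."""
    ip = ipaddress.ip_address(dst_ip)
    name = cache.get(ip)
    if name is None:
        # A box that never forwarded the DNS reply has no context for this destination.
        return ("", "no-dns-context")
    if name in BLOCKLIST_DOMAINS or ip in BLOCKLIST_IPS:
        return (name, "blacklist")
    return (name, "unknown")


if __name__ == "__main__":
    replies = [
        build_dns_response("bad.example", ["203.0.113.7"]),
        build_dns_response("www.example", ["198.51.100.10", "198.51.100.11"]),
    ]
    cache = snoop_dns_replies(replies)
    for dst in ("203.0.113.7", "198.51.100.11", "192.0.2.99"):
        print(dst, classify_connection(dst, cache))
```

The verdict only exists for destinations whose DNS reply the classifier saw, which is the point of the thread: the filter needs both the query/reply exchange and the later connection to traverse the same device, so a device that sees only a mirrored copy can at best log what it would have classified.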
07-22-2013 04:06 AM
FW configured as routed, SPAN to interface "inside" activated.
No packets coming in, interface counters nearly null, capture shows only a few packets.
SPAN delivers 45 MB/sec.
I am going to configure the FW as transparent now.
Any idea why it is not working?
Why should the fw let the packets in ?
sincerely Alfred
07-31-2013 04:44 AM
Answer from Cisco:
If you want to get this working, he mentioned to put this in inline mode, as mirroring would make
duplicate packets and at some point the ASA will see these as spoofed packets.
Reason: if you are mirroring the traffic, this means you have duplicate packets going to the ASA. To get the botnet filter to work,
this traffic needs to have a destination. So now you have legitimate traffic going out and duplicate packets (which are mirrored)
also going out. When the packets return, they will be dropped.
07-31-2013 09:47 AM
Hello Alfred,
Exactly, it needs to be inline.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura