Old answer from an old Cisco ticket, I hope it is helpful.
I consulted one of our senior engineers on this issue. His statement is that this is a wrong design. If you want to get this working, he mentioned putting this in inline mode, as mirroring would create duplicate packets and at some point the ASA will see these as spoofed packets. Reason: if you are mirroring the traffic, this means you have duplicate packets going to the ASA. To get the botnet to work, this traffic needs to have a destination. So now you have legitimate traffic going out and duplicate packets (which are mirrored) also going out. On the return of the packets, these will be dropped.
I still have not closed the case; as you mentioned, at the time the show tech was taken the SPAN configuration was not applied. What we saw there was input data as well as output (for the last 5 min there was not any). The ASA will only drop the packet if it either:
1) Receives a packet on a different interface, e.g. a packet exits from the OUTSIDE interface and is received on the DMZ interface (spoofing)
2) A packet arrives on the INSIDE interface but without any destination, i.e. the ASA does not have a route to the destination
Hence the suggestion to place the ASA in inline mode, so there is only one inbound and one outbound traffic flow.
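To make the two drop reasons above concrete, here is an added toy model of a stateful firewall (written for this page, not code from Cisco or from the ticket). It is a deliberate simplification of ASA behaviour: a longest-prefix route table maps destinations to an egress interface, and every forwarded packet records a connection together with the interface it left through. The addresses, interface names and port numbers are constructed sample data. The `run_span` scenario feeds both directions of a flow into the inside interface, which is what happens when a switch SPAN session mirrors a link into one port cabled to the ASA; the reply copy then arrives on the wrong interface and is dropped, while the same flow passes cleanly in the inline scenario.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (documentation ranges), not taken from the page.
INSIDE_HOST = "10.1.1.5"
INTERNET_HOST = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str  # interface the firewall received the packet on


class ToyStatefulFirewall:
    """Hypothetical simplification of a stateful firewall.

    routes: prefix -> egress interface, e.g. {"10.": "inside", "": "outside"}
    where the empty prefix acts as the default route.
    conns:  (src, dst, sport, dport) -> interface the forward flow left through.
    """

    def __init__(self, routes: Dict[str, str]):
        self.routes = routes
        self.conns: Dict[Tuple[str, str, int, int], str] = {}

    def egress_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the string form of the address."""
        best: Optional[Tuple[str, str]] = None
        for prefix, iface in self.routes.items():
            if dst.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, iface)
        return best[1] if best else None

    def process(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if reverse in self.conns:
            # Drop reason 1: return traffic for a known connection must arrive
            # on the interface the forward flow left through.
            if pkt.ingress != self.conns[reverse]:
                return "DROP: wrong interface (spoof)"
            return "FORWARD"
        egress = self.egress_for(pkt.dst)
        if egress is None:
            # Drop reason 2: no route to the destination.
            return "DROP: no route"
        self.conns[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = egress
        return "FORWARD"


def run_inline() -> List[str]:
    """ASA is the only path: request seen on inside, reply seen on outside."""
    fw = ToyStatefulFirewall({"10.": "inside", "": "outside"})
    out = Packet(INSIDE_HOST, INTERNET_HOST, 40000, 443, "inside")
    back = Packet(INTERNET_HOST, INSIDE_HOST, 443, 40000, "outside")
    return [fw.process(out), fw.process(back)]


def run_span() -> List[str]:
    """Switch SPAN mirrors both directions into one port on the ASA's inside
    interface, so the copy of the reply also shows up on inside."""
    fw = ToyStatefulFirewall({"10.": "inside", "": "outside"})
    out_copy = Packet(INSIDE_HOST, INTERNET_HOST, 40000, 443, "inside")
    back_copy = Packet(INTERNET_HOST, INSIDE_HOST, 443, 40000, "inside")
    return [fw.process(out_copy), fw.process(back_copy)]


def run_no_route() -> List[str]:
    """No default route configured: outbound traffic has no destination."""
    fw = ToyStatefulFirewall({"10.": "inside"})
    out = Packet(INSIDE_HOST, INTERNET_HOST, 40000, 443, "inside")
    return [fw.process(out)]


if __name__ == "__main__":
    for name, scenario in (("inline", run_inline), ("span", run_span), ("no-route", run_no_route)):
        print(name, scenario())
```

Note that in the SPAN scenario the mirrored copy of the request is still forwarded, so the model also shows where the duplicate outbound packets the engineer mentions come from: the original leaves through the switch and the copy leaves through the ASA.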
Log in to the FXOS Chassis Manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...