topic Hi Vaibhav, in Network Security

Cisco Firepower configuration through ASDM

vaibhav58 — Tue, 12 Mar 2019 13:03:27 GMT

Hi,

I was trying to configure Cisco Firepower URL filtering through ASDM.

However I am trying to create access policy through ASDM but i am getting confused about the next steps. Please find the attached screenshot.

Where to go next?

Regards

Vaibhav

Hi Vaibhav,

yogdhanu — Sun, 03 Jul 2016 06:13:23 GMT

Hi Vaibhav,

You don't need to create new access control policy. Edit the default policy and then inside that policy, create rules.

only 1 access control policy will be applied to the device at one time.

Inside the access control policy, you can create rules based on category or custom URL.

Please check this article.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117956-technote-sourcefire-00.html

Though this is for firesight but the rule creation process is same in ASDM as well.

Rate if helps.

Yogesh

Thanks Yogesh.

vaibhav58 — Sun, 03 Jul 2016 14:20:53 GMT

Thanks Yogesh.

I was able to create a access policy. I created a standard rule to block social network websites but the access still goes through, i cannot see any traffic on my firepower logging monitor.

I do have the commands on my asa to redirect traffic to firepower:

EFC-FW# sh run | in sfr
access-list sfr_redirect extended permit ip any any
class-map sfr
match access-list sfr_redirect
class sfr
sfr fail-open
EFC-FW#

Please let me know what i am missing!! Awaiting your reply

Thanks in advance.

Regards

Vaibhav

Hi,

vaibhav58 — Sun, 03 Jul 2016 16:07:49 GMT

Hi,

I am getting this message in my logs:

SFR requested ASA to bypass further packet redirection and process TCP flow from inside

Any idea on this.

Regards

Vaibhav

Hi Vaibhav,

ankojha — Mon, 04 Jul 2016 05:03:12 GMT

Hi Vaibhav,

You might want to check this video regarding url filtering and see if the settings match :

https://www.youtube.com/watch?v=nXIBDQqekPY

Looks like in your case , the correct policy is not getting hit.

Just check the video for a bit of troubleshooting and let us know if it helps.

Please rate and mark helpful posts.

Thanks,

Ankita

HI Ankita,

vaibhav58 — Mon, 04 Jul 2016 08:08:34 GMT

HI Ankita,

This video of yours was the first i watched to get into this further. Thanks for it.

I am now able to block URL objects but not via category. Looks like i have an issue for my SFR module not able to connect to internet. For some reason , i was not able to ssh into my sfr module after getting into ASA, although it was working earlier.

I did found that HTTPS port need to be openend bidirectionally for updates to work. I have it opened to any to outside but none for inbound.

What IP address does the SFR module takes to connect to the internet ? Is it management IP? What IP address i use to open a rule for inbound HTTP/HTTPS for this.

Thanks in advance.

Regards

Vaibhav

Hello Team ,

Jetsy Mathew — Mon, 04 Jul 2016 08:15:04 GMT

Hello Team ,

For all the url filtering updates to be work, you have to open the following ports in the Firewall:-

Uses port 443 (bidirectional)
Uses port 80 (inbound)

Refer the following link to verify if you met all the requirements for the URL filtering to work.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Communication-Ports.html

Rate if the post helps you

Regards

Jetsy

Hi Jetsy, thanks for the

vaibhav58 — Mon, 04 Jul 2016 08:49:36 GMT

Hi Jetsy, thanks for the reply. I am using ASDM and thus having trouble for URL updates.

Can you please advise what access list i need to make for inbound https.

What interface does the firepower module uses for its outbound connection to internet?

Thanks

Regards

Vaibhav

Hi Vaibhav,

ankojha — Tue, 05 Jul 2016 06:41:45 GMT

Hi Vaibhav,

The sfr module uses its management ip for going out to internet so make sure

the default which you are assigning to sfr module is able to reach internet.

You can allow all access to and fro for the management ip of sfr module.

rate if it helps.

Thanks,

Ankita

Hi Ankita,

vaibhav58 — Tue, 05 Jul 2016 11:30:39 GMT

Hi Ankita,

thanks for the info, i will try this and let you know the updates.

Is this not a security issue to open access to the module from outside.

My management IP of the module is 192.168.10.2.Since i need bidirectional, i would require a static NAT bidirectional.

One more thing , when i click on URL category update and check logs on ASDM i do not see any traffic from 192.168.10.2. This is the reason I wanted to check which IP address firepower uses.

Also , are you aware of any list of IP Address to allow from outside. I am reluctant to open any .I saw this from another document:

Domain: support.sourcefire.com
URL: https://support.sourcefire.com
Port: 443/tcp (bidirectional)
IP Address: 50.19.123.95, 50.16.210.129

Additional IP Addresses that are also used by the support.sourcefire.com (in round robin method) are:

54.221.210.248
54.221.211.1
54.221.212.60
54.221.212.170
54.221.212.241
54.221.213.96
54.221.213.209
54.221.214.25
54.221.214.81

thanks in advance.

regards

Vaibhav

HI Ankita,

vaibhav58 — Tue, 05 Jul 2016 21:05:39 GMT

HI Ankita,

The issue is now resolved. There was a DNS issue. DNS server was configured and the process has to be restarted.

No inbound connection was needed.

Thanks for alll the help!!

Really appreciated.

Regards

Vaibhav

Re: Hi,

pro_engineering — Mon, 29 Jul 2019 17:52:31 GMT

Have you heard back anything on this?

Re: Hi,

Marvin Rhoads — Tue, 30 Jul 2019 03:33:31 GMT

@pro_engineering this is a 3 year old thread. Please open a new discussion if you have current questions.