topic Nested Access Control Policy on FTD 6.2.2 in Network Security https://community.cisco.com/t5/network-security/nested-access-control-policy-on-ftd-6-2-2/m-p/3308206#M1064671 <P>Hi;</P> <P>I have a ASA 5515-x FTD 6.2.2 and FMC. I created an access control policy based on a parent policy on which, I trusted a traffic to/from my mgmt PC on parent policy and then I added some rules to child policy. I saved and deployed to my FTD device but despite FMC says the Parent Policy (which includes a child policy) is up-to-date on all targeted devices, but while inspecting through ASA FTD CLI, I cannot see any child rules; there is just Parent Policy listed in the running-configuration.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ftd1.jpg" style="width: 700px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6006i7C872A03F9224B40/image-size/large?v=v2&amp;px=999" role="button" title="ftd1.jpg" alt="ftd1.jpg" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ftd1.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6009iBB276ED3F107D72D/image-size/large?v=v2&amp;px=999" role="button" title="ftd1.jpg" alt="ftd1.jpg" /></span></P> <P>&nbsp;</P> <P>and here is the CLI output on TFPD device:</P> <PRE>access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 9998 access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 9998 access-list CSM_FW_ACL_ remark rule-id 268435460: ACCESS POLICY: TPARENT-POLICY - Mandatory access-list CSM_FW_ACL_ remark rule-id 268435460: L7 RULE: Timaz-PC-Anywhere-Rule access-list CSM_FW_ACL_ advanced permit ip object TIMAZ-PC any rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435459: ACCESS POLICY: TPARENT-POLICY - Default access-list CSM_FW_ACL_ remark rule-id 268435459: L4 RULE: DEFAULT ACTION RULE access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268435459 event-log flow-start </PRE> <P>&nbsp;</P> <P>as a result, the rules inside child policy don't run. Do I need to do something for the child policy to take effect?</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:06:13 GMT ciscoworlds 2020-02-21T15:06:13Z Nested Access Control Policy on FTD 6.2.2 https://community.cisco.com/t5/network-security/nested-access-control-policy-on-ftd-6-2-2/m-p/3308206#M1064671 <P>Hi;</P> <P>I have a ASA 5515-x FTD 6.2.2 and FMC. I created an access control policy based on a parent policy on which, I trusted a traffic to/from my mgmt PC on parent policy and then I added some rules to child policy. I saved and deployed to my FTD device but despite FMC says the Parent Policy (which includes a child policy) is up-to-date on all targeted devices, but while inspecting through ASA FTD CLI, I cannot see any child rules; there is just Parent Policy listed in the running-configuration.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ftd1.jpg" style="width: 700px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6006i7C872A03F9224B40/image-size/large?v=v2&amp;px=999" role="button" title="ftd1.jpg" alt="ftd1.jpg" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ftd1.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/6009iBB276ED3F107D72D/image-size/large?v=v2&amp;px=999" role="button" title="ftd1.jpg" alt="ftd1.jpg" /></span></P> <P>&nbsp;</P> <P>and here is the CLI output on TFPD device:</P> <PRE>access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998 access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 9998 access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 9998 access-list CSM_FW_ACL_ remark rule-id 268435460: ACCESS POLICY: TPARENT-POLICY - Mandatory access-list CSM_FW_ACL_ remark rule-id 268435460: L7 RULE: Timaz-PC-Anywhere-Rule access-list CSM_FW_ACL_ advanced permit ip object TIMAZ-PC any rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435459: ACCESS POLICY: TPARENT-POLICY - Default access-list CSM_FW_ACL_ remark rule-id 268435459: L4 RULE: DEFAULT ACTION RULE access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268435459 event-log flow-start </PRE> <P>&nbsp;</P> <P>as a result, the rules inside child policy don't run. Do I need to do something for the child policy to take effect?</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:06:13 GMT https://community.cisco.com/t5/network-security/nested-access-control-policy-on-ftd-6-2-2/m-p/3308206#M1064671 ciscoworlds 2020-02-21T15:06:13Z Re: Nested Access Control Policy on FTD 6.2.2 https://community.cisco.com/t5/network-security/nested-access-control-policy-on-ftd-6-2-2/m-p/3308218#M1064672 Hi;<BR /><BR />I resolved the issue by myself! I assigned parent policy directly to the FTD device, thought that it should contain child policies too. But I was wrong; the opposite is true. The child policy should be assigned to FTD device which inherits parent policy too. Tue, 09 Jan 2018 11:33:32 GMT https://community.cisco.com/t5/network-security/nested-access-control-policy-on-ftd-6-2-2/m-p/3308218#M1064672 ciscoworlds 2018-01-09T11:33:32Z