https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4264828#M1076930 <P>Hello,</P><P>&nbsp;</P><P>I have an ASA 5545 with Firepower services, In the ASA we have the Service Policy Rule as show:</P><P>From Lan Network to Management Network and viceversa then bypass,</P><P>From any to any then send to the SFR device.</P><P>&nbsp;</P><P>In this case all the trafic that doesn't match the rule is sent to the module for apply internet acces control rules among others.</P><P>My question is:</P><P>When will be applied the Access control Rules created in the ASA? before or after the traffic goes to the SFR? or won't be applied?&nbsp;&nbsp;</P><P>For example: Suppose that the ASA allows the access Https from the Outside Network to Server A, but not to server B.</P><P>What If I have a rule in the SFR where Https traffic is allowed from the Outside to the server A and B?</P><P>Will traffic to the server B allowed?</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>Luigi.&nbsp;</P> Tue, 29 Dec 2020 19:16:42 GMT LuigiDiFronzo9542 2020-12-29T19:16:42Z https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4264828#M1076930 <P>Hello,</P><P>&nbsp;</P><P>I have an ASA 5545 with Firepower services, In the ASA we have the Service Policy Rule as show:</P><P>From Lan Network to Management Network and viceversa then bypass,</P><P>From any to any then send to the SFR device.</P><P>&nbsp;</P><P>In this case all the trafic that doesn't match the rule is sent to the module for apply internet acces control rules among others.</P><P>My question is:</P><P>When will be applied the Access control Rules created in the ASA? before or after the traffic goes to the SFR? or won't be applied?&nbsp;&nbsp;</P><P>For example: Suppose that the ASA allows the access Https from the Outside Network to Server A, but not to server B.</P><P>What If I have a rule in the SFR where Https traffic is allowed from the Outside to the server A and B?</P><P>Will traffic to the server B allowed?</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>Luigi.&nbsp;</P> Tue, 29 Dec 2020 19:16:42 GMT https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4264828#M1076930 LuigiDiFronzo9542 2020-12-29T19:16:42Z https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4264855#M1076932 <P>The ASA access-list will be checked first, then SFR, and then ASA again on the way out.&nbsp; Same principle applies to the FTD.</P> Tue, 29 Dec 2020 20:47:28 GMT https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4264855#M1076932 Marius Gunnerud 2020-12-29T20:47:28Z https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4265366#M1076959 <P>Thank you Marius,</P><P>&nbsp;</P><P>So in the example above, do you mean that traffic from outside to server B should not be allowed?</P><P><BR />Another example: Imagine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this especific case,<BR />will the traffic from server BB to the outside be banned?</P><P>&nbsp;</P><P>Thank you</P> Wed, 30 Dec 2020 18:43:18 GMT https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4265366#M1076959 LuigiDiFronzo9542 2020-12-30T18:43:18Z https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4265811#M1076982 <P><STRONG><EM>So in the example above, do you mean that traffic from outside to server B should not be allowed?</EM></STRONG></P> <P><SPAN>That is correct.</SPAN></P> <P><SPAN>I<STRONG><EM>magine that the ASA allows only traffic from server AA in DMZ to the outside, any other access is denied; and the SFR allows traffic from the pool of DMZ servers (including server AA and server BB) to the outside. In this especific case,</EM></STRONG><BR /><STRONG><EM>will the traffic from server BB to the outside be banned?</EM></STRONG></SPAN></P> <P><SPAN>BB will not be allowed if the ASA ingress interface access-list does not allow the traffic.&nbsp; Again, the access-list on the ingress interface will be checked first, then SFR, followed by the ASA egress interface access-list</SPAN></P> Fri, 01 Jan 2021 21:46:46 GMT https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4265811#M1076982 Marius Gunnerud 2021-01-01T21:46:46Z https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4266707#M1077001 <P>Thank you Marius</P> Mon, 04 Jan 2021 22:08:29 GMT https://community.cisco.com/t5/network-security/question-about-sfr-device-bypass/m-p/4266707#M1077001 LuigiDiFronzo9542 2021-01-04T22:08:29Z