topic If you use that ACL, remember in Network Security

ASA with FP module Upgrade and add to FMC

johnlloyd_13 — Tue, 12 Mar 2019 09:23:45 GMT

hi all,

i was asked to deploy ASA with FP in our environment.

could some advice a summary of steps or point me to a primer doc (or video) to upgrade both ASA (5525-x) with FP module/image and add them to FMC?

any caveats i need to know, i.e. OS compatibility matrix, initial commands to put (redirect), etc.

The compatibility guide is

Marvin Rhoads — Sun, 21 May 2017 07:43:47 GMT

The compatibility guide is here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

The quick start guide covers most everything you need to get setup:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

Bottom line is you should make sure your FMC is at the current release (6.2.0 or later) and then image the module on the ASA to 6.2, making sure your ASA software is first at 9.5(2)+.

Get everything registered and then setup and deploy your policies from FMC.

hi marvin,

johnlloyd_13 — Thu, 01 Jun 2017 05:20:18 GMT

hi marvin,

i've checked some of our 5525-X and observed some have s2s ipsec VPNs and others got anyconnect VPN.

do i add a 'deny' lines to exclude VPN traffic from FP inspection?

or are they already denied/excluded since they're ISAKMP/UDP 500 traffic and not IP?

or is there a policy in FMC we can create to exclude the said VPN traffic?

access-list SFR_ACL extended permit ip any any

class-map SFR_CMAP
match SFR_ACL

policy-map global_policy
class SFR_CMAP
sfr fail-open

The UDP traffic runs over IP

Marvin Rhoads — Thu, 01 Jun 2017 06:18:04 GMT

The UDP traffic runs over IP so it would have to be called out separately. Here is what I've used to block IPsec VPN traffic where the decryption is downstream from the ASA:

access-list sfr_redirect extended deny udp any any eq 500 
access-list sfr_redirect extended deny udp any any eq 4500
access-list sfr_redirect extended deny esp any any 
access-list sfr_redirect extended permit ip any any

Where the IPsec is being terminated on the ASA, I believe the FirePOWER inspection occurs pre-decryption so that should work there as well.

AnyConnect is generally SSL VPN (although it does support IKEv2 IPsec), so you might have a challenge exempting that without also exempting trffic that you wish to inspect. (Even without decrypting SSL there is some utiilty in inspecting the flows.)

EDIT - updated to include the udp/500 traffic.

hi marvin,

johnlloyd_13 — Thu, 01 Jun 2017 06:18:05 GMT

hi marvin,

shouldn't ISAKMP UDP 500 be included on the deny ACE? i believe UDP 4500 is for NAT-T.

access-list sfr_redirect extended deny udp any any eq 500
access-list sfr_redirect extended deny udp any any eq 4500
access-list sfr_redirect extended deny esp any any
access-list sfr_redirect extended permit ip any any

for anyconnect since it's SSL encrypted, so it won't be identified as IP traffic? is my assumption correct? no need for an ACE?

Yes - sorry I missed that

Marvin Rhoads — Thu, 01 Jun 2017 06:19:35 GMT

Yes - sorry I missed that line in pulling a snippet from my template via cut and paste.

I updated my reply to correct that.

marvin,

johnlloyd_13 — Thu, 01 Jun 2017 06:43:56 GMT

marvin,

thanks for the correction!

how about anyconnect VPN traffic? do i need to add an ACE using private IP LAN-to-LAN (S2S subnet)? or create an identity NAT for the source subnet used for S2S VPN?

i just don't want anyconnect VPN traffic to be inspected and just bypass FP module.

hi marvin,

johnlloyd_13 — Thu, 03 Aug 2017 04:33:29 GMT

hi marvin,

i've got a site with ASA FP and use the FW as the anyconnect RA VPN GW.

do i do the same deny ACL above or deny the IP subnet based on the RA DHCP POOL subnet?

or it doesn't matter since it's SSL encrypted and permit ip any any won't be able to inspect it?

That's a good question - I'm

Marvin Rhoads — Thu, 03 Aug 2017 10:38:08 GMT

That's a good question - I'm not positive on the answer. It's not quite clear to me where along the packet processing path of the ASA decryption takes place.

Even when we do a packet-tracer of an SSL VPN flow to an internal resource, the SSL decrypt does not show up. There is a good one illustrated in Pete Long's blog here:

https://www.petenetlive.com/KB/Article/0001298

We do see the policy map is at Phase 4. There is a "VPN" at phase 8 but that indicates ipsec not ssl.

I will ask around to see if I can get a better answer.

hi marvin,

johnlloyd_13 — Thu, 03 Aug 2017 14:18:31 GMT

hi marvin,

i do have the identity NAT for the RA pool subnet.

i have prepared this FP redirect ACL just to make sure FP module doesn't inspect or take any action on the anyconnect traffic.

access-list FP-REDIRECT extended deny ip 172.30.5.0 0.0.0.255 any
access-list FP-REDIRECT extended deny ip any 172.30.5.0 0.0.0.255
access-list FP-REDIRECT extended permit ip any any

or is above FP ACL a bit of an 'overkill'?

i'll read on the link you gave me and would appreciate if you could advise on this. otherwise i would go for a TAC route 🙂

If you use that ACL, remember

Marvin Rhoads — Thu, 03 Aug 2017 15:31:04 GMT

If you use that ACL, remember that ASA access list masks are not inverse like router ACL subnet masks. So a /24 would be 255.255.255.0.

I'd check with TAC to be sure of the impact (or need).

sure. i'll make a quick check

johnlloyd_13 — Thu, 03 Aug 2017 15:36:47 GMT

sure. i'll make a quick check with TAC.

i typed the ACL on the fly and forgot it's normal mask on ASA, my bad 🙂