https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083340#M136158 <P>Ok,</P> <P></P> <P>So now i'm facing another issue.</P> <P>I configured a remote vpn, cisco anyconnect, but the traffic goes trough my firewall rules, I mean, nothing is dropped, everything passes to my local interface.</P> <P>What am I missing?</P> Wed, 26 Apr 2017 15:28:50 GMT mproenca2014 2017-04-26T15:28:50Z https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083338#M136152 <P>Hi you all,</P> <P></P> <P>Where do I implement firewall rules in a Cisco Asa with Firepower?</P> <P>Is it in Asa Module or Firepower Module?</P> <P></P> <P>Thanks</P> Tue, 12 Mar 2019 09:16:41 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083338#M136152 mproenca2014 2019-03-12T09:16:41Z https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083339#M136155 <P>In the ASA.</P> Wed, 26 Apr 2017 14:46:01 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083339#M136155 Collin Clark 2017-04-26T14:46:01Z https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083340#M136158 <P>Ok,</P> <P></P> <P>So now i'm facing another issue.</P> <P>I configured a remote vpn, cisco anyconnect, but the traffic goes trough my firewall rules, I mean, nothing is dropped, everything passes to my local interface.</P> <P>What am I missing?</P> Wed, 26 Apr 2017 15:28:50 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083340#M136158 mproenca2014 2017-04-26T15:28:50Z https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083341#M136162 <P>By default that is the correct behavior. If you need to restrict access then you will have to create an ACL.</P> <P>http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6</P> Wed, 26 Apr 2017 15:46:58 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083341#M136162 Collin Clark 2017-04-26T15:46:58Z https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083342#M136167 <P>That's correct.</P> <P>And I created a rule for all interfaces denying everything.</P> <P>Any to Any Deny.</P> <P></P> <P>access-list INSIDE_access_in extended deny ip any any</P> <P>access-list ART_access_in_1 extended deny ip any any</P> <P>access-list NOS_access_in extended deny ip any any</P> <P></P> <P>But still working. I cannot see what's missing.</P> Wed, 26 Apr 2017 15:55:45 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083342#M136167 mproenca2014 2017-04-26T15:55:45Z https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083343#M136172 <P>My first comment is that you show us access list configuration but do not show us how the access lists are applied and how they are applied is critical to whether they work or not.</P> <P></P> <P>But the really important comment is that for AnyConnect the normal behavior is that access lists on interfaces do not evaluate or control AnyConnect VPN traffic. The expected behavior is that anything that comes into the ASA via AnyConnect will be allowed to pass through the ASA. If you want to control VPN traffic you should look into using VPN filters.</P> <P></P> <P>HTH</P> <P></P> <P>Rick</P> Wed, 26 Apr 2017 20:52:09 GMT https://community.cisco.com/t5/network-security/cisco-asa-firepower/m-p/3083343#M136172 Richard Burts 2017-04-26T20:52:09Z