https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015549#M30291 <P>is there a specific reason for that you want to turn off the sfr inspection on the interface? I am not aware if you can do on the interface however there is another way you can do with access-list.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>class-map SFR-CLASS<BR />match access-list SFR<BR />!</P> <P>policy-map global_policy<BR />class inspection_default</P> <P>class SFR-CLASS<BR />sfr fail-open!<BR />access-list SFR extended deny 192.168.10.0 255.255.255.0 <STRONG>(let say,this is the interface you want to exempt from inspection)</STRONG><BR />access-list SFR extended permit ip any any</P> Tue, 21 Jan 2020 18:12:26 GMT Sheraz.Salim 2020-01-21T18:12:26Z https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015534#M30279 <P>&nbsp;</P><P>Is there a way to turn off SFR on a single interface of an ASA?</P><P>&nbsp;</P> Tue, 21 Jan 2020 17:50:04 GMT https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015534#M30279 Greg Biettler 2020-01-21T17:50:04Z https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015549#M30291 <P>is there a specific reason for that you want to turn off the sfr inspection on the interface? I am not aware if you can do on the interface however there is another way you can do with access-list.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>class-map SFR-CLASS<BR />match access-list SFR<BR />!</P> <P>policy-map global_policy<BR />class inspection_default</P> <P>class SFR-CLASS<BR />sfr fail-open!<BR />access-list SFR extended deny 192.168.10.0 255.255.255.0 <STRONG>(let say,this is the interface you want to exempt from inspection)</STRONG><BR />access-list SFR extended permit ip any any</P> Tue, 21 Jan 2020 18:12:26 GMT https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015549#M30291 Sheraz.Salim 2020-01-21T18:12:26Z https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015560#M30309 The specific reason that we want to turn off sfr inspection on our Public interface is we're having issues with a VPN tunnel running through that interface.<BR />We currently have issues with a vendor that want's to set up VPN L2L tunnel through our Public outgoing interface. The tunnel comes up &amp; it passes windows traffic (they can get to their window shares) but it doesn't pass port 80 &amp; 443 traffic.<BR />The thought process is too turn the SFR module on our Public interface to see if deep packet inspection is causing this issue.<BR /><BR /> Tue, 21 Jan 2020 18:23:48 GMT https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015560#M30309 Greg Biettler 2020-01-21T18:23:48Z https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015577#M30325 <P>oh i see make sense. have to check the logs on the firepower if its blocking the traffic. what are the intrusion policyyou using in your network. ideally you must use as <SPAN class="st"><EM>Balanced Security</EM> and <EM>Connectivity</EM></SPAN>. you can use the access-list as i have mentioned earlier. or the other way is in firepower console ( are you using FMC or ASDM to manage your box) in both case go into access control policy and the address you think are creating problem. create a new acl in fmc/asdm of firepower and put them as <STRONG>Trust. </STRONG>prior to make them trust make sure they are define in discovery policy.</P> <P>having said that you have two option either do as access-list on the ASA code (as mentioned previous) or do it in Firepower setting (FMC or ASDM Firepower GUI).</P> <P>&nbsp;</P> Tue, 21 Jan 2020 18:48:36 GMT https://community.cisco.com/t5/network-security/turning-off-sfr-on-a-single-interface/m-p/4015577#M30325 Sheraz.Salim 2020-01-21T18:48:36Z