Beginner

Firepower 4100 ACP rule not working?

Hi,


I have rule 23 that allows all private IP addresses (IPv4 RFC1918 group object) to use ICMP and TCP port 49 for TACACS+ to a specific IP (let's say 10.10.10.31). This rule seems not to work, as I get the result below from a packet tracer on the FMC. It seems like the private IPs don't get allowed by rule 23 and continue down until they hit the default deny statement at the end. What could I be missing, or what could be causing this?


Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434438 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434438: ACCESS POLICY: NAP10-Access-Policy - Default
access-list CSM_FW_ACL_ remark rule-id 268434438: L4 RULE: Default Policy
Additional Information:
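
A small parser for the packet-tracer output quoted above, added here as an example (it is not from the original thread or from Cisco): it walks the phases, finds the first one that dropped the packet and, when that phase is the ACCESS-LIST check, reports which rule-id and FMC "L4 RULE" name actually caught the flow. The input is the post's own phase 4, and the expected rule name passed to diagnose() is a placeholder, since the thread never names rule 23.

```python
import re

# Constructed sample: the ACCESS-LIST phase exactly as quoted in the post above.
SAMPLE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434438 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434438: ACCESS POLICY: NAP10-Access-Policy - Default
access-list CSM_FW_ACL_ remark rule-id 268434438: L4 RULE: Default Policy
Additional Information:
"""

def parse_phases(text):
    """Split packet-tracer output into dicts: number, type, result, access-list lines."""
    phases = []
    for line in text.splitlines():
        if line.startswith("Phase: "):
            phases.append({"number": int(line[7:]), "type": "", "result": "", "acl": []})
        elif not phases:
            continue  # ignore any banner text before the first phase
        elif line.startswith("Type: "):
            phases[-1]["type"] = line[6:].strip()
        elif line.startswith("Result: "):
            phases[-1]["result"] = line[8:].strip()
        elif line.startswith("access-list "):
            phases[-1]["acl"].append(line.strip())
    return phases

def acl_rule_hit(phase):
    """Pull the rule-id and the FMC 'L4 RULE' name out of the ACCESS-LIST remarks."""
    rule_id = name = None
    for line in phase["acl"]:
        m = re.search(r"rule-id (\d+)", line)
        rule_id = rule_id or (m and m.group(1))  # first rule-id is the matching entry
        m = re.search(r"L4 RULE: (.+)$", line)
        name = m.group(1).strip() if m else name
    return rule_id, name

def diagnose(text, expected_rule):
    """Name the first dropping phase and whether the expected ACP rule caught the flow."""
    drop = next((p for p in parse_phases(text) if p["result"] == "DROP"), None)
    if drop is None:
        return "ALLOW: no phase dropped the packet"
    if drop["type"] != "ACCESS-LIST":
        return f"DROP in phase {drop['number']} ({drop['type']}), before the ACP"
    rule_id, name = acl_rule_hit(drop)
    if name == expected_rule:
        return f"DROP by expected rule '{name}' (rule-id {rule_id})"
    return f"DROP by '{name}' (rule-id {rule_id}): flow never matched '{expected_rule}'"
```

When the verdict names the policy's default rule rather than the rule you expected, the flow never matched that rule's zones, networks or port object (or, as in this thread, the firewall never saw the forward direction of the flow at all).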

Accepted Solution
Beginner

Re: Firepower 4100 ACP rule not working?

NSFD_TCP is the name Firepower has when you search TCP port 49. Before that I used just the manual port 49. With the help of TAC I fixed the issue. It was asymmetric routing. Traffic was coming to the target device bypassing the Firepower, and then the target device would send traffic back through the Firepower. Because Firepower didn't see the requests coming in, it was dropping the return traffic.

4 Replies
Hall of Fame Master

Re: Firepower 4100 ACP rule not working?

Can you share the ACP rule that you intend to catch the traffic with?

Beginner

Re: Firepower 4100 ACP rule not working?

I've attached a snip of it to my first post. Not sure if there is a way to export a text example.

Hall of Fame Master

Re: Firepower 4100 ACP rule not working?

The destination ports in your ACP rule are the object "NSFD_TCP". Only traffic matching the ports in that service-group will be caught by that rule.
