08-15-2019 12:07 PM - edited 02-21-2020 09:24 AM
I'm running FMC 6.2.3.14 on 18 ASA devices.
I have disabled SIP inspection on my ASA devices, but how do I do this in the firepower policies?
I'm assuming the sfr policy on the ASA routes all traffic through the Firepower module, which means that Firepower is looking at SIP. This is what I would like to disable.
Any help would be appreciated.
Here's the relevant part of my running config from my ASA if needed:
access-list sfr_redirect extended permit ip any any
class-map sfr
 match access-list sfr_redirect
class-map inspection_default
 match default-inspection-traffic
class-map netflow
 match any
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect rsh
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
 class sfr
  sfr fail-open
 class netflow
  flow-export event-type all destination 192.168.x.x
 class class-default
  set connection decrement-ttl
  user-statistics accounting
08-15-2019 09:04 PM - edited 08-15-2019 09:08 PM
In a Firepower service module managed by FMC you can do this via Flexconfig. Create a Flexconfig object and enter these commands:
policy-map global_policy
 class inspection_default
  no inspect sip
Then bind this Flex object to Flex Policy and deploy.
If you are using ASDM management, you cannot change this inspection since Flexconfig is not supported with ASDM.
If you are running FTD, this is one of the few things that can be changed via cli:
> show running-config | begin global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
service-policy global_policy global
service-policy policy_map_Inside-Lab interface Inside-Lab
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:aa16121921d798a166b3f53cb302b677
: end
>
> configure inspection sip disable
Building configuration...
Cryptochecksum: 077fc587 091d47b6 e43a3da9 567421df

16047 bytes copied in 0.70 secs
[OK]
> show running-config | begin global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
service-policy global_policy global
service-policy policy_map_Inside-Lab interface Inside-Lab
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:077fc587091d47b6e43a3da9567421df
: end
>
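The answer above boils down to checking one block of the running config: whether `inspect sip` appears under `policy-map global_policy` / `class inspection_default`, which is what `no inspect sip` (ASA or FlexConfig) and `configure inspection sip disable` (FTD) change. With 18 devices it is worth auditing that block from saved `show running-config` output rather than eyeballing each one. The following is an added example, not code from the thread or from Cisco: a small parser that keys on the `policy-map` and `class` keywords (so it still works on pasted text that has lost its indentation, like the outputs above) and reports per device whether SIP is inspected. The sample configs are constructed from the shapes shown in this thread; the device names are placeholders.

```python
"""Audit ASA/FTD running-config text for SIP inspection in the global service policy.

Added example, not from the thread: parses the 'policy-map global_policy' /
'class inspection_default' block and reports whether 'inspect sip' is active.
"""


def inspections(config: str, policy_map: str = "global_policy",
                class_name: str = "inspection_default") -> set:
    """Return the set of protocols listed as 'inspect <proto> ...' in the given class.

    Keys on keywords rather than leading whitespace so it copes with text pasted
    without indentation, and honours a trailing 'no inspect <proto>' (as a
    FlexConfig object would apply it) by removing that protocol again.
    """
    found = set()
    in_pm = in_class = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        tokens = line.split()
        if tokens[0] == "policy-map":
            # 'policy-map NAME' or 'policy-map type inspect PROTO NAME': name is last token
            in_pm = tokens[-1] == policy_map
            in_class = False
        elif tokens[0] in ("service-policy", "class-map", "access-list", "interface"):
            in_pm = in_class = False          # back at the global configuration level
        elif tokens[0] == "class" and in_pm:
            in_class = len(tokens) > 1 and tokens[1] == class_name
        elif in_class and tokens[0] == "inspect" and len(tokens) > 1:
            found.add(tokens[1])              # 'inspect dns preset_dns_map' -> 'dns'
        elif in_class and tokens[:2] == ["no", "inspect"] and len(tokens) > 2:
            found.discard(tokens[2])
    return found


def audit(config: str, device: str) -> dict:
    """Summarise one device's inspection state for a fleet-wide report."""
    protos = inspections(config)
    return {"device": device, "sip_inspected": "sip" in protos,
            "inspections": sorted(protos)}


# Constructed samples modelled on the configs in this thread (device names are placeholders).
FTD_BEFORE = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
  inspect netbios
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
"""

# Same device after 'configure inspection sip disable': the 'inspect sip' line is gone.
FTD_AFTER = FTD_BEFORE.replace("  inspect sip\n", "")

# Shape of the original poster's ASA policy: no SIP line, plus the sfr redirect class.
ASA_OP = """\
policy-map global_policy
class inspection_default
inspect ftp
inspect netbios
inspect icmp
class sfr
sfr fail-open
class class-default
set connection decrement-ttl
"""

if __name__ == "__main__":
    for name, cfg in (("ftd-before", FTD_BEFORE), ("ftd-after", FTD_AFTER), ("asa-1", ASA_OP)):
        print(audit(cfg, name))
```

Feed it the saved output of `show running-config` from each device (or the FlexConfig object text appended to it) and flag any device where `sip_inspected` is still true; for the poster's case the ASA side shows false, and the sfr module has no separate inspection policy to check.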
08-16-2019 05:57 AM
Thank you.
I'm running FMC.
I added a no_sip object and added the commands you mentioned.
Then I created a disable sip Policy and appended the object to it.
When I click on policy assignments, none of my Firepower devices are listed, so I can't deploy.
Did I miss a step? I haven't used FlexConfig at all before, so maybe I'm missing something here.
08-16-2019 06:53 AM
Ah - sorry I was writing the procedure for an FTD device. Flexconfigs do not apply to ASA Firepower service modules (sfr). That's why you don't see them as an available policy target.
The sfr module should not be inspecting SIP traffic for protocol conformance as that function would be handled (or bypassed as it would be in your case) by the associated ASA software.
08-16-2019 07:21 AM
Thanks for your help.
I just needed to verify that SIP was not inspected.
Since the ASA says no inspect sip, I just wanted to make sure that the Firepower module was following suit.
Thank you for your help again!