ASA Access Rules and ASA Firepower Access Control Rules

tonyk0001
Level 1

Dear Team,

 

I hope this finds you well.

 

I need some help so that I can understand something.

What is the relationship between the access rules in the normal ASA and the Firepower access control rules, and if you have both rules contradicting each other, which one is considered?

 

Regards

 

 

5 Replies

Shubham Bharti
Cisco Employee

Can you further explain your problem or use some examples? It's hard to figure out if you are talking about one product or two individual products.

 

If you are talking about ASA with Firepower, you need to create an ACL on the ASA to redirect the traffic that you want to send to Firepower, and then you create an Access Control rule on Firepower to decide what to do with the redirected traffic.

You permit all traffic on the ASA using the ACL that you want to inspect with Firepower and deny whatever is not needed to go to Firepower for inspection (such as backup or management traffic). You call this ACL under the policy map.

tonyk0001
Level 1

Dear Bharti,

 

I am talking about ASA with Firepower. I mean, if I direct the traffic that I want to inspect to the Firepower, do I still need to control that traffic using normal access rules in the ASA, or will I have to use access control rules in the Firepower?

 

What will happen if I configure contradicting access rules in the ASA and Access Control Rules in Firepower?

 

Regards

Hi Tonyk,

 

Actually, both are working separately. You can edit both of them as you want. Firepower applies only to the traffic which is selected using the service policy with Firepower inspection enabled. All other traffic uses the ASA firewall rules.

 

 

regards,

*** Pls rate all useful responses ***
Good Luck

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

InTheJuniverse
Level 1

Tony

 

This is a very common question, so let's start from the basics.

 

A Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules; let's call them Access Lists.

 

So, using ACLs we can ONLY allow or deny traffic, and the default action is implicit deny.

 

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows at the Application layer; it can also detect and prevent exploits.

 

ASA is a Firewall while Firepower is an IPS. How do ASA and Firepower work together?

 

Suppose in your network you are allowing the following traffic:

 

Inside Network 192.168.0.0/16 can talk to DMZ Network 172.16.0.0/16

Inside Network 192.168.0.0/16 can access Internet.

 

Generally speaking, what traffic would you inspect for malware, viruses etc.? Inside to DMZ? No. You would want to inspect traffic coming from, or destined to, the Internet (outside).

 

Using a special access list on the ASA (*1), certain traffic (in this case, Inside to Outside) will be redirected to Firepower for inspection (remember, this has nothing to do with allowing or denying that traffic on the network).

 

So, what is an Access Control Policy? Once traffic from Inside to Outside has reached Firepower for inspection, the ACP kicks in.

 

While an Access Control List can only allow or deny traffic, an Access Control Policy can do the following:

 

Rule 1 : Deny subnet 192.168.0.0/16 from accessing any SSH connection AND log it

Rule 2 : Allow Subnet 192.168.1.0/24 (*2) to access government URLs AND send it for Malware inspection

Rule 3 : Interactively Block (*3) Subnet 192.168.1.0/24 (*2) from accessing Shopping URLs and send it to Malware inspection policy 1

Rule 4 : Deny Subnet 192.168.2.0/24 (*2) from accessing any FTP server and send traffic to Malware inspection policy 2

Rule 5 : Allow Outlook Traffic (192.168.4.0/24) (*2) and send it to 'File Policy' for inspection

 

File Policy could be: if Office files are detected, block upload. MP3 files, block. Exe files, block AND send for inspection, etc.

 

Rule 6 : Default Action : Block, Network Discovery, Trust or IPS (MOSTLY, you would NEVER want to use "Block" as the default action in an ACP)

 

 

**Important** While an ACL on a Firewall can only allow or deny traffic, ACP actions are: Allow, Trust (no more inspection), Monitor (logging only), Block, Block with Reset (send an RST packet), Interactive Block or Interactive Block with Reset

 

 

(*1) You can find it using `sh run class-map sfr`

(*2) These subnets can only be part of the subset that is being redirected to Firepower, in this case 192.168.0.0/24; anything else you try will never be inspected, because the traffic won't even come to FP.

(*3) Interactive Block works as 'Allow', but gives a warning page before a site is allowed. Warning page: "Hello, the website you are accessing is classified as "Shopping", connections to this site are monitored"
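The two-ACL arrangement described in Shubham's reply and in the post above (the ASA's own interface ACL deciding allow/deny, and a separate redirect ACL under the service policy deciding what the Firepower module sees) as an added, constructed ASA configuration; it is not from the thread, and the ACL names, interface names and the `global_policy` policy-map name are assumptions chosen for illustration:

```cisco
! Constructed example, not from the thread. Interface/ACL names are assumptions.
!
! (1) Normal ASA access rules: this is what allows or denies traffic on the network.
!     Anything denied here is dropped by the ASA and never reaches Firepower.
access-list INSIDE_IN extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list INSIDE_IN extended permit ip 192.168.0.0 255.255.0.0 any
! (implicit deny at the end)
access-group INSIDE_IN in interface inside
!
! (2) Redirect ACL: this only selects which of the permitted traffic is handed to the
!     SFR module for inspection. permit = send to Firepower, deny = skip inspection.
!     Inside-to-DMZ is excluded (not inspected); Inside-to-Internet is sent to Firepower.
access-list SFR_REDIRECT extended deny ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list SFR_REDIRECT extended permit ip 192.168.0.0 255.255.0.0 any
!
! (3) Tie the redirect ACL to the module via the service policy (this is the
!     class-map that "sh run class-map sfr" shows).
class-map sfr
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class sfr
  ! fail-open: if the module is down, matched traffic is still forwarded by the ASA.
  ! fail-close would drop it instead; choose based on availability vs. inspection needs.
  sfr fail-open
!
service-policy global_policy global
```

The ACP rules on Firepower (for example, "Deny 192.168.0.0/16 to SSH") are evaluated only on flows that pass the interface ACL in (1) and match a permit in (2), so a "contradiction" between the two is resolved by order: the ASA rule is applied first, and Firepower can only further restrict or inspect what the ASA already let through.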

tonyk0001
Level 1

Hi @InTheJuniverse

That was really helpful. 

 

Thanks a lot.

 

Regards
