I hope this finds you well.
I need some help so that I can understand something.
What is the relationship between the access rules in the normal ASA and the Firepower access control rules, and if you have both rules contradicting each other, which one is considered?
Can you further explain your problem or use some examples? It's hard to figure out if you are talking about one product or two individual products.
If you are talking about ASA with Firepower, you need to create an ACL on the ASA to redirect the traffic that you want to send to Firepower, and then you create an Access Control rule on Firepower to decide what to do with the redirected traffic.
You permit all traffic on the ASA using the ACL that you want to inspect with Firepower and deny whatever is not needed to go to Firepower for inspection (such as Backup or Management Traffic). You call this ACL under a policy map.
I am talking about ASA with Firepower. I mean, if I direct the traffic that I want to inspect to the Firepower, do I still need to control that traffic using normal access rules in the ASA, or will I have to use access control rules in the Firepower?
What will happen if I configure contradicting access rules in the ASA and Access Control Rules in Firepower?
Actually, both work separately. You can edit both of them as you want. Firepower applies only to the traffic that is selected using the service policy with Firepower inspection enabled. All other traffic uses the ASA firewall rules.
*** Pls rate all useful responses ***
This is a very common question, so let's start from basics.
A Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules; let's call them Access Lists.
So, using ACLs we can ONLY allow or deny traffic, and default action is implicit deny.
An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.
ASA is a Firewall while Firepower is an IPS. How do ASA and Firepower work together?
Suppose in your network, you are allowing the following traffic:
Inside Network 192.168.0.0/16 can talk to DMZ Network 172.16.0.0/16
Inside Network 192.168.0.0/16 can access Internet.
Generally speaking, what traffic would you inspect for malware, viruses etc.? Inside to DMZ? No. You would want to inspect traffic coming from, or destined to, the Internet (outside).
Using a special access list on ASA (*1), certain traffic (in this case, Inside to Outside) will be redirected to Firepower for inspection (remember, this has nothing to do with allowing or denying that traffic on the network).
So, what is an Access Control Policy? Once traffic from Inside to Outside has reached Firepower for inspection, the ACP kicks in.
While an Access Control List can only allow or deny traffic, an Access Control Policy can:
Rule 1 : Deny subnet 192.168.0.0/16 from accessing any SSH connection AND log it
Rule 2 : Allow Subnet 192.168.1.0/24 (*2) to access government URLs AND send it to Malware inspection
Rule 3 : Interactively Block (*3) Subnet 192.168.1.0/24 (*2) from accessing Shopping URLs and send it to Malware inspection policy 1
Rule 4 : Deny Subnet 192.168.2.0/24 (*2) from accessing any FTP server and send traffic to Malware inspection policy 2
Rule 5 : Allow Outlook Traffic (192.168.4.0/24) (*2) and send it to 'File Policy' for inspection
File Policy could be: If Office files are detected, Block Upload. MP3 files, block. Exe files, block AND send for inspection, etc.
Rule 6 : Default Action : Block, Network Discovery, Trust or IPS (MOSTLY, you would NEVER want to use "Block" as default action in an ACP :) :) )
**Important** While an ACL on a Firewall can only allow or deny traffic, an ACP's actions are: Allow, Trust (no more inspection), Monitor (logging only), Block, Block with Reset (send an RST packet), Interactive Block or Interactive Block with Reset
(*1) You can find it using sh run class-map sfr
(*2) These subnets can only be a part of the subset that is being redirected to Firepower, in this case 192.168.0.0/24; anything else you try will never be inspected, because the traffic won't even come to FP.
(*3) Interactive Block works as 'Allow', but gives a warning page before a site is allowed. Warning page: "Hello, the website you are accessing is classified as "Shopping", connections to this site are monitored"
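The three-layer arrangement the replies above describe (the ASA interface ACL permits or denies, a redirect ACL under the service policy decides which flows Firepower sees, and the ACP then acts only on those flows), as an added ASA configuration example that is not from any of the posters. The object, ACL and class names are invented; the subnets are the ones used in the thread, and the inside interface is assumed to be named "inside".

```cisco
! Added example, not from the thread: ASA with a Firepower (SFR) module.
! Names INSIDE_NET, DMZ_NET, INSIDE_IN, SFR_REDIRECT and SFR_CLASS are invented.
object network INSIDE_NET
 subnet 192.168.0.0 255.255.0.0
object network DMZ_NET
 subnet 172.16.0.0 255.255.0.0
!
! Layer 1: the interface ACL. This is the only place where the ASA itself
! permits or denies. A flow dropped here never reaches Firepower at all,
! so an ACP "Allow" cannot override an ASA "deny".
access-list INSIDE_IN extended permit ip object INSIDE_NET object DMZ_NET
access-list INSIDE_IN extended permit ip object INSIDE_NET any
access-group INSIDE_IN in interface inside
!
! Layer 2: the redirect ACL. Here "permit" means "send to Firepower" and
! "deny" means "skip inspection"; it does not allow or block anything.
! Inside-to-DMZ is excluded, so the ACP never sees those flows.
access-list SFR_REDIRECT extended deny ip object INSIDE_NET object DMZ_NET
access-list SFR_REDIRECT extended permit ip object INSIDE_NET any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  ! fail-open keeps traffic flowing, uninspected, if the module fails;
  ! use "sfr fail-close" where losing inspection must block the traffic.
  sfr fail-open
!
service-policy global_policy global
!
! Layer 3 lives on the Firepower module: the ACP rules (block SSH from
! 192.168.0.0/16, URL categories, file/malware policy, ...) are evaluated
! only on flows that both passed INSIDE_IN and matched SFR_REDIRECT.
!
! Checks: confirm what is being redirected and that packets are flowing.
!   show running-config class-map
!   show running-config policy-map global_policy
!   show service-policy sfr
```

If `show service-policy sfr` shows zero packets for a flow you expected to be inspected, check the interface ACL first and the redirect ACL second, in that order.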