cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


497
Views
0
Helpful
1
Replies
Highlighted
Enthusiast

Nested Access Control Policy on FTD 6.2.2

Hi;

I have a ASA 5515-x FTD 6.2.2 and FMC. I created an access control policy based on a parent policy on which, I trusted a traffic to/from my mgmt PC on parent policy and then I added some rules to child policy. I saved and deployed to my FTD device but despite FMC says the Parent Policy (which includes a child policy) is up-to-date on all targeted devices, but while inspecting through ASA FTD CLI, I cannot see any child rules; there is just Parent Policy listed in the running-configuration. 

 

 

ftd1.jpg

 

ftd1.jpg

 

and here is the CLI output on TFPD device:

access-list CSM_FW_ACL_ remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 9998 
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 9998 
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 9998 
access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 9998 
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 9998 
access-list CSM_FW_ACL_ remark rule-id 268435460: ACCESS POLICY: TPARENT-POLICY - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435460: L7 RULE: Timaz-PC-Anywhere-Rule
access-list CSM_FW_ACL_ advanced permit ip object TIMAZ-PC any rule-id 268435460 
access-list CSM_FW_ACL_ remark rule-id 268435459: ACCESS POLICY: TPARENT-POLICY - Default
access-list CSM_FW_ACL_ remark rule-id 268435459: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268435459 event-log flow-start 

 

as a result, the rules inside child policy don't run. Do I need to do something for the child policy to take effect?

 

1 REPLY 1
Enthusiast

Re: Nested Access Control Policy on FTD 6.2.2

Hi;

I resolved the issue by myself! I assigned parent policy directly to the FTD device, thought that it should contain child policies too. But I was wrong; the opposite is true. The child policy should be assigned to FTD device which inherits parent policy too.