Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1036
Views
0
Helpful
2
Replies

Question about ASA ACL Redirect to Firepower

Go to solution
klanard
Level 1
Level 1

‎05-15-2017 11:19 AM - edited ‎03-12-2019 02:22 AM

I have a client with ASA multicontext firewall running with Firepower 6.1 in it.  They have limited bandwidth for Firepower on it with multiple 10 gig lines so they are restricting which traffic gets redirected to Sourcefire Module for fiiltering. They are trying to keep those ACLs as simple as possible, and are seeing results they arent  totally happy with. Question is:

If you redirect specific traffic to the sourcefire based on an ACL associated with a service-policy per-interface, do those ACLs need to be bidirectional? What they are seeing for example is Inside-DMZ not getting redirected but the return traffic from DMZ-Inside on the same TCP session is getting redirected.  Is that redirection bidirectional per-interface? Do they need an ACL that would  say

permit Inside to Servers

permit Servers to Inside

on the same ACL if that policy was a class-map SFR for service-policy on the interface Inside?

Right now they just have "inside to Servers" and are still seeing redirects from "Servers to Inside", reportedly on same interface. I know its easy to test but wanted to ask the forum if that is the correct config method to use bidirection ACL on a specific interface policy for redirection to SFR module?

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎05-16-2017 07:19 AM

You will need to define both directions in the ACL. Even though the ASA is stateful, the traffic that gets sent to SFR is not.

HTH

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎05-16-2017 07:19 AM

You will need to define both directions in the ACL. Even though the ASA is stateful, the traffic that gets sent to SFR is not.

HTH

0 Helpful

Go to solution
klanard
Level 1
Level 1
In response to Collin Clark

‎05-16-2017 07:58 AM

Thanks for verfying. Just wanted to be certain.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card