access rules firepower 1010

BornJames (Level 1)

Hi team,

I have a question regarding access rules.

How come if the rule is any any, everything works fine?

However, when I want to allow, let's say, connecting to facebook.com and disable everything else,

I put source(inside) network(any-ipv4) ports(any) destination(outside_zone) network(FQDN facebook.com) ports(any).

So now I should have a connection only to facebook.com; however, there is no connection at all.


34 Replies

How do the internal endpoints resolve facebook.com? Is that via an internal DNS server or an external one? In case you are using internal DNS, is that internal DNS server able to resolve facebook.com? Also, is the firewall able to actually resolve that FQDN, and are the firewall and the endpoints resolving to the same IP? If not, the firewall might drop the traffic if the IP addresses don't match.

Hello Aref,

The DNS resolvers are the external ones.

When you say the firewall is able to resolve that FQDN, do you mean when I do it via the CLI?

Because when I do it via the CLI like this, "ping system facebook.com", it doesn't work.

Yes, to verify the firewall resolution you can try with the command "sh dns" from LINA CLI, or you can use the command "sh access-list < the ACL name>" and look at the rule where you defined the FQDN. If you are running an FTD code then you can type the command "support system diagnostic-cli" from the CLISH mode (>) and then type "enable" and hit enter with no password, that will take you to LINA CLI which is basically the ASA CLI.
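The two replies above make one point: an FQDN object in a rule only ever matches the addresses the firewall itself resolved the name to, because the packets the firewall inspects carry an IP, not a hostname. The following Python script is an added illustration of that check and is not code from this thread or from Cisco; it models a firewall whose DNS view is complete, partial, or empty and shows which flows an "allow FQDN, deny the rest" policy would pass. All addresses are constructed TEST-NET-3 samples, not real facebook.com records, and the "views" are assumed to have been collected by hand (for example from the expanded ACL and from the client's resolver).

```python
# Added example, not from the thread or from Cisco: an offline model of why an
# FQDN-based rule can deny everything when the firewall's own DNS view differs
# from the endpoint's. All sample data below is constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it: only IPs, no hostname."""
    src: str
    dst: str
    dport: int


def _normalize(addrs) -> set[str]:
    """Canonicalise address text (e.g. IPv6 compression) before comparing sets."""
    return {str(ipaddress.ip_address(a)) for a in addrs}


def fqdn_rule_matches(dst: str, firewall_resolved) -> bool:
    """An FQDN object matches only the addresses the *firewall* resolved the name
    to. If the firewall could not resolve the name, the set is empty and the
    rule matches nothing, which is the symptom described in this thread."""
    return str(ipaddress.ip_address(dst)) in _normalize(firewall_resolved)


def classify_flows(flows, firewall_resolved) -> dict[Flow, str]:
    """Verdict per flow under a policy of 'allow the FQDN object, implicit deny the rest'."""
    return {
        f: "allow" if fqdn_rule_matches(f.dst, firewall_resolved) else "deny"
        for f in flows
    }


def resolution_mismatch(endpoint_resolved, firewall_resolved) -> set[str]:
    """Addresses the endpoint may connect to that the firewall's object lacks.
    Traffic to these is dropped by the implicit deny even though the user
    asked for the allowed name."""
    return _normalize(endpoint_resolved) - _normalize(firewall_resolved)


# --- constructed sample data (TEST-NET-3 addresses, not real DNS records) ---
ENDPOINT_VIEW = {"203.0.113.10", "203.0.113.11"}      # what the client's external resolver returned
FIREWALL_VIEW_OK = {"203.0.113.10", "203.0.113.11"}   # firewall resolved the same records
FIREWALL_VIEW_PARTIAL = {"203.0.113.10"}              # stale or partial: one record missing
FIREWALL_VIEW_NONE: set[str] = set()                  # firewall cannot resolve the name at all

SAMPLE_FLOWS = [
    Flow("192.168.1.20", "203.0.113.10", 443),
    Flow("192.168.1.20", "203.0.113.11", 443),
]


def summarize(firewall_resolved) -> tuple[int, int]:
    """(allowed, denied) counts for the sample flows under a given firewall DNS view."""
    verdicts = classify_flows(SAMPLE_FLOWS, firewall_resolved)
    allowed = sum(v == "allow" for v in verdicts.values())
    return allowed, len(verdicts) - allowed


if __name__ == "__main__":
    for label, view in (("ok", FIREWALL_VIEW_OK),
                        ("partial", FIREWALL_VIEW_PARTIAL),
                        ("none", FIREWALL_VIEW_NONE)):
        print(label, "allowed/denied:", summarize(view),
              "endpoint IPs missing from firewall object:",
              sorted(resolution_mismatch(ENDPOINT_VIEW, view)))
```

The "none" case reproduces the situation in the original post: the endpoint resolves the name fine through an external resolver, but if the firewall's own resolution fails (as the failed "ping system facebook.com" suggests), the FQDN object expands to nothing and every flow falls through to the implicit deny. The "partial" case shows the subtler version where the two sides resolve to overlapping but different record sets and only some connections are dropped.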

Hi Aref,

I don't have these commands; "sh dns" returns "invalid command at ^ dns".

I did find an article on troubleshooting the DNS, but was surprised that I cannot run these commands.

Would you mind sending the screenshot from where you are trying to apply them?

I have tried through here:

[screenshot: BornJames_0-1688983308995.png]

When running via the GUI CLI I get "this command is not supported",

as well as via PuTTY.

When via PuTTY:

testfirepower# sh dns

% Invalid Command at '^' marker


The (>) is what is called CLISH mode; those commands can't be run from there. However, it should have worked via the SSH connection. Did you try to issue the other command "sh access-list < the ACL name>"? Also, if you run the command "sh run dns", do you see any configuration output?

I'm not connected via SSH but via console.

I am wondering, could this be because the license is not enabled yet?

We haven't registered the device yet.

I don't believe applying the licenses would affect at least the DNS configuration. How did you get to this mode "testfirepower# " from the console? Did you have to move from the CLISH mode (>) using the command "support system diagnostic-cli"? If not, you might be on the FXOS line rather than LINA.

We just have a console cable connected to the firewall, and when I use PuTTY to connect to it, it asks for credentials and that's it, I'm in "testfirepower#" mode.

I didn't have to use anything.

OK, then I believe you are in FXOS mode. When you are on "testfirepower#", please try to type "connect ftd", then "support system diagnostic-cli", then "enable" and hit enter with no password, and finally issue the above commands please.

Hello Aref,

It did allow me to enter "connect ftd"; I got to ">" mode, but when trying to enter "support system diagnostic-cli" it doesn't let me. I cannot push space between the words or even push enter when entering just "support".

Apologies, that was my bad, I did invert the first two words. The command should be "system support diagnostic-cli".

Yeah, I have tried that; it doesn't allow me to push enter on anything. It lets you enter it, but when I push enter the command just stays and nothing changes.