ASA 5500-x Firepower Configuration

ragulan_dms
Level 1

Hi Guys,

I want to check how to redirect ASA traffic into Firepower for IPS and AMP. The current ASA global policy matches default-inspection-traffic. I suppose this does not match all traffic. Hence I am wondering what the general best practice is for configuring the service policy in ASA to enable ASA Firepower inspection. Meaning to say, should I use the current global policy as it is, or should I modify the current global policy match to "any any" instead of default-inspection-traffic?

Regards

Ragulan

4 Replies

Marvin Rhoads
Hall of Fame

Best practice varies according to what you are trying to inspect.

Many organizations match all and inspect that, but if you have specific traffic you need to target then yours would be different.

Also if you have, for instance, a significant amount of traffic that you trust (like IPsec going to a termination point inside your network) then you would exempt that from inspection.

johnd2310
Level 8

Hi,

You can use the global policy as follows:

- Identify the traffic that you need to send to the IPS module.

- Create a class-map for the access-list.

- Apply the class-map under the global policy-map.

access-list IPS extended permit ip any any

class-map IPS-TRAFFIC-CLASS
 description Traffic for IPS Processing
 match access-list IPS

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect snmp
 class IPS-TRAFFIC-CLASS
  sfr fail-open

Thanks

John

**Please rate posts you find helpful**
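As an added example (not part of John's or Marvin's posts), the configuration below combines John's class-map/policy-map approach with Marvin's advice to exempt trusted traffic: the redirect ACL denies a hypothetical IPsec tunnel (placeholder addresses 203.0.113.10 and 198.51.100.5, and the ACL/class names are assumed) before the final permit, so that tunnel is never copied to the Firepower module, and the failure behaviour of the module is chosen explicitly. Everything else in the existing global_policy stays as John shows it.

```cisco
! Added example, not from the original thread. Addresses and object names are placeholders.
!
! 1. Define what is redirected. ACL deny lines are evaluated first, so
!    traffic hitting a deny is NOT matched by the class and stays ASA-only.
!    Here an IPsec tunnel between two placeholder peers is exempted
!    (ESP plus IKE on UDP/500 and NAT-T on UDP/4500), then everything else
!    is permitted, i.e. sent to the module.
access-list SFR-REDIRECT extended deny esp host 203.0.113.10 host 198.51.100.5
access-list SFR-REDIRECT extended deny udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list SFR-REDIRECT extended deny udp host 203.0.113.10 host 198.51.100.5 eq 4500
access-list SFR-REDIRECT extended permit ip any any

! 2. Wrap the ACL in a class-map.
class-map SFR-REDIRECT-CLASS
 description Traffic copied to the Firepower (SFR) module
 match access-list SFR-REDIRECT

! 3. Add the class to the existing global policy. The inspection_default
!    class and its inspect statements are left untouched; the new class
!    is appended after it.
policy-map global_policy
 class SFR-REDIRECT-CLASS
  ! fail-close: if the SFR module is down or not yet up, matching traffic
  ! is dropped rather than passed uninspected. Use "sfr fail-open" instead
  ! if availability matters more than guaranteed inspection.
  sfr fail-close

! global_policy is already applied with "service-policy global_policy global"
! on a default ASA configuration, so no further apply step is needed.
!
! 4. Verify that the class is hit and see the module's status and mode:
!    show service-policy sfr
!    show module sfr
```

With `fail-close` a module reboot or upgrade will interrupt matching traffic, so during maintenance windows operators often switch to `fail-open` temporarily; the `show service-policy sfr` counters are the quickest way to confirm that the exempted tunnel traffic is not being counted against the SFR class.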

Thanks John and Marvin. This means, for example, FTP traffic will go through both ASA inspection and Firepower IPS?

Yes, ASA runs its own inspections and sends a copy of the packets to the Firepower module.

Firepower runs preprocessor and other advanced security (IPS, AMP...) on the connections and instructs the ASA to drop or reset a connection if needed.

Hope that helps.
