ASA 5505 lost connection to Firesight

We have a VMware Firesight server in one office and 3 ASA 5505 appliances. I made a configuration change on the Firesight server by adding a DNS rule that ended up blocking the connection from an ASA in a remote office to the Firepower management server. Is there a way to modify the Firepower policy on the ASA from CMD to allow the ASA to connect to the management server again? Maybe roll back the deployment or whitelist the remote server? Currently all internet traffic is being blocked at the remote office because of this new policy.

Accepted Solution

If you have both images running (ASA with FirePOWER) then your standard ASA features (L3/L4 ACLs, NAT, VPN, etc) are still managed independently from the FMC. Thus, if the connectivity is broken due to ASA configurations then you should be able to make the appropriate changes via CLI/ASDM. If the connectivity is broken due to rules in the FirePOWER module then you can re-configure the ASA to bypass the module temporarily so you can restore the connectivity, then make the appropriate changes in the FMC and then re-configure the ASA again to inspect traffic through the FirePOWER module. 

You have two options to temporarily bypass the FirePOWER module:

  1. Completely remove the traffic-redirection in your policy-map
  2. Utilize the "monitor-only" keyword in your policy-map. This will essentially instruct the FirePOWER module to only monitor the redirected traffic without taking any action (Drop, Trust, Allow)

For more information on this, you can reference the following link:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

I hope this helps!

Thank you for rating helpful posts!

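The two bypass options from the accepted answer written out as ASA CLI, an added example that is not part of the original post. The class-map/policy-map names and the catch-all redirect ACL are assumptions; substitute whatever your running-config uses (check with `show running-config policy-map`).

```cisco
! Assumed starting point: all traffic is redirected to the SFR module and
! inspected. "fail-open" only covers a module failure; it does not help when
! a deployed access-control rule is what blocks the sensor's FMC traffic.
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect
policy-map global_policy
 class sfr_class
  sfr fail-open
service-policy global_policy global

! Option 2 (preferred, keeps visibility): keep redirecting, but stop the module
! from enforcing its verdicts. Traffic still reaches the module and is logged,
! while Drop/Block results are no longer applied, so the sensor can reach the FMC.
policy-map global_policy
 class sfr_class
  sfr fail-open monitor-only

! Option 1 (alternative, from the original state): remove the redirection
! entirely so nothing is sent to the module. Pick one option, not both.
policy-map global_policy
 class sfr_class
  no sfr fail-open

! Verify: the policy should show the module as monitor-only (or absent), and the
! module should report itself registered to the FMC again.
show service-policy sfr
show module sfr details

! Once the offending rule is fixed and re-deployed from the FMC, restore
! full inspection by putting the original line back.
policy-map global_policy
 class sfr_class
  sfr fail-open
```

Enter these from a session that does not depend on the blocked path (console, or SSH/ASDM from the remote office's inside network), since the ASA's own management plane is unaffected by the module policy.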

5 Replies

nspasov (Cisco Employee)

Hi there-

  • 5505s do not run FTD/Firepower so perhaps you meant a different hardware model?
  • To answer your question: Currently, there is no rollback functionality. Thus, you will have to restore the connectivity between the FMC and the managed Firewall via another device/method. 
  • If you want to have a local and centralized management, I would recommend looking into FDM (On box) with CDO (Centralized cloud management). 

Thank you for rating helpful posts!

Sorry. I meant 5506 and 5508. Is it possible to unregister the ASA and edit the policy from ASDM?

Are you running the unified image (FTD) or ASA with FirePOWER services where you have both the ASA and Firepower software running?

Thank you for rating helpful posts!

Both ASA and FirePOWER running.

