Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1478
Views
0
Helpful
2
Replies

ASA/FirePower Access Control and NAT

Matthew
Level 1
Level 1

‎10-22-2015 02:22 PM - edited ‎03-10-2019 06:29 AM

When implementing FirePower services on an ASA and managing it with FireSight in an enviroment with existing ACL's and NAT statement on the ASA, will creating access control policies and nat statements through FireSight take precedence over the local rules? For example, if there is a webserver on the inside interface of the firewall which has a static nat translation created via cli on the asa, would I want to create this rule (access control and NAT) in FireSight then simply remove the rule from the ASA?

Labels:
0 Helpful
2 Replies 2

ArchiTech89
Level 1
Level 1

‎10-22-2015 05:51 PM

It's my understanding that the "Access Control Policies" in FirePOWER are only there for the purpose of sifting traffic out for applying the Intrusion Policies to. Basically, it's so the ASA can figure out what traffic needs to be scanned (or in these cases, what get fast-pathed by it).

It flows like this: traffic enters the ASA and is decrypted if it's VPN. Then firewall policies are applied (there's no need to scan the traffic if it's denied already). THEN it goes to the SFR module. That's when FP checks it's own filters and does its thing. Then it passes everything left over back to the firewall.

So I would say, no, you don't want to create anything in FireSIGHT that duplicates what you're already doing on the firewall. Let the firewall handle its things, and SourceFire handle its own by just looking at the traffic left over and deciding whether it might be malicious.
 

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful

Matthew
Level 1
Level 1
In response to ArchiTech89

‎10-22-2015 06:15 PM

That does seem to make more sense to me now since the initial policy map does not define which traffic should be inspected or sent to the module, and that in Cisco documentation it is typically applied to the global service policy.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card