Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
742
Views
5
Helpful
6
Replies

ASA firepower module Configuration help

Go to solution
kajumblies15
Level 1
Level 1

‎01-04-2023 12:38 PM

Hello, 

I am working on an ASA 5555x with a firepower module. I am struggling to determine if my configurtation is working in regards to traffic making it to the module and back out to the ASA. What i am attempting to achieve here is all traffic coming in should do their normal ACL check then go to the firepower module and be ether allowed or denied based upon an access control rule in the ASA Firepower configuration section of ASDM. I would like to see traffic stop making it across if i set the access control rule on the module to block right now its not working. I have created the service policy to redirect to the module but i cannot tell if its working since the block access control policy is not working. 

Thank You

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to kajumblies15

‎01-05-2023 12:49 AM

Use the command "clear service-policy global" to clear the statistics for the policy map counters.  This will make it easier to see the counter increase or not.  If it is not increasing it possibly means that there is an issue with traffic matching in the class-map.

But as I requested earlier, it will be a little easier to understand what is happening if we see the configuration of the devices in question.  Please remember to remove any  sensitive information from the configuration such as usernames, passwords and public IPs before posting it to the forum.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marius Gunnerud
VIP
VIP

‎01-04-2023 01:32 PM

We would need to see your ASA running configuration as well as the FirePOWER module configuration to get a better idea of what might be happening.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-04-2023 01:39 PM

adding to other post 

you can check :

show service-policy sfr

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
kajumblies15
Level 1
Level 1

‎01-04-2023 01:53 PM

I can provide the configs. When i run the show service-policy sfr it shows that there are packets going in and out. However that number doesn't increment and the outgoing packets don't go to zero when i try to set a block all rule in the module.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to kajumblies15

‎01-04-2023 01:58 PM

post the output here and config as requested for better advise.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to kajumblies15

‎01-05-2023 12:49 AM

Use the command "clear service-policy global" to clear the statistics for the policy map counters.  This will make it easier to see the counter increase or not.  If it is not increasing it possibly means that there is an issue with traffic matching in the class-map.

But as I requested earlier, it will be a little easier to understand what is happening if we see the configuration of the devices in question.  Please remember to remove any  sensitive information from the configuration such as usernames, passwords and public IPs before posting it to the forum.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
kajumblies15
Level 1
Level 1
In response to Marius Gunnerud

‎01-06-2023 06:38 AM

This worked perfectly. I was able to tweak the firepower access controll rules and starting out with clear counters helped a lot and things are properly incrementing packet wise. Thank You

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card