
ASA Servicepolicy bypass for Firepower

Hi, I have set up a service policy to redirect all traffic for a subnet to the Firepower module on my ASA. However, there are certain IP addresses on that IP network that I would like to omit from redirection to the Firepower module. I have tried to create an access-list that looks like this:
access-list LAN_mpc; 2 elements; name hash: 0x3fb4708
access-list LAN_mpc line 1 extended deny ip host 10.8.0.51 any (hitcnt=620) 0x39f3c679
access-list LAN_mpc line 2 extended permit ip 10.0.0.0 255.0.0.0 any (hitcnt=405652) 0x5582c177
However traffic from the 10.8.0.51 is still being redirected to the Firepower module.

How can I make sure that traffic from specific addresses is omitted from the Firepower redirection in the same service policy?

Thanks!

Accepted Solution

Hi Christian,

The ACL is correct. However, traffic destined to the same IP will still be matched. Maybe that's the traffic you are seeing.

Something also important is that any connection already sent will still be inspected by the module until the connection times out or is cleared out. You can check if the connections for this host are being inspected using the following command:

show conn address 10.8.0.51

If the connections are marked with a cap "X" flag, the connection is being sent to the module.

If this is not the case, could you please paste your policy-map and class-map outputs?

- Cesar.
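As an added worked example (not part of the original thread or of Cisco's documentation), here is the redirect configuration with the bypass applied in both directions, followed by the checks Cesar describes. The class-map name (sfr_class) and the use of the default global_policy are assumptions, since the thread does not show Christian's policy-map; the second deny line is likewise added here to cover the destination direction Cesar points out.

```cisco
! Exclusion ACL for the SFR redirect class. In a "match access-list"
! class, a deny entry means "do not match this class", so the flow is
! NOT sent to the Firepower module.
! Line 1 (from the original post) only covers flows sourced from
! 10.8.0.51. Line 2 (added in this example) also excludes flows
! destined to it; otherwise another 10.x host talking to 10.8.0.51
! still hits the permit line and is redirected.
access-list LAN_mpc extended deny ip host 10.8.0.51 any
access-list LAN_mpc extended deny ip any host 10.8.0.51
access-list LAN_mpc extended permit ip 10.0.0.0 255.0.0.0 any

! Class-map name and policy-map are assumed for this example.
class-map sfr_class
 match access-list LAN_mpc

policy-map global_policy
 class sfr_class
  sfr fail-open

service-policy global_policy global

! Connections that were already redirected keep that decision until
! they time out. Clear them so they are re-evaluated against the
! updated ACL:
clear conn address 10.8.0.51

! Verify: new connections to/from the host should no longer carry the
! "X" flag (inspected by service module). "show conn detail" prints
! the flag legend if you need it.
show conn address 10.8.0.51
show access-list LAN_mpc
show service-policy sfr
```

Keep in mind that each deny entry is an inspection exemption: that host's traffic is no longer seen by the IPS/AMP policies on the module in either direction, so keep the entries host-specific rather than subnet-wide, and check the hit counts in `show access-list LAN_mpc` periodically to confirm they are only matching what you intended.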

2 Replies

Hi, thanks for the follow-up. Seems I was not patient enough.

It works correctly now with the above access-list.