Beginner

Re: ASA with Firepower module

Hi Marvin,

Please see below and suggest.

asa# sh access-list sfr
access-list sfr; 1 elements; name hash: 0x7b320f74
access-list sfr line 1 extended permit ip any any (hitcnt=9328926) 0x57cb890e
asa# sh access-list sfr
access-list sfr; 1 elements; name hash: 0x7b320f74
access-list sfr line 1 extended permit ip any any (hitcnt=9344021) 0x57cb890e

class-map sfr
 match access-list sfr

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect icmp error
  inspect ip-options
 class global_class
  flow-export event-type all destination X.X.X.X
 class sfr
  sfr fail-open

asa# sh service-policy sfr

Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 9897398, packet output 9897461, drop 0, reset-drop 0

asa# sh service-policy sfr

Global policy:
  Service-policy: global_policy
    Class-map: sfr
      SFR: card status Up, mode fail-open
        packet input 9897868, packet output 9897931, drop 0, reset-drop 0
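
An added example, not part of the original post and not Cisco tooling: a Python check that parses two "show service-policy sfr" snapshots like the ones above and reports the counter deltas plus any warnings. The function names, field names and warning texts are assumptions of this example.

```python
import re

FIELDS = ("input", "output", "drop", "reset_drop")
STATUS_RE = re.compile(r"SFR: card status (\w+), mode ([\w-]+)")
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")

# The two snapshots quoted in the post above, embedded so this runs offline.
SNAP_1 = """Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 9897398, packet output 9897461, drop 0, reset-drop 0
"""
SNAP_2 = SNAP_1.replace("9897398", "9897868").replace("9897461", "9897931")

def parse_sfr(text):
    """Map each Class-map name to its SFR status, mode and packet counters."""
    classes, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Class-map:"):
            cur = classes.setdefault(line.split(":", 1)[1].strip(), {})
        elif cur is not None and (m := STATUS_RE.search(line)):
            cur["status"], cur["mode"] = m.groups()
        elif cur is not None and (m := COUNTER_RE.search(line)):
            cur.update(zip(FIELDS, map(int, m.groups())))
    return classes

def compare(before, after):
    """Return {class: (counter deltas, warnings)} between two snapshots."""
    result = {}
    for name, new in after.items():
        old = before.get(name, {})
        delta = {f: new.get(f, 0) - old.get(f, 0) for f in FIELDS}
        notes = []
        if new.get("status") != "Up":
            # With fail-open, traffic keeps flowing past a failed module uninspected.
            notes.append("module status is not Up")
        if delta["input"] <= 0:
            notes.append("no new packets redirected to the module")
        if delta["drop"] > 0 or delta["reset_drop"] > 0:
            notes.append("drop counters are increasing")
        result[name] = (delta, notes)
    return result

if __name__ == "__main__":
    for name, (delta, notes) in compare(parse_sfr(SNAP_1), parse_sfr(SNAP_2)).items():
        print(name, delta, notes or "OK")
```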

Beginner

Re: ASA with Firepower module

Hi. I have recently set up FireSIGHT Management Center and tried to add Firepower in FMC but got an error.

Actually Firepower is at location A and FMC resides in location B, and both locations are connected through a site-to-site IPsec VPN. Do I need to put nat-id here?

I am able to ping FMC from firepower.

Hall of Fame Guru

Re: ASA with Firepower module

You only need nat-id if the address of one or both ends appears as a NATted address to the peer.

Can you share the exact error that you received?