ASA with Firepower module

Anukalp S
Level 1

Hi. I have been running a Cisco ASA 5545-X with the Firepower module installed; it has two storage devices with model number Micron_M600 (not sure if it is an SSD). However, the Firepower module has been set up and is showing up (ver 6.2.0).

I will also be building an FMC to manage it.

I need your help to guide me in sending traffic in/out from the ASA towards Firepower so that the traffic gets inspected and policies get applied to the traffic through Firepower.

Please suggest how I should accomplish it.


17 Replies

Hi Marvin,

Please see below and suggest.

asa# sh access-list sfr
access-list sfr; 1 elements; name hash: 0x7b320f74
access-list sfr line 1 extended permit ip any any (hitcnt=9328926) 0x57cb890e
asa# sh access-list sfr
access-list sfr; 1 elements; name hash: 0x7b320f74
access-list sfr line 1 extended permit ip any any (hitcnt=9344021) 0x57cb890e


class-map sfr
 match access-list sfr


policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect icmp error
  inspect ip-options
 class global_class
  flow-export event-type all destination X.X.X.X
 class sfr
  sfr fail-open


asa# sh service-policy sfr

Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 9897398, packet output 9897461, drop 0, reset-drop 0

asa# sh service-policy sfr

Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 9897868, packet output 9897931, drop 0, reset-drop 0
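The two consecutive "show service-policy sfr" outputs above are the usual way to confirm that the sfr class-map is actually steering traffic into the module. As an added example that is not part of the thread, the script below parses two such snapshots (constructed here, modelled on the posted output), checks that the card is Up and the input counter is advancing, and flags drops and the fail-open caveat (with fail-open, matched traffic passes uninspected if the module goes down).

```python
import re

# Constructed sample output, modelled on the two snapshots posted in this thread.
SNAPSHOT_1 = """Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 9897398, packet output 9897461, drop 0, reset-drop 0
"""
SNAPSHOT_2 = """Global policy:
Service-policy: global_policy
Class-map: sfr
SFR: card status Up, mode fail-open
packet input 9897868, packet output 9897931, drop 0, reset-drop 0
"""

STATUS_RE = re.compile(r"SFR: card status (\w+), mode (fail-open|fail-close)")
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)")


def parse_sfr(text):
    """Extract card status, mode and packet counters from one snapshot."""
    status = STATUS_RE.search(text)
    counters = COUNTER_RE.search(text)
    if not status or not counters:
        raise ValueError("no SFR stats found; is class sfr applied in the policy?")
    return {
        "status": status.group(1),
        "mode": status.group(2),
        "input": int(counters.group(1)),
        "output": int(counters.group(2)),
        "drop": int(counters.group(3)),
        "reset_drop": int(counters.group(4)),
    }


def check_redirect(before, after):
    """Compare two snapshots; return (redirect_ok, list of findings)."""
    a, b = parse_sfr(before), parse_sfr(after)
    findings = []
    if b["status"] != "Up":
        findings.append(f"card status {b['status']}: traffic is not being inspected")
    if b["input"] - a["input"] <= 0:
        findings.append("packet input did not increase: nothing matches class sfr")
    if b["drop"] > a["drop"] or b["reset_drop"] > a["reset_drop"]:
        findings.append("module dropped or reset packets: review the access control policy")
    if b["mode"] == "fail-open":
        findings.append("fail-open: matched traffic bypasses inspection if the module is down")
    return b["status"] == "Up" and b["input"] > a["input"], findings
```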

Hi. I have recently set up FireSIGHT Management Center and tried to add the Firepower module in FMC but got an error.

Actually, Firepower is at location A and FMC resides in location B, and both locations are connected through a site-to-site IPsec VPN. Do I need to put a nat-id here?

I am able to ping FMC from Firepower.

You only need nat-id if the address of one or both ends appears as a NATted address to the peer.

Can you share the exact error that you received?
